From 6376946df44cbe4b672815b3bb69529acab05c17 Mon Sep 17 00:00:00 2001 
From: Greg Harvey
Date: Fri, 10 Nov 2023 14:20:59 +0100
Subject: [PATCH 001/331] Devel 2.x (#1216)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and the Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and the Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and the Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and the Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an includ…
* Awscli version support pr devel (#793)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. 
* Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. 
* Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. 
* Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. 
(#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block.
(#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for ce-deploy to work. * Adding link to provided example config directory.
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for… * Pin aws collection version pr devel (#796) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file… * Fix ce provision vars pr devel (#798) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for …
* First attempt at an ELB role (#800)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SA…
* Aws lb role pr devel (#801)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel.
(#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admin…
* Fix debian release issues pr devel (#802)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file … * Linting fixes pr devel (#804) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML adm…
* Aws lb role pr devel (#806)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admin…
* Aws lb role pr devel (#807)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admin… * Linting fixes pr devel (#808) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML adm…
* Aws lb role pr devel (#809)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel.
  (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admin… * Aws lb role pr devel (#810) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admin… * Aws lb role pr devel (#811) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admin… * Aws lb role pr devel (#812) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admin…
* Linting fixes pr devel (#813)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML adm…
* Aws lb role pr devel (#815)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admin… * Apache nginx tweaks pr devel (#817) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SA…
* Asg no alb pr devel (#820)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins…
* Ipv6 support pr devel (#822)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admi… * Ipv6 support pr devel (#823) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admi…
* Ipv6 support pr devel (#824)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admi…
* Ipv6 support pr devel (#825)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admi… * Ipv6 support pr devel (#826) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admi… * Ipv6 support pr devel (#827) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admi… * Ipv6 support pr devel (#828) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admi… * Ipv6 support pr devel (#829) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admi… * Linting fixes pr devel (#831) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML adm… * Ipv6 support pr devel (#833) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admi…
* Ipv6 support pr devel (#834)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admi… * Npm support pr devel (#836) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admin… * Npm support pr devel (#837) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admin… * User deploy key fix pr devel (#839) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SA…
* Support private keys pr devel (#841)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for S… * Support private keys pr devel (#843) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for S… * Support private keys pr devel (#844) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel.
(#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for S…
* Support private keys pr devel (#845)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for S… * Support private keys pr devel (#847) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for S… * Aws cli for ce roles pr devel (#848) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243)
* Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
(#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for S… * Efs role namespacing pr devel (#850) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for S… * Efs role namespacing pr devel (#852) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243)
* Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for S… * Make nginx ssl protocols modifiable pr devel (#853) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an inc…
* Opcache vars pr devel (#854)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admi… * Namespacing fixes pr devel (#857) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243)
* Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig.
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory.
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML… * Suppress ec2 creation pr devel (#867) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for … * Suppress ec2 creation pr devel (#869) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for … * Suppress ec2 creation pr devel (#870) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for … * Suppress ec2 creation pr devel (#871) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for … * Remove eip plugin pr devel (#795) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML… * Linting fixes pr devel (#874) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML adm… * Namespacing fixes pr devel (#877) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML…
* Namespacing fixes pr devel (#879)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML… * Namespacing fixes pr devel (#881) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML…
* Namespacing fixes pr devel (#883)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML… * Namespacing fixes pr devel (#885) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML…
* Namespacing fixes pr devel (#886)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML… * Namespacing fixes pr devel (#888) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML…
* Mysql client options pr devel (#890)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for S…
* Mysql client options pr devel (#893)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for S…
* Ec2 instance refresh pr devel (#895)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for S…
* Clamav cron pr devel (#898)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admin… * Clamav cron pr devel (#901) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admin… * Clamav cron pr devel (#902) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for ce-deploy to work. * Adding link to provided example config directory.
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admin… * Clamav cron pr devel (#903) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
  Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admin…
* Mattermost config pr devel (#904)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML… * Mattermost config pr devel (#907) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML… * Mattermost config pr devel (#909) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML…
* Mattermost config pr devel (#910)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML…
* Mattermost config pr devel (#911)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML…
* Mattermost config pr devel (#913)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel.
(#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML… * Mattermost config pr devel (#915) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML…
* Mattermost config pr devel (#917)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory.
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML… * Sl le flags pr devel (#919) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admin… * Mattermost config pr devel (#921) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
  Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML…
* Apache role files block pr devel (#926)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file fo… * Fixed apache role files block pr devel (#928) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory.
* Generate saml sso requirements (#33) Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) Co-authored-by: EmlynK * phpfpm variables (#38) Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Renaming template file for SAML and adding an include f… * Lhci: Debian backports only for Buster (#897)
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role.
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Missed a couple of variables to update.
* Cert management pr 1.x (#644) * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include f… * R64279 fix nsswitch template pr devel (#929) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include fi… * R64239 disable nginx version in headers pr devel (#932) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an…
* Ec2 instance refresh pr devel (#936)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for S… * Remove opcache pr devel (#934) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML ad… * Set python version pr devel (#938) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAM…
* Set python version pr devel (#940)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for ce-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAM… * Set python version pr devel (#941) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for ce-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAM…
* Wazuh pr devel (#943)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. … * Wazuh pr devel (#945) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel.
(#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. … * Wazuh pr devel (#946) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for ce-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for ce-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. … * Wazuh pr devel (#947) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI.
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation. Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory. Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable. Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation. Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
…
* Wazuh pr devel (#948)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
…
* Wazuh pr devel (#949)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel.
(#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Updating testing shell (#28)
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Updating testing shell (#28)
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Updating testing shell (#28)
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. … * Wazuh pr devel (#950) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. … * Wazuh pr devel (#951) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
…
* R64516 give nginx time to stop before certbot pr devel (#953)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
  Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and add…
* Wazuh pr devel (#955)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
  Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. … * Undoing PR #542. * Wazuh pr devel (#957) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
…
* R62850 install procmail pr devel (#958)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file fo… * Fix ci and docs pr devel (#960) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML a…
* Sudo role pr devel (#962)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.…
* Sudo role pr devel (#964)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins.… * Sudo role pr devel (#966) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins.… * Sudo role pr devel (#968) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.…
* Unattended upgrades pr devel (#970)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SA… * Unattended upgrades pr devel (#972) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SA… * Unattended upgrades pr devel (#973) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel.
(#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SA…
* Unattended upgrades pr devel (#974)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SA… * Unattended upgrades pr devel (#975) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SA…
* Unattended upgrades pr devel (#976)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SA…
* Unattended upgrades pr devel (#977)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SA… * Unattended upgrades pr devel (#978) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SA…
* Sudo fix pr devel (#981)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. … * Unattended upgrades pr devel (#979) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
  Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SA… * Sudo fix pr devel (#983) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Opensearch pr devel (#985) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Adding new AWS OpenSearch role. * Adding new lines. 
* Le fixes pr devel (#988) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. * Hostname handling pr devel (#990) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. * Hostname handling pr devel (#992) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr devel (#993) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. 
* Read only efs handling pr devel (#995) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. * Read only efs handling pr devel (#997) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Read only efs handling pr devel (#997)" (#998) This reverts commit b46b3642320665f9647f87d4dba6bdf56c8d4125. * Revert "Read only efs handling pr devel (#995)" (#999) This reverts commit 02baa1c6635515a7fe6cf72721698b81f9906dc7. 
* Read only efs handling pr devel (#1001) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Updating EFS docs. * Adding note on how to find creation_token. * Read only efs handling pr devel (#1001) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. 
* Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Updating EFS docs. * Adding note on how to find creation_token. * Cloudwatch alarms pr devel (#1004) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. * Cloudwatch alarms pr devel (#1006) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. 
(#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr devel (#1008) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. 
* Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr devel (#1010) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Le reload on renew pr devel (#1012) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. 
* Ldap le group pr devel (#1014) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. 
* Improved rkhunter conf pr devel (#1016)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr devel (#1018)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* Rkhunter command pr devel (#1020)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command
---------
Co-authored-by: Greg Harvey
* Rkhunter command pr devel (#1023)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command
* add_quotes
---------
Co-authored-by: Greg Harvey
* Bug fixes pr devel (#1024)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
---------
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
* Bug fixes pr devel (#1026)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
---------
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
* Bug fixes pr devel (#1027)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
---------
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
* Bug fixes pr devel (#1028)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
---------
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
* Bug fixes pr devel (#1031)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
---------
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
* Bug fixes pr devel (#1033)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
---------
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
* Bug fixes pr devel (#1036)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
---------
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
* Bug fixes pr devel (#1039)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
---------
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
* Bug fixes pr devel (#1040)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
--------- Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> * Bug fixes pr devel (#1041) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. --------- Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> * Bug fixes pr devel (#1042) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. 
(#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. 
--------- Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> * Bug fixes pr devel (#1043) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. --------- Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> * Bug fixes pr devel (#1044) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. 
(#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. 
* Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. 
* Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! --------- Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> * Bug fixes pr devel (#1046) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. 
* Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. 
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.

---------

Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>

* Bug fixes pr devel (#1051)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.

---------

Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>

* Lhci software versions pr devel (#1049)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Allowing setting of package versions for LHCI.

---------

Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>

* Fix pyyaml pr devel (#899)
* Fixing PyYAML version issues with linters.
* Tweaking order to ensure we have clean Ansible before we install other packages.
* cloud-init needs to come from Apt.
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Removing leaked devel changes.
* Removing leaked devel changes.

---------

Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>

* Optional linters pr devel (#1054)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. 
(#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. 
* Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." 
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. 
(#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. 
* Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. 
* Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. 
(#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. 
* Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." 
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. 
* Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. 
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. 
* Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. 
* No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. 
* Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. 
* Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. 
* examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. 
(#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. 
* No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. 
* Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. 
* Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. 
(#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. 
* Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. 
* Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. … * Bug fixes pr devel (#1056) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. 
* Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. 
* Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Missed one! * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. 
* Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. 
* Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. 
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding default vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding default vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding default vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. 
* Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. 
* Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. *… * Bug fixes pr devel (#1058) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. 
* Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. 
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. 
* Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Missed one! * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. 
* One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. 
* Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. 
* Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. 
(#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. 
* We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. 
* No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. 
* Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. 
* Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. 
* Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. 
(#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. 
* We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. 
* No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. 
* Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. 
* Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. 
* Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. 
* Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. 
* Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. 
* Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. 
* Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. 
* Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. 
* Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. 
* We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Bug fixes pr devel (#1060)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. 
* No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. 
* Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. 
* Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. 
* Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. 
* Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. 
* Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. 
* Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. 
* Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. 
* Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. 
* Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. 
* We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. 
* Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. 
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Bug fixes pr devel (#1062)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Pin community.aws to v5.5.0 (#1063)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. 
* Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. 
* Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. 
* Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. 
* Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. 
* We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. 
* Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. 
* Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set t… * Bug fixes pr devel (#1065) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. 
* Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. 
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. 
* Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Missed one! * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. 
* One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. 
* Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. 
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Bug fixes pr devel (#1067)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base.
(#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* R65626 rkhunter ssh config pr devel (#1070)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. 
* Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. 
* Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. 
* Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. 
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. 
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. 
* Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because … * Tidying up task output pr devel (#1072) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. 
* Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. 
* Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. 
* Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. 
* Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. 
* Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. 
(#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. 
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. 
* Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. 
* Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. 
* Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669)
* Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. 
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. 
(#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. 
(#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. 
* Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. 
* Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. 
* Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. 
* Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of L… * Apt extra packages cache update change pr devel (#1074) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. 
(#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. 
* Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. 
* One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. 
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. 
* Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. 
* Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. 
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. 
* Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. 
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. 
* Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. 
* Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. 
* We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. 
* Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. 
* Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. 
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. 
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in…
* R65886 unattended upgrades schedule conf pr devel (#1084)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role …
* Ecs clusters pr devel (#1088)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
…
* Update defaults pr devel (#1080)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.

Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. 
(#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. 
(#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. 
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. … * Check that vars_dirs locations exist devel (#1082) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. 
(#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. 
* rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. 
* Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. 
* Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. 
* Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. 
* Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. 
* Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. 
* Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. 
* Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. 
* Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. 
* For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. 
* Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. 
* Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. 
* Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. 
* Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. 
* Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. 
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI b…
* Sudo ldap config pr devel (#1092)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
…
* Ecs clusters pr devel (#1090)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. 
* Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. 
* Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. 
* Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. 
* Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. 
* Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. 
* Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. 
* Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. 
* Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. 
* For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. 
* Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. 
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* …
* LDAP endpoints already contain protocol. (#1096)
* Ecs clusters pr devel (#1095)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* …
* Ecs clusters pr devel (#1100)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* …
* Ecs clusters pr devel (#1102)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. 
* Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. 
* Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. 
* Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. 
* Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. 
* Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.

Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* …
* Ecs clusters pr devel (#1103)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. 
* For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. 
* Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. 
* Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. 
* Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. 
* Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. 
* Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. 
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. 
(#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* …
* Ecs clusters pr devel (#1104)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. 
* Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. 
* Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. 
* Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. 
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. 
(#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. 
(#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. 
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * … * Bug fixes pr devel (#1105) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. 
(#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. 
* Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. 
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* R65800 unpin boto3 version pr devel (#1107)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. 
* Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. 
* We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. 
* Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. 
* Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. 
* Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. 
* Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. 
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because …
* Bug fixes pr devel (#1111)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Bug fixes pr devel (#1113)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.

Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. *… * Bug fixes pr devel (#1115) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. 
* Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Missed one! * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. 
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. 
* Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. 
* Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. 
* Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. 
* Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. 
* For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. 
* Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. 
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. *… * Bug fixes pr devel (#1117) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. 
* Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Missed one! * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. 
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. 
* Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. 
* Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. 
* Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. 
* Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. 
* For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. 
* Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. 
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. 
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Bug fixes pr devel (#1119)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. 
* Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. 
* Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. 
* Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. 
* For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. 
* Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. 
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. 
* Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. 
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. 
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Bug fixes pr devel (#1121)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. 
* Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. 
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. 
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. 
* Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. 
* Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. 
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Bug fixes pr devel (#1123)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. 
* For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. 
* Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. 
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. 
* Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. 
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. 
* Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. 
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. 
* Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. 
* Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. 
* Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Bug fixes pr devel (#1126)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. 
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. 
* Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. 
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. 
* Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. 
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. 
* Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. 
* Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. 
* Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. 
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Bug fixes pr devel (#1128)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.

Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. 
* Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. 
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. 
* Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. 
* Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. 
* Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. 
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. 
(#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. 
(#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. 
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. *… * Bug fixes pr devel (#1130) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. 
* Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Missed one! * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. 
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. 
* Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. 
* Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. 
* Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. 
* For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. 
* Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. 
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI.
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. 
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. 
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Bug fixes pr devel (#1131)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. 
* Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. 
* Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. 
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. 
(#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. 
(#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. 
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. *… * Bug fixes pr devel (#1132) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. 
* Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Missed one! * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. 
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. 
* Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. 
* Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. 
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* …
* Bug fixes pr devel (#1133)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.

Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. 
(#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. 
(#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. 
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. *… * R66519 r66187 fix postfix transport map db pr devel (#1135) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. 
(#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. 
* Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. 
* Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. 
* Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. 
* Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
  Co-authored-by: Code Enigma CI
  Co-authored-by: EmlynK
  Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
  Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
  Co-authored-by: Code Enigma CI
  Co-authored-by: EmlynK
  Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
  Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
  Co-authored-by: Code Enigma CI
  Co-authored-by: EmlynK
  Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
  Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta rol… * Bug fixes pr devel (#1137) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. 
* Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Missed one! * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. 
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. 
* Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. 
* Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. 
* Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. 
* Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. 
* For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. 
* Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. 
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
*…
* Bug fixes pr devel (#1140)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. 
* Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. 
* Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. 
* Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. 
* Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. 
* For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. 
* Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. 
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. 
* Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. 
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. 
* Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. 
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
…
* Vhosts handling pr devel (#1142)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)

This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.

* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. 
* Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. 
* We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. 
* We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. 
* Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. 
* Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. 
* Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. 
* We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. 
* Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. 
* Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. 
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. 
* Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. 
* Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. 
* We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. 
* Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. … * Opensearch fix pr devel (#1144) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. 
(#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. 
* Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. 
* Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. 
* Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. 
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. 
* Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. … * Opensearch fix3 pr devel (#1146) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. 
(#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. 
* Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. 
* Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. 
* Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. 
* Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. 
* We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. 
* We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. 
* Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. 
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
…
* Opensearch fix4 pr devel (#1148)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
…
* Bug fixes pr devel (#1151)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fi…
* Bug fixes pr devel (#1152)
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. 
* Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. 
(#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. 
* Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. 
* Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. 
* Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. 
* Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. 
* Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. 
* We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. 
* Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. 
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing di…
* Bug fixes pr devel (#1153)
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* …
* Bug fixes pr devel (#1155)
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh …
* Bug fixes pr devel (#1157)
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* Adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature bra…
* Bug fixes pr devel (#1159)
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to…
* Bug fixes pr devel (#1160)
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. 
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. 
* Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. 
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. 
* We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. 
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. 
* Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
* Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. 
* Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. 
* Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. 
* Add new Packer options to the ASG role as well. * Packer build options need … * Bug fixes pr devel (#1161) * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. 
* Missed one! * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. 
* Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. 
* Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. 
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. 
(#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. 
* GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. 
* Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. 
* Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. 
* Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. 
Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. 
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. 
* We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. 
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. 
* Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. 
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. 
* We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. 
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in; we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. 
* Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
* Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. 
* Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. 
* Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in; we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. 
* Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to … * r66647-changing-cloudalchemy-to-prometheus * Bug fixes pr devel (#1163) * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Missed one! 
* Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. 
* Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. 
* Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * Adding Apache role. * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. 
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. 
* Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
* Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. 
* Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. 
* Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. 
* Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds.… * Bug fixes pr devel (#1166) * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Missed one! 
* Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. 
* Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. 
* Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. 
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.

Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. 
* Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. 
* Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. 
* Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. … * R65629 update cron reload to use full service binary path pr devel (#1167) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. 
* Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. 
* Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! 
* Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. 
* Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. 
(#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. 
* We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. 
* No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. 
* Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. 
* Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. 
* Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. 
(#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. 
* We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. 
* No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. 
* Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. 
* Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. 
* Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. 
* Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. 
* Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. 
* Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. 
* Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. 
* Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. 
* Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. 
* We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. 
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the …
* Bug fixes pr devel (#1172)
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. 
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. 
* We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. 
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. 
* Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. 
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. 
* We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. 
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. 
* Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
* Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. 
* Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. 
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS AP…
* Duplicity apt to pip install role pr devel (#1174)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI b…
* We don't need to json filter anymore pr devel (#1177)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. 
(#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. 
(#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. 
(#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. 
(#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. 
* Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. 
* Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. 
Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. 
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. 
* We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. 
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. 
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI…
* Ansible 2.15.3 bug workaround attempt pr devel (#1179)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
  This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. 
* Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. 
* Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. 
* Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in … * Bug fixes pr devel (#1181) * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. 
* Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Missed one! * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. 
* Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. 
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. 
* Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. 
* Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. 
* We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. 
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management …
* Bug fixes pr devel (#1183)
* Fixing pipefail linting issues.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Missed one!
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.

Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. 
* Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. 
* Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. 
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. 
* Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. 
* Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. 
* We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS …
* Rkhunter pkgmgr pr devel (#1184)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)

This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.

* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.

Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. 
* Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. 
* Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. 
* Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error.
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD.
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. … * R66858 updating aws efs client to use correct variables pr devel (#1190) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files.
* Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. 
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. 
* Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. 
* Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. 
* Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. 
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the de…
* Bug fixes pr devel (#1192)
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. 
* We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. 
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. 
* Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* Bug fixes pr devel (#1193)
* Moving executable to args.
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. 
* Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. 
* Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains …
* Bug fixes pr devel (#1195)
* Trying the full Ansible namespace for ipsubnet() filter.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. 
* Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. 
* Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. 
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
* Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#676) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra opti… * Bug fixes pr devel (#1197) * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. 
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. 
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. 
* Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. 
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. 
* We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. 
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. 
* Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
* Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. 
* Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. 
* Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. 
* Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. 
* Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. 
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#676)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string…
* R57339 adding autodiscovery block in dupal common pr devel (#1199)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy m…
* Bug fixes pr devel (#1201)
* Bug fixes pr 1.x (#1057)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Bug fixes pr 1.x (#1059)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Update amazon.aws to 5.5.0.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* Upgrading to Debian 11 for new machines. (#1061)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Pin community.aws to v5.5.0 (#1064)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Bug fixes pr 1.x (#1066)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Bug fixes pr 1.x (#1068)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* R65626 rkhunter ssh config pr 1.x (#1071)
* r65626 fix rkhunter config to match sshd_config
* add Protocol var for ssh template
* tidying_up_task_output (#1073)
* apt_extra_packages_cache_update_change (#1075)
* r65886 unattended-upgrades schedule refreshes (#1085)
* Update defaults pr 1.x (#1081)
* Fixing up ce-provision defaults to latest stable or LTS versions.
* Updating docs.
* Adding ElastiCache role and docs for rkhunter and sshd. (#1089)
* Adding handling for /etc/sudo-ldap.conf. (#1093)
* Check that vars_dirs locations exist. (#1083)
* LDAP endpoints already contain protocol. (#1097)
* Ecs clusters pr 1.x (#1091)
* Adding ElastiCache role and docs for rkhunter and sshd.
* Re-ordering main tasks into a logical sequence and adding ECS creation.
* Double name accidentally introduced.
* Ecs clusters pr 1.x (#1101)
* Adding ElastiCache role and docs for rkhunter and sshd.
* Re-ordering main tasks into a logical sequence and adding ECS creation.
* Double name accidentally introduced.
* AWS LC migration to launch templates.
* Forgot to add region, profile and tags for Elasticache.
* Elasticache plugin doesn't support tags.
* Adding subnet group creation.
* Adding TODO for future memcached handling.
* Removing deprecated 'warn' arg from shell.
* Bug fixes pr 1.x (#1106)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* unpin boto3 version but leave ensure present task for now (#1108)
* Adding extra deploy perms for ECS and minor fixes.
* Bug fixes pr 1.x (#1112)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* Bug fixes pr 1.x (#1114)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Bug fixes pr 1.x (#1116)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Bug fixes pr 1.x (#1118)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Bug fixes pr 1.x (#1120)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Docs update and supporting multiple LDAP TLS connections.
* Bug fixes pr 1.x (#1122)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Docs update and supporting multiple LDAP TLS connections.
* Forgot to add cert check var to pam_ldap.
* Bug fixes pr 1.x (#1124)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Docs update and supporting multiple LDAP TLS connections.
* Forgot to add cert check var to pam_ldap.
* Ensuring we benefit from latest 5.5.x AWS collections.
* Allowing the python_boto role to set version.
* Bug fixes pr 1.x (#1127)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Docs update and supporting multiple LDAP TLS connections.
* Forgot to add cert check var to pam_ldap.
* Ensuring we benefit from latest 5.5.x AWS collections.
* Allowing the python_boto role to set version.
* Updating Packer version and adding README.
* Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default.
* Making different tasks for pip3 per OS version.
* Trying to install with pip3 and become: false.
* Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421.
* Installing nginx and mysql requirements for Python from apt in Debian 12.
* Casting Linux major version as an int for comparison.
* Only set cron updates for older Debian where pip3 is installed manually.
* Adding README to boto3 role.
* Some naming tidying up.
* Preparing ldap_server role for Debian 12.
* Preparing ansible role to work with Debian 12.
* Ensuring cloud-init exists on EC2 instances.
* Preparing ce_provision role for Debian 12.
* Do not need extra pip3 lines now.
* Tabbing error.
* Restricting roles installed in containers.
* Bug fixes pr 1.x (#1129)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Docs update and supporting multiple LDAP TLS connections.
* Forgot to add cert check var to pam_ldap.
* Ensuring we benefit from latest 5.5.x AWS collections.
* Allowing the python_boto role to set version.
* Updating Packer version and adding README.
* Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default.
* Making different tasks for pip3 per OS version.
* Trying to install with pip3 and become: false.
* Revert "Trying to install with pip3 and become: false."
  This reverts commit a47fdc72482ac6410956214113b173c760097421.
* Installing nginx and mysql requirements for Python from apt in Debian 12.
* Casting Linux major version as an int for comparison.
* Only set cron updates for older Debian where pip3 is installed manually.
* Adding README to boto3 role.
* Some naming tidying up.
* Preparing ldap_server role for Debian 12.
* Preparing ansible role to work with Debian 12.
* Ensuring cloud-init exists on EC2 instances.
* Preparing ce_provision role for Debian 12.
* Do not need extra pip3 lines now.
* Tabbing error.
* Restricting roles installed in containers.
* Adding new AWS OpenSearch role. (#986)
* Adding new AWS OpenSearch role.
* Adding new lines.
* move transport and sasl_passwd db generation from handler to task (#1136)
* Removing the build docs step so we just publish.
* Adding AWS OpenSearch role docs.
* Removing whitespace differences.
* Bug fixes pr 1.x (#1138)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Docs update and supporting multiple LDAP TLS connections.
* Forgot to add cert check var to pam_ldap.
* Ensuring we benefit from latest 5.5.x AWS collections.
* Allowing the python_boto role to set version.
* Updating Packer version and adding README.
* Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default.
* Making different tasks for pip3 per OS version.
* Trying to install with pip3 and become: false.
* Revert "Trying to install with pip3 and become: false."
  This reverts commit a47fdc72482ac6410956214113b173c760097421.
* Installing nginx and mysql requirements for Python from apt in Debian 12.
* Casting Linux major version as an int for comparison.
* Only set cron updates for older Debian where pip3 is installed manually.
* Adding README to boto3 role.
* Some naming tidying up.
* Preparing ldap_server role for Debian 12.
* Preparing ansible role to work with Debian 12.
* Ensuring cloud-init exists on EC2 instances.
* Preparing ce_provision role for Debian 12.
* Do not need extra pip3 lines now.
* Tabbing error.
* Restricting roles installed in containers.
* Removing the build docs step so we just publish.
* Adding AWS OpenSearch role docs.
* Removing whitespace differences.
* Adding bsd-mailx package to common_base so we always have the 'mail' command.
* Bug fixes pr 1.x (#1141)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Docs update and supporting multiple LDAP TLS connections.
* Forgot to add cert check var to pam_ldap.
* Ensuring we benefit from latest 5.5.x AWS collections.
* Allowing the python_boto role to set version.
* Updating Packer version and adding README.
* Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default.
* Making different tasks for pip3 per OS version.
* Trying to install with pip3 and become: false.
* Revert "Trying to install with pip3 and become: false."
  This reverts commit a47fdc72482ac6410956214113b173c760097421.
* Installing nginx and mysql requirements for Python from apt in Debian 12.
* Casting Linux major version as an int for comparison.
* Only set cron updates for older Debian where pip3 is installed manually.
* Adding README to boto3 role.
* Some naming tidying up.
* Preparing ldap_server role for Debian 12.
* Preparing ansible role to work with Debian 12.
* Ensuring cloud-init exists on EC2 instances.
* Preparing ce_provision role for Debian 12.
* Do not need extra pip3 lines now.
* Tabbing error.
* Restricting roles installed in containers.
* Removing the build docs step so we just publish.
* Adding AWS OpenSearch role docs.
* Removing whitespace differences.
* Adding bsd-mailx package to common_base so we always have the 'mail' command.
* vhosts_handling (#1143)
* vhosts_handling
* opensearch typo fix
* opensearch_fix (#1145)
* fix policy file type (#1147)
* opensearch_fix4 (#1149)
* Supporting multiple LDAP servers for GitLab Premium.
* Updating OpenSearch role docs.
* Fix bug that causes plays with no directories provided to _init to fail.
* Fixing variable for LDAP switch in Gitlab for CI builds.
* Bug fixes pr 1.x (#1150)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Docs update and supporting multiple LDAP TLS connections.
* Forgot to add cert check var to pam_ldap.
* Ensuring we benefit from latest 5.5.x AWS collections.
* Allowing the python_boto role to set version.
* Updating Packer version and adding README.
* Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default.
* Making different tasks for pip3 per OS version.
* Trying to install with pip3 and become: false.
* Revert "Trying to install with pip3 and become: false."
  This reverts commit a47fdc72482ac6410956214113b173c760097421.
* Installing nginx and mysql requirements for Python from apt in Debian 12.
* Casting Linux major version as an int for comparison.
* Only set cron updates for older Debian where pip3 is installed manually.
* Adding README to boto3 role.
* Some naming tidying up.
* Preparing ldap_server role for Debian 12.
* Preparing ansible role to work with Debian 12.
* Ensuring cloud-init exists on EC2 instances.
* Preparing ce_provision role for Debian 12.
* Do not need extra pip3 lines now.
* Tabbing error.
* Restricting roles installed in containers.
* Removing the build docs step so we just publish.
* Adding AWS OpenSearch role docs.
* Removing whitespace differences.
* Adding bsd-mailx package to common_base so we always have the 'mail' command.
* Supporting multiple LDAP servers for GitLab Premium.
* Updating OpenSearch role docs.
* Fix bug that causes plays with no directories provided to _init to fail.
* Fixing variable for LDAP switch in Gitlab for CI builds.
* Trying to run GitLab tests with ubuntu-latest to see if it fixes restart issues.
* Seeing if a docker restart fixes DNS problems.
* Adding a sudo to service restart.
* Ensuring dnsmasq is present.
* Using sudo for apt-get.
* Adding Ansible verbosity and stopping resolved so dnsmasq can start.
* apt needs resolved to fetch repos!
* Playing with service order.
* Commenting service handling.
* Disabling GitLab tests.
* Bug fixes pr 1.x (#1154)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Docs update and supporting multiple LDAP TLS connections.
* Forgot to add cert check var to pam_ldap.
* Ensuring we benefit from latest 5.5.x AWS collections.
* Allowing the python_boto role to set version.
* Updating Packer version and adding README.
* Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default.
* Making different tasks for pip3 per OS version.
* Trying to install with pip3 and become: false.
* Revert "Trying to install with pip3 and become: false."
  This reverts commit a47fdc72482ac6410956214113b173c760097421.
* Installing nginx and mysql requirements for Python from apt in Debian 12.
* Casting Linux major version as an int for comparison.
* Only set cron updates for older Debian where pip3 is installed manually.
* Adding README to boto3 role.
* Some naming tidying up.
* Preparing ldap_server role for Debian 12.
* Preparing ansible role to work with Debian 12.
* Ensuring cloud-init exists on EC2 instances.
* Preparing ce_provision role for Debian 12.
* Do not need extra pip3 lines now.
* Tabbing error.
* Restricting roles installed in containers.
* Removing the build docs step so we just publish.
* Adding AWS OpenSearch role docs.
* Removing whitespace differences.
* Adding bsd-mailx package to common_base so we always have the 'mail' command.
* Supporting multiple LDAP servers for GitLab Premium.
* Updating OpenSearch role docs.
* Fix bug that causes plays with no directories provided to _init to fail.
* Fixing variable for LDAP switch in Gitlab for CI builds.
* Trying to run GitLab tests with ubuntu-latest to see if it fixes restart issues.
* Seeing if a docker restart fixes DNS problems.
* Adding a sudo to service restart.
* Ensuring dnsmasq is present.
* Using sudo for apt-get.
* Adding Ansible verbosity and stopping resolved so dnsmasq can start.
* apt needs resolved to fetch repos!
* Playing with service order.
* Commenting service handling.
* Disabling GitLab tests.
* Making requirements docs Debian version specific.
* Bug fixes pr 1.x (#1156)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Docs update and supporting multiple LDAP TLS connections.
* Forgot to add cert check var to pam_ldap.
* Ensuring we benefit from latest 5.5.x AWS collections.
* Allowing the python_boto role to set version.
* Updating Packer version and adding README.
* Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default.
* Making different tasks for pip3 per OS version.
* Trying to install with pip3 and become: false.
* Revert "Trying to install with pip3 and become: false."
  This reverts commit a47fdc72482ac6410956214113b173c760097421.
* Installing nginx and mysql requirements for Python from apt in Debian 12.
* Casting Linux major version as an int for comparison.
* Only set cron updates for older Debian where pip3 is installed manually.
* Adding README to boto3 role.
* Some naming tidying up.
* Preparing ldap_server role for Debian 12.
* Preparing ansible role to work with Debian 12.
* Ensuring cloud-init exists on EC2 instances.
* Preparing ce_provision role for Debian 12.
* Do not need extra pip3 lines now.
* Tabbing error.
* Restricting roles installed in containers.
* Removing the build docs step so we just publish.
* Adding AWS OpenSearch role docs.
* Removing whitespace differences.
* Adding bsd-mailx package to common_base so we always have the 'mail' command.
* Supporting multiple LDAP servers for GitLab Premium.
* Updating OpenSearch role docs.
* Fix bug that causes plays with no directories provided to _init to fail.
* Fixing variable for LDAP switch in Gitlab for CI builds.
* Trying to run GitLab tests with ubuntu-latest to see if it fixes restart issues.
* Seeing if a docker restart fixes DNS problems.
* Adding a sudo to service restart.
* Ensuring dnsmasq is present.
* Using sudo for apt-get.
* Adding Ansible verbosity and stopping resolved so dnsmasq can start.
* apt needs resolved to fetch repos!
* Playing with service order.
* Commenting service handling.
* Disabling GitLab tests.
* Making requirements docs Debian version specific.
* Putting the ssh_server role higher up in meta plays.
* Using jinja2 to set a default PermitRootLogin variable in rkhunter.
* Missed an instance of galaxy management for ce_deploy.
* Missed ANOTHER instance of galaxy management for ce_deploy.
* Bug fixes pr 1.x (#1158)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Removing deprecated 'warn' arg from shell.
* Adding extra deploy perms for ECS and minor fixes.
* No sense in building CF aliases if we do not need them.
* Too many 'whens'.
* ECR module missing vital params.
* Failing because of undefined facts.
* Making SimpleSAMLphp SP names more readable.
* Fixing composer install bug introduced upstream, version param changed.
* Docs update and supporting multiple LDAP TLS connections.
* Forgot to add cert check var to pam_ldap.
* Ensuring we benefit from latest 5.5.x AWS collections.
* Allowing the python_boto role to set version.
* Updating Packer version and adding README.
* Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default.
* Making different tasks for pip3 per OS version.
* Trying to install with pip3 and become: false.
* Revert "Trying to install with pip3 and become: false."
  This reverts commit a47fdc72482ac6410956214113b173c760097421.
* Installing nginx and mysql requirements for Python from apt in Debian 12.
* Casting Linux major version as an int for comparison.
* Only set cron updates for older Debian where pip3 is installed manually.
* Adding README to boto3 role.
* Some naming tidying up.
* Preparing ldap_server role for Debian 12.
* Preparing ansible role to work with Debian 12.
* Ensuring cloud-init exists on EC2 instances.
* Preparing ce_provision role for Debian 12.
* Do not need extra pip3 lines now.
* Tabbing error.
* Restricting roles installed in containers.
* Removing the build docs step so we just publish.
* Adding AWS OpenSearch role docs.
* Removing whitespace differences.
* Adding bsd-mailx package to common_base so we always have the 'mail' command.
* Supporting multiple LDAP servers for GitLab Premium.
* Updating OpenSearch role docs.
* Fix …
* Bug fixes pr devel (#1203)
* No loop for galaxy, so cannot use 'item'.
* Bug fixes pr 1.x (#1059)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Update amazon.aws to 5.5.0.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* Upgrading to Debian 11 for new machines. (#1061)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Pin community.aws to v5.5.0 (#1064)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Bug fixes pr 1.x (#1066)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Supporting cron weekday for LetsEncrypt.
* Bug fixes pr 1.x (#1068)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * R65626 rkhunter ssh config pr 1.x (#1071) * r65626 fix rkhunter config to match sshd_config * add Protocol var for ssh template * tidying_up_task_output (#1073) * apt_extra_packages_cache_update_change (#1075) * r65886 unattended-upgrades schedule refreshes (#1085) * Update defaults pr 1.x (#1081) * Fixing up ce-provision defaults to latest stable or LTS versions. * Updating docs. * Adding ElastiCache role and docs for rkhunter and sshd. (#1089) * Adding handling for /etc/sudo-ldap.conf. (#1093) * Check that vars_dirs locations exist. (#1083) * LDAP endpoints already contain protocol. (#1097) * Ecs clusters pr 1.x (#1091) * Adding ElastiCache role and docs for rkhunter and sshd. * Re-ordering main tasks into a logical sequence and adding ECS creation. * Double name accidentally introduced. * Ecs clusters pr 1.x (#1101) * Adding ElastiCache role and docs for rkhunter and sshd. * Re-ordering main tasks into a logical sequence and adding ECS creation. * Double name accidentally introduced. 
* AWS LC migration to launch templates. * Forgot to add region, profile and tags for ElastiCache. * ElastiCache plugin doesn't support tags. * Adding subnet group creation. * Adding TODO for future memcached handling. * Removing deprecated 'warn' arg from shell. * Bug fixes pr 1.x (#1106) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. 
* Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * unpin boto3 version but leave ensure present task for now (#1108) * Adding extra deploy perms for ECS and minor fixes. * Bug fixes pr 1.x (#1112) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. 
* No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * Bug fixes pr 1.x (#1114) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. 
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Bug fixes pr 1.x (#1116) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. 
* Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Bug fixes pr 1.x (#1118) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. 
* Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Bug fixes pr 1.x (#1120) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. 
* Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Bug fixes pr 1.x (#1122) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. 
* Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Bug fixes pr 1.x (#1124) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. 
* Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. 
* Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Bug fixes pr 1.x (#1127) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. 
* No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Bug fixes pr 1.x (#1129) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. 
* Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Adding new AWS OpenSearch role. (#986) * Adding new AWS OpenSearch role. * Adding new lines. * move transport and sasl_passwd db generation from handler to task (#1136) * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Bug fixes pr 1.x (#1138) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. 
* Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. 
* Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Adding bsd-mailx package to common_base so we always have the 'mail' command. * Bug fixes pr 1.x (#1141) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. 
* Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." 
This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Adding bsd-mailx package to common_base so we always have the 'mail' command. * vhosts_handling (#1143) * vhosts_handling * opensearch typo fix * opensearch_fix (#1145) * fix policy file type (#1147) * opensearch_fix4 (#1149) * Supporting multiple LDAP servers for GitLab Premium. * Updating OpenSearch role docs. * Fix bug that causes plays with no directories provided to _init to fail. * Fixing variable for LDAP switch in Gitlab for CI builds. * Bug fixes pr 1.x (#1150) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. 
* Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." 
This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Adding bsd-mailx package to common_base so we always have the 'mail' command. * Supporting multiple LDAP servers for GitLab Premium. * Updating OpenSearch role docs. * Fix bug that causes plays with no directories provided to _init to fail. * Fixing variable for LDAP switch in Gitlab for CI builds. * Trying to run GitLab tests with ubuntu-latest to see if it fixes restart issues. * Seeing if a docker restart fixes DNS problems. * Adding a sudo to service restart. * Ensuring dnsmasq is present. * Using sudo for apt-get. * Adding Ansible verbosity and stopping resolved so dnsmasq can start. * apt needs resolved to fetch repos! * Playing with service order. * Commenting service handling. * Disabling GitLab tests. * Bug fixes pr 1.x (#1154) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. 
* Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. 
* Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Adding bsd-mailx package to common_base so we always have the 'mail' command. * Supporting multiple LDAP servers for GitLab Premium. * Updating OpenSearch role docs. * Fix bug that causes plays with no directories provided to _init to fail. * Fixing variable for LDAP switch in Gitlab for CI builds. * Trying to run GitLab tests with ubuntu-latest to see if it fixes restart issues. * Seeing if a docker restart fixes DNS problems. * Adding a sudo to service restart. * Ensuring dnsmasq is present. * Using sudo for apt-get. * Adding Ansible verbosity and stopping resolved so dnsmasq can start. * apt needs resolved to fetch repos! * Playing with service order. * Commenting service handling. * Disabling GitLab tests. * Making requirements docs Debian version specific. * Bug fixes pr 1.x (#1156) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. 
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. 
* Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Adding bsd-mailx package to common_base so we always have the 'mail' command. * Supporting multiple LDAP servers for GitLab Premium. * Updating OpenSearch role docs. * Fix bug that causes plays with no directories provided to _init to fail. * Fixing variable for LDAP switch in Gitlab for CI builds. * Trying to run GitLab tests with ubuntu-latest to see if it fixes restart issues. * Seeing if a docker restart fixes DNS problems. * Adding a sudo to service restart. * Ensuring dnsmasq is present. * Using sudo for apt-get. * Adding Ansible verbosity and stopping resolved so dnsmasq can start. * apt needs resolved to fetch repos! * Playing with service order. * Commenting service handling. 
* Disabling GitLab tests. * Making requirements docs Debian version specific. * Putting the ssh_server role higher up in meta plays. * Using jinja2 to set a default PermitRootLogin variable in rkhunter. * Missed an instance of galaxy management for ce_deploy. * Missed ANOTHER instance of galaxy management for ce_deploy. * Bug fixes pr 1.x (#1158) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. 
* Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Adding bsd-mailx package to common_base so we always have the 'mail' command. 
* Supporting multiple LDAP servers for GitLab Premium. * Updating OpenSearch role docs. * Fix bug that causes plays with no directories provided to _init to fail. * Fixing variable for LDAP switch in Gitlab for CI builds. * Trying to run GitLab tests with ubuntu-latest to see if it fixes restart issues. * Seeing if a docker restart fixes DNS problems. * Adding a sudo to service restart. * Ensuring dnsmasq is present. * Using sudo for apt-get. * Adding Ansible verbosity and stopping resolved so dnsmasq can start. * apt needs resolved to fetch repos! * Playing with service order. * Commenting service handling. * Disabling GitLab tests. * Making requirements docs Debian version specific. * Putting the ssh_server role higher up in meta plays. * Using jinja2 to set a default PermitRootLogin variable in rkhunter. * Missed an instance of galaxy management for ce_deploy. * Missed ANOTHER instance of galaxy management for ce_deploy. * Updating autoscale docs and adding ansible.windows collection for Wazuh. * Bug fixes pr 1.x (#1164) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. 
… * Nginx css js handling for drupal10 pr devel (#1205) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. (#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. 
* Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. 
* Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. 
* Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. 
* Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. 
* Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. 
* We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
…
* Nginx css js handling for drupal10 pr devel (#1207)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.

Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. 
* Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI … * Organizing nginx config pr devel (#1208) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982) * Sudo fix pr 1.x (#984) * Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 * Making sudo_config role more flexible. * Improving nginx docs post-training. * Updating documentation files. * Minor LE SSL docs changes. (#989) * Adding the ability to set system hostname to hosts role. (#991) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Hostname handling pr 1.x (#994) * Adding the ability to set system hostname to hosts role. * Removing trailing space. * Adding new line at end of mailname.j2. * Adding the option to search for EFS file systems by ID. (#996) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000) This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde. * Read only efs handling pr 1.x (#1002) * Adding the option to search for EFS file systems by ID. * Slight EFS docs update. * Updating EFS docs. * Adding note on how to find creation_token. * Allowing empty lists for RDS cloudwatch alarms. (#1005) * Cloudwatch alarms pr 1.x (#1007) * Allowing empty lists for RDS cloudwatch alarms. * Removing presumption of AWS from gitlab_runner role. * Bug fixes pr 1.x (#1009) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Bug fixes pr 1.x (#1011) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Need to create the letsencrypt group, user plugin won't do it for you. (#1015) * Adding reload option for LetsEncrypt renewal. 
(#1013) * Adding reload option for LetsEncrypt renewal. * (Hopefully) fixing linting. * Missed a 'run' line. * Improved rkhunter conf pr 1.x (#1017) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Improved rkhunter conf pr 1.x (#1019) * Adding more variables for better control of rkhunter config. * Adding rkhunter docs. * Removing unnecessary quotes. * Defaulting automated rkhunter updates after apt runs. * rkhunter_web_command (#1021) * rkhunter_web_command * add_quotes * Bug fixes pr 1.x (#1025) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Bug fixes pr 1.x (#1032) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Bug fixes pr 1.x (#1034) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Bug fixes pr 1.x (#1037) * Fixing shell issues with new runners. 
* Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Bug fixes pr 1.x (#1045) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. 
* Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Bug fixes pr 1.x (#1047) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Bug fixes pr 1.x (#1052) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. 
* Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Allowing setting of package versions for LHCI. (#1050) * Fix pyyaml pr 1.x (#1053) * 58848 apache role pr devel (#668) * adding apache role * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. 
* Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. 
* Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. 
* We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. 
* We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. 
* Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Fixing some conf and vhost errors. * Removing empty line in gitlab_runner tasks. * Fixing up Apache role to configure PHP-FPM as the back-end for PHP. Co-authored-by: Jean Pierre Dentone Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#669) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. 
* Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. 
* Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. 
* We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#671) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. 
* Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. 
* Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. 
* Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. 
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Remove alb healthchecks pr devel (#672) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. 
* Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. 
* Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. 
* We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio * Ami repack option pr devel (#674) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Backing out of Packer logging. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. 
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of …
* Drupal10 nginx rule order fix pr devel (#1210)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080 (#982)
* Sudo fix pr 1.x (#984)
* Changing sudoers order in nsswitch.conf - see https://unix.stackexchange.com/a/129080
* Making sudo_config role more flexible.
* Improving nginx docs post-training.
* Updating documentation files.
* Minor LE SSL docs changes. (#989)
* Adding the ability to set system hostname to hosts role. (#991)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Hostname handling pr 1.x (#994)
* Adding the ability to set system hostname to hosts role.
* Removing trailing space.
* Adding new line at end of mailname.j2.
* Adding the option to search for EFS file systems by ID. (#996)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Revert "Adding the option to search for EFS file systems by ID. (#996)" (#1000)
This reverts commit 8cb9c9a4c3605270361c02c6a7eda9ed01477bde.
* Read only efs handling pr 1.x (#1002)
* Adding the option to search for EFS file systems by ID.
* Slight EFS docs update.
* Updating EFS docs.
* Adding note on how to find creation_token.
* Allowing empty lists for RDS cloudwatch alarms. (#1005)
* Cloudwatch alarms pr 1.x (#1007)
* Allowing empty lists for RDS cloudwatch alarms.
* Removing presumption of AWS from gitlab_runner role.
* Bug fixes pr 1.x (#1009)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Bug fixes pr 1.x (#1011)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Need to create the letsencrypt group, user plugin won't do it for you. (#1015)
* Adding reload option for LetsEncrypt renewal. (#1013)
* Adding reload option for LetsEncrypt renewal.
* (Hopefully) fixing linting.
* Missed a 'run' line.
* Improved rkhunter conf pr 1.x (#1017)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Improved rkhunter conf pr 1.x (#1019)
* Adding more variables for better control of rkhunter config.
* Adding rkhunter docs.
* Removing unnecessary quotes.
* Defaulting automated rkhunter updates after apt runs.
* rkhunter_web_command (#1021)
* rkhunter_web_command
* add_quotes
* Bug fixes pr 1.x (#1025)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Bug fixes pr 1.x (#1032)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Bug fixes pr 1.x (#1034)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Bug fixes pr 1.x (#1037)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Bug fixes pr 1.x (#1045)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Bug fixes pr 1.x (#1047)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Bug fixes pr 1.x (#1052)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Allowing setting of package versions for LHCI. (#1050)
* Fix pyyaml pr 1.x (#1053)
* 58848 apache role pr devel (#668)
* adding apache role
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Fixing some conf and vhost errors.
* Removing empty line in gitlab_runner tasks.
* Fixing up Apache role to configure PHP-FPM as the back-end for PHP.
Co-authored-by: Jean Pierre Dentone
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
* Remove alb healthchecks pr devel (#669)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#671)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Remove alb healthchecks pr devel (#672)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.

Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio

* Ami repack option pr devel (#674)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Backing out of Packer logging.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI becau…
* Bug fixes pr devel (#1212)
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* Upgrading to Debian 11 for new machines. (#1061)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Pin community.aws to v5.5.0 (#1064)
* Fixing shell issues with new runners.
* Putting quotes around basic auth password file for Nginx.
* Must not surround SAN cert names with quotes for ACM.
* Some LDAP services might not necessarily be there.
* MySQL Server key out of date, moving to variable.
* Incorrect MySQL repo key.
* Trying a different key server.
* Loading service information into ansible_facts.
* Fixing vhost template bug that breaks LE.
* Excluding firewall from container builds.
* Fixing linting errors.
* Trying to fix linter paths.
* Removing trailing space in unattended-upgrades.
* Fixing ansible.builtin namespacing for linting.
* Fixing key-order linting issue in _init.
* Got 'when' and 'block' the wrong way around.
* One last ansible.builtin issue.
* Fixing jinja in when.
* Switching ignore_errors for failed_when.
* Adding auto-upgrade cron to pip and ansible.
* Create cron jobs to upgrade mandatory Galaxy collections.
* Adding defaults for package upgrades.
* Minor bug fix in galaxy handling.
* Make sure we install galaxy collections as the controller user.
* Literals need a double slash.
* Adding Galaxy upgrades to ce-deploy as well.
* Fixing inconsistent requirements.yml format for ce_deploy.
* Fixing pipefail linting issues.
* Missed one!
* Adding executable to shell commands with pipefail set.
* Moving executable to args.
* Moving ansible-lint run to latest Ubuntu.
* Trying the full Ansible namespace for ipsubnet() filter.
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0.
* Applying same galaxy changes to ce-provision.
* No loop for galaxy, so cannot use 'item'.
* Officially defaulting to Debian 11 (bullseye) for new machines.
* Upgrading amazon.aws to v5.5.0 in ce-deploy.
* community.aws also needs pinning at version 5.5.0.
* Adding week day support to clamscan cron.
* Updating docs.
* Bug fixes pr 1.x (#1066) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Bug fixes pr 1.x (#1068) * Fixing shell issues with new runners. 
* Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. 
* R65626 rkhunter ssh config pr 1.x (#1071) * r65626 fix rkhunter config to match sshd_config * add Protocol var for ssh template * tidying_up_task_output (#1073) * apt_extra_packages_cache_update_change (#1075) * r65886 unattended-upgrades schedule refreshes (#1085) * Update defaults pr 1.x (#1081) * Fixing up ce-provision defaults to latest stable or LTS versions. * Updating docs. * Adding ElastiCache role and docs for rkhunter and sshd. (#1089) * Adding handling for /etc/sudo-ldap.conf. (#1093) * Check that vars_dirs locations exist. (#1083) * LDAP endpoints already contain protocol. (#1097) * Ecs clusters pr 1.x (#1091) * Adding ElastiCache role and docs for rkhunter and sshd. * Re-ordering main tasks into a logical sequence and adding ECS creation. * Double name accidentally introduced. * Ecs clusters pr 1.x (#1101) * Adding ElastiCache role and docs for rkhunter and sshd. * Re-ordering main tasks into a logical sequence and adding ECS creation. * Double name accidentally introduced. * AWS LC migration to launch templates. * Forgot to add region, profile and tags for Elasticache. * Elasticache plugin doesn't support tags. * Adding subnet group creation. * Adding TODO for future memcached handling. * Removing deprecated 'warn' arg from shell. * Bug fixes pr 1.x (#1106) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. 
* One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * unpin boto3 version but leave ensure present task for now (#1108) * Adding extra deploy perms for ECS and minor fixes. * Bug fixes pr 1.x (#1112) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. 
* Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * Bug fixes pr 1.x (#1114) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. 
* Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Bug fixes pr 1.x (#1116) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. 
* Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Bug fixes pr 1.x (#1118) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. 
* MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. 
* Fixing composer install bug introduced upstream, version param changed. * Bug fixes pr 1.x (#1120) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. 
* Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Bug fixes pr 1.x (#1122) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. 
* Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Bug fixes pr 1.x (#1124) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. 
* Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Bug fixes pr 1.x (#1127) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. 
* Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. 
* Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Bug fixes pr 1.x (#1129) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. 
* Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. 
* Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Adding new AWS OpenSearch role. (#986) * Adding new AWS OpenSearch role. * Adding new lines. * move transport and sasl_passwd db generation from handler to task (#1136) * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Bug fixes pr 1.x (#1138) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. 
* Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. 
* Adding AWS OpenSearch role docs. * Removing whitespace differences. * Adding bsd-mailx package to common_base so we always have the 'mail' command. * Bug fixes pr 1.x (#1141) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. 
* Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Adding bsd-mailx package to common_base so we always have the 'mail' command. * vhosts_handling (#1143) * vhosts_handling * opensearch typo fix * opensearch_fix (#1145) * fix policy file type (#1147) * opensearch_fix4 (#1149) * Supporting multiple LDAP servers for GitLab Premium. * Updating OpenSearch role docs. 
* Fix bug that causes plays with no directories provided to _init to fail. * Fixing variable for LDAP switch in Gitlab for CI builds. * Bug fixes pr 1.x (#1150) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. 
* Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Adding bsd-mailx package to common_base so we always have the 'mail' command. * Supporting multiple LDAP servers for GitLab Premium. * Updating OpenSearch role docs. * Fix bug that causes plays with no directories provided to _init to fail. * Fixing variable for LDAP switch in Gitlab for CI builds. 
* Trying to run GitLab tests with ubuntu-latest to see if it fixes restart issues. * Seeing if a docker restart fixes DNS problems. * Adding a sudo to service restart. * Ensuring dnsmasq is present. * Using sudo for apt-get. * Adding Ansible verbosity and stopping resolved so dnsmasq can start. * apt needs resolved to fetch repos! * Playing with service order. * Commenting service handling. * Disabling GitLab tests. * Bug fixes pr 1.x (#1154) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. 
* Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. 
* Adding bsd-mailx package to common_base so we always have the 'mail' command. * Supporting multiple LDAP servers for GitLab Premium. * Updating OpenSearch role docs. * Fix bug that causes plays with no directories provided to _init to fail. * Fixing variable for LDAP switch in Gitlab for CI builds. * Trying to run GitLab tests with ubuntu-latest to see if it fixes restart issues. * Seeing if a docker restart fixes DNS problems. * Adding a sudo to service restart. * Ensuring dnsmasq is present. * Using sudo for apt-get. * Adding Ansible verbosity and stopping resolved so dnsmasq can start. * apt needs resolved to fetch repos! * Playing with service order. * Commenting service handling. * Disabling GitLab tests. * Making requirements docs Debian version specific. * Bug fixes pr 1.x (#1156) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. 
* Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. * Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. 
* Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Adding bsd-mailx package to common_base so we always have the 'mail' command. * Supporting multiple LDAP servers for GitLab Premium. * Updating OpenSearch role docs. * Fix bug that causes plays with no directories provided to _init to fail. * Fixing variable for LDAP switch in Gitlab for CI builds. * Trying to run GitLab tests with ubuntu-latest to see if it fixes restart issues. * Seeing if a docker restart fixes DNS problems. * Adding a sudo to service restart. * Ensuring dnsmasq is present. * Using sudo for apt-get. * Adding Ansible verbosity and stopping resolved so dnsmasq can start. * apt needs resolved to fetch repos! * Playing with service order. * Commenting service handling. * Disabling GitLab tests. * Making requirements docs Debian version specific. * Putting the ssh_server role higher up in meta plays. * Using jinja2 to set a default PermitRootLogin variable in rkhunter. * Missed an instance of galaxy management for ce_deploy. * Missed ANOTHER instance of galaxy management for ce_deploy. * Bug fixes pr 1.x (#1158) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. 
* Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. * Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto role to set version. * Updating Packer version and adding README. * Ensuring 'cron' package is installed as in Debian 12 (bookworm) it isn't by default. 
* Making different tasks for pip3 per OS version. * Trying to install with pip3 and become: false. * Revert "Trying to install with pip3 and become: false." This reverts commit a47fdc72482ac6410956214113b173c760097421. * Installing nginx and mysql requirements for Python from apt in Debian 12. * Casting Linux major version as an int for comparison. * Only set cron updates for older Debian where pip3 is installed manually. * Adding README to boto3 role. * Some naming tidying up. * Preparing ldap_server role for Debian 12. * Preparing ansible role to work with Debian 12. * Ensuring cloud-init exists on EC2 instances. * Preparing ce_provision role for Debian 12. * Do not need extra pip3 lines now. * Tabbing error. * Restricting roles installed in containers. * Removing the build docs step so we just publish. * Adding AWS OpenSearch role docs. * Removing whitespace differences. * Adding bsd-mailx package to common_base so we always have the 'mail' command. * Supporting multiple LDAP servers for GitLab Premium. * Updating OpenSearch role docs. * Fix bug that causes plays with no directories provided to _init to fail. * Fixing variable for LDAP switch in Gitlab for CI builds. * Trying to run GitLab tests with ubuntu-latest to see if it fixes restart issues. * Seeing if a docker restart fixes DNS problems. * Adding a sudo to service restart. * Ensuring dnsmasq is present. * Using sudo for apt-get. * Adding Ansible verbosity and stopping resolved so dnsmasq can start. * apt needs resolved to fetch repos! * Playing with service order. * Commenting service handling. * Disabling GitLab tests. * Making requirements docs Debian version specific. * Putting the ssh_server role higher up in meta plays. * Using jinja2 to set a default PermitRootLogin variable in rkhunter. * Missed an instance of galaxy management for ce_deploy. * Missed ANOTHER instance of galaxy management for ce_deploy. * Updating autoscale docs and adding ansible.windows collection for Wazuh. 
* Bug fixes pr 1.x (#1164) * Fixing shell issues with new runners. * Putting quotes around basic auth password file for Nginx. * Must not surround SAN cert names with quotes for ACM. * Some LDAP services might not necessarily be there. * MySQL Server key out of date, moving to variable. * Incorrect MySQL repo key. * Trying a different key server. * Loading service information into ansible_facts. * Fixing vhost template bug that breaks LE. * Excluding firewall from container builds. * Fixing linting errors. * Trying to fix linter paths. * Removing trailing space in unattended-upgrades. * Fixing ansible.builtin namespacing for linting. * Fixing key-order linting issue in _init. * Got 'when' and 'block' the wrong way around. * One last ansible.builtin issue. * Fixing jinja in when. * Switching ignore_errors for failed_when. * Adding auto-upgrade cron to pip and ansible. * Create cron jobs to upgrade mandatory Galaxy collections. * Adding defaults for package upgrades. * Minor bug fix in galaxy handling. * Make sure we install galaxy collections as the controller user. * Literals need a double slash. * Adding Galaxy upgrades to ce-deploy as well. * Fixing inconsistent requirements.yml format for ce_deploy. * Fixing pipefail linting issues. * Missed one! * Adding executable to shell commands with pipefail set. * Moving executable to args. * Moving ansible-lint run to latest Ubuntu. * Trying the full Ansible namespace for ipsubnet() filter. * Improving galaxy upgrade handling and pinning amazon.aws collection at version 4.5.0. * Applying same galaxy changes to ce-provision. * No loop for galaxy, so cannot use 'item'. * Officially defaulting to Debian 11 (bullseye) for new machines. * Upgrading amazon.aws to v5.5.0 in ce-deploy. * community.aws also needs pinning at version 5.5.0. * Adding week day support to clamscan cron. * Updating docs. * Supporting cron weekday for LetsEncrypt. * Removing deprecated 'warn' arg from shell. 
* Adding extra deploy perms for ECS and minor fixes. * No sense in building CF aliases if we do not need them. * Too many 'whens'. * ECR module missing vital params. * Failing because of undefined facts. * Making SimpleSAMLphp SP names more readable. * Fixing composer install bug introduced upstream, version param changed. * Docs update and supporting multiple LDAP TLS connections. * Forgot to add cert check var to pam_ldap. * Ensuring we benefit from latest 5.5.x AWS collections. * Allowing the python_boto … * Refactoring entire role structure. * Moving the wazuh role to debian packages. * Updating location of wazuh roles. * Migrating cron to systemd timers for ce_provision. * Migrating LE cron to systemd timer. * Updated docs. * Removing last cron mentions from ssl README. * Updated docs. * Migrating ldap_server role to using sysmtemd timer for backups. * Moving ossec-server to using systemd timers instead of cron. * New IAM fine-grained policies for AWS billing access. * Moving jenkins key renewal daily cron to a systemd timer. * Removing obsolete version-specific ansible tasks. * Moving Duplicity nightly backup job to a systemd timer. * Migrating clamav cron job to a systemd timer. * Documentation update. * Adding a systemd timer to upgrade Ansible. * Migrating ce_deploy role to venv and systemd timers. * Updating ce-dev config for 2.x dev. * Temporarily adding roles/ce_provision to .gitignore. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> --- .github/workflows/ce-provision-build-docs.yml | 52 +++++++++ .gitignore | 3 + ce-dev/README.md | 10 +- .../ansible/vars/provision/ce_provision.yml | 2 +- ce-dev/ce-dev.compose.yml | 6 +- docs/_Sidebar.md | 48 +-------- docs/roles/ansible.md | 27 ----- docs/roles/contrib.md | 4 + docs/roles/contrib/systemd_timers.md | 90 ++++++++++++++++ docs/roles/debian/ansible.md | 24 +++++ docs/roles/{ => debian}/apache.md | 0 docs/roles/{ => debian}/apt_extra_packages.md | 0 .../{ => debian}/apt_unattended_upgrades.md | 0 docs/roles/{aws => debian}/aws_cli.md | 0 .../{ => debian}/aws_cloudwatch_agent.md | 0 docs/roles/{aws => debian}/aws_efs_client.md | 0 docs/roles/{ => debian}/aws_ssm_agent.md | 0 docs/roles/{ => debian}/ce_deploy.md | 14 ++- docs/roles/{ => debian}/ce_dev.md | 0 docs/roles/{ => debian}/ce_patcher.md | 0 docs/roles/{ => debian}/ce_provision.md | 23 ++-- docs/roles/{ => debian}/clamav.md | 9 +- docs/roles/{ => debian}/firewall_config.md | 0 docs/roles/{ => debian}/frontail.md | 0 docs/roles/{ => debian}/gitlab.md | 0 
docs/roles/{ => debian}/gitlab_runner.md | 0 docs/roles/{ => debian}/gpg_key.md | 0 docs/roles/{ => debian}/haproxy.md | 0 docs/roles/{ => debian}/hosts.md | 0 docs/roles/{ => debian}/jenkins.md | 2 + docs/roles/{ => debian}/jitsi.md | 0 docs/roles/{ => debian}/ldap_server.md | 3 +- docs/roles/{ => debian}/lhci.md | 0 docs/roles/{ => debian}/mount_sync.md | 0 docs/roles/{ => debian}/mysql_client.md | 0 .../{ => debian}/mysql_server_oracle_ce.md | 0 docs/roles/{ => debian}/nginx.md | 0 docs/roles/{ => debian}/nodejs.md | 0 docs/roles/{ => debian}/openvpn_config.md | 0 docs/roles/{ => debian}/ossec.md | 0 docs/roles/{ => debian}/packer.md | 0 docs/roles/{ => debian}/php_composer.md | 0 docs/roles/{ => debian}/php_xdebug.md | 0 docs/roles/{ => debian}/postfix.md | 0 docs/roles/{ => debian}/process_manager.md | 0 docs/roles/debian/python_boto.md | 17 +++ docs/roles/debian/python_common.md | 24 +++++ docs/roles/{ => debian}/rkhunter.md | 0 docs/roles/{ => debian}/rsyslog.md | 0 docs/roles/{ => debian}/solr.md | 0 docs/roles/{ => debian}/ssh_server.md | 0 docs/roles/{ => debian}/ssl.md | 14 ++- docs/roles/{ => debian}/sudo_config.md | 0 docs/roles/{ => debian}/varnish_config.md | 0 docs/roles/{ => debian}/wazuh.md | 2 - docs/roles/python_boto.md | 14 --- docs/roles/python_pip.md | 32 ------ roles/_meta/common_base/meta/main.yml | 22 ++-- roles/ansible/README.md | 27 ----- roles/ansible/defaults/main.yml | 14 --- roles/ansible/tasks/10.yml | 63 ----------- roles/ansible/tasks/11.yml | 63 ----------- roles/ansible/tasks/12.yml | 10 -- roles/ansible/tasks/main.yml | 14 --- .../templates/access_billing_policy.j2 | 24 ++++- roles/ce_deploy/meta/main.yml | 5 - roles/ce_provision/meta/main.yml | 7 -- roles/clamav/tasks/main.yml | 38 ------- roles/contrib/README.md | 4 + roles/debian/ansible/README.md | 24 +++++ roles/debian/ansible/defaults/main.yml | 11 ++ roles/debian/ansible/tasks/main.yml | 57 ++++++++++ roles/{ => debian}/apache/README.md | 0 roles/{ => 
debian}/apache/defaults/main.yml | 0 roles/{ => debian}/apache/tasks/domain.yml | 0 roles/{ => debian}/apache/tasks/main.yml | 0 .../apache/templates/_common.conf.j2 | 0 .../apache/templates/apache2.conf.j2 | 0 .../apache/templates/cloudwatch-main.json.j2 | 0 .../apache/templates/cloudwatch-vhost.json.j2 | 0 .../apache/templates/drupal7.conf.j2 | 0 .../apache/templates/flat.conf.j2 | 0 .../apache/templates/nagios.conf.j2 | 0 .../apache/templates/php-fpm.conf.j2 | 0 roles/{ => debian}/apache/templates/vhosts.j2 | 0 .../{ => debian}/apt_extra_packages/README.md | 0 .../apt_extra_packages/defaults/main.yml | 0 .../apt_extra_packages/tasks/main.yml | 0 .../apt_unattended_upgrades/README.md | 0 .../apt_unattended_upgrades/defaults/main.yml | 0 .../apt_unattended_upgrades/tasks/main.yml | 0 .../templates/20auto-upgrades.j2 | 0 .../templates/50unattended-upgrades.j2 | 0 roles/{aws => debian}/aws_cli/README.md | 0 .../{aws => debian}/aws_cli/defaults/main.yml | 0 roles/{aws => debian}/aws_cli/tasks/main.yml | 0 .../aws_cloudwatch_agent/README.md | 0 .../aws_cloudwatch_agent/defaults/main.yml | 0 .../aws_cloudwatch_agent/tasks/main.yml | 0 .../templates/config.json.j2 | 0 .../templates/credentials.j2 | 0 .../{aws => debian}/aws_efs_client/README.md | 0 .../aws_efs_client/defaults/main.yml | 0 .../aws_efs_client/tasks/fstab.yml | 0 .../aws_efs_client/tasks/main.yml | 0 .../aws_efs_client/templates/init.sh.j2 | 0 roles/{ => debian}/aws_ssm_agent/README.md | 0 .../aws_ssm_agent/defaults/main.yml | 0 .../{ => debian}/aws_ssm_agent/tasks/main.yml | 0 roles/{ => debian}/ce_deploy/README.md | 14 ++- roles/{ => debian}/ce_deploy/ansible.cfg | 0 .../{ => debian}/ce_deploy/defaults/main.yml | 14 ++- roles/debian/ce_deploy/meta/main.yml | 3 + .../ce_deploy/meta/requirements-10.yml | 0 .../ce_deploy/meta/requirements-11.yml | 0 .../ce_deploy/meta/requirements-12.yml | 0 roles/{ => debian}/ce_deploy/tasks/main.yml | 69 ++++++------ roles/{ => debian}/ce_dev/README.md | 0 roles/{ => 
debian}/ce_dev/tasks/main.yml | 0 roles/{ => debian}/ce_patcher/README.md | 0 .../{ => debian}/ce_patcher/defaults/main.yml | 0 roles/{ => debian}/ce_patcher/tasks/main.yml | 0 roles/{ => debian}/ce_provision/README.md | 23 ++-- roles/{ => debian}/ce_provision/ansible.cfg | 0 .../ce_provision/defaults/main.yml | 23 ++-- roles/debian/ce_provision/meta/main.yml | 5 + .../ce_provision/meta/requirements-10.yml | 0 .../ce_provision/meta/requirements-11.yml | 0 .../ce_provision/meta/requirements-12.yml | 0 .../{ => debian}/ce_provision/tasks/main.yml | 100 ++++++++---------- roles/{ => debian}/clamav/README.md | 9 +- roles/{ => debian}/clamav/defaults/main.yml | 7 +- roles/{ => debian}/clamav/meta/main.yml | 0 roles/debian/clamav/tasks/main.yml | 31 ++++++ .../{ => debian}/clamav/templates/clamscan.j2 | 0 roles/{ => debian}/docker_ce/tasks/main.yml | 0 .../docker_compose/defaults/main.yml | 0 .../{ => debian}/docker_compose/meta/main.yml | 0 .../docker_compose/tasks/main.yml | 0 .../docker_registry/defaults/main.yml | 0 .../docker_registry/meta/main.yml | 0 .../docker_registry/tasks/main.yml | 0 .../templates/docker-compose.yml.j2 | 0 .../{ => debian}/duplicity/defaults/main.yml | 4 +- roles/{ => debian}/duplicity/meta/main.yml | 0 roles/{ => debian}/duplicity/tasks/main.yml | 17 +-- .../duplicity/templates/duplicity_backup.j2 | 0 .../duplicity/templates/duplicity_clean.j2 | 0 .../duplicity/templates/duplicity_restore.j2 | 0 .../templates/include-exclude-filelist.j2 | 0 roles/{ => debian}/firewall_config/README.md | 0 .../firewall_config/defaults/main.yml | 0 .../firewall_config/tasks/main.yml | 0 roles/{ => debian}/frontail/README.md | 0 roles/{ => debian}/frontail/defaults/main.yml | 0 roles/{ => debian}/frontail/meta/main.yml | 0 roles/{ => debian}/frontail/tasks/main.yml | 0 .../frontail/templates/frontail.service.j2 | 0 roles/{ => debian}/gitlab/README.md | 0 roles/{ => debian}/gitlab/defaults/main.yml | 0 roles/{ => debian}/gitlab/meta/main.yml | 0 roles/{ => 
debian}/gitlab/tasks/main.yml | 0 .../gitlab/templates/docker-init.sh.j2 | 0 .../gitlab/templates/gitlab-config.rb.j2 | 0 .../gitlab/templates/gitlab.rb.j2 | 0 roles/{ => debian}/gitlab_runner/README.md | 0 .../gitlab_runner/defaults/main.yml | 0 .../{ => debian}/gitlab_runner/meta/main.yml | 0 .../{ => debian}/gitlab_runner/tasks/main.yml | 0 .../gitlab_runner/templates/fargate.toml.j2 | 0 .../gitlab_runner/templates/override.conf.j2 | 0 roles/{ => debian}/gpg_key/README.md | 0 roles/{ => debian}/gpg_key/defaults/main.yml | 0 roles/{ => debian}/gpg_key/tasks/gpg.yml | 0 roles/{ => debian}/gpg_key/tasks/main.yml | 0 roles/{ => debian}/gpg_key/templates/gpg.j2 | 0 roles/{ => debian}/haproxy/README.md | 0 roles/{ => debian}/haproxy/defaults/main.yml | 0 roles/{ => debian}/haproxy/tasks/main.yml | 0 .../templates/haproxy-ssl-passthru.cfg.j2 | 0 .../templates/haproxy-ssl-terminate.cfg.j2 | 0 .../haproxy/templates/startup.sh.j2 | 0 roles/{ => debian}/hosts/README.md | 0 roles/{ => debian}/hosts/defaults/main.yml | 0 roles/{ => debian}/hosts/handlers/main.yml | 0 roles/{ => debian}/hosts/tasks/main.yml | 0 .../{ => debian}/hosts/templates/etc_hosts.j2 | 0 .../{ => debian}/hosts/templates/hostname.j2 | 0 roles/{ => debian}/hosts/vars/main.yml | 0 roles/{ => debian}/jenkins/README.md | 2 + roles/{ => debian}/jenkins/defaults/main.yml | 2 + roles/{ => debian}/jenkins/handlers/main.yml | 0 roles/{ => debian}/jenkins/meta/main.yml | 0 roles/{ => debian}/jenkins/tasks/main.yml | 15 ++- .../templates/basic-security.groovy.j2 | 0 .../templates/jenkins-cert-renewal.sh.j2 | 0 .../{ => debian}/jenkins/templates/jenkins.j2 | 0 roles/{ => debian}/jitsi/README.md | 0 roles/{ => debian}/jitsi/defaults/main.yml | 0 roles/{ => debian}/jitsi/tasks/main.yml | 0 roles/{ => debian}/ldap_server/README.md | 3 +- .../ldap_server/defaults/main.yml | 3 +- roles/debian/ldap_server/meta/main.yml | 3 + roles/{ => debian}/ldap_server/tasks/main.yml | 25 ++--- .../ldap_server/tasks/replication.yml | 0 
.../ldap_server/templates/slap-bak.j2 | 0 .../ldap_server/templates/slapd.j2 | 0 roles/{ => debian}/lhci/README.md | 0 roles/{ => debian}/lhci/defaults/main.yml | 0 roles/{ => debian}/lhci/meta/main.yml | 0 roles/{ => debian}/lhci/tasks/main.yml | 0 roles/{ => debian}/locales/defaults/main.yml | 0 roles/{ => debian}/locales/tasks/main.yml | 0 .../locales/templates/locale.gen.j2 | 0 .../{ => debian}/locales/templates/locale.j2 | 0 .../{ => debian}/memcached/defaults/main.yml | 0 roles/{ => debian}/memcached/tasks/main.yml | 0 .../memcached/templates/memcached.conf.j2 | 0 .../memcached/templates/startup.sh.j2 | 0 roles/{ => debian}/mount_sync/README.md | 0 .../{ => debian}/mount_sync/defaults/main.yml | 0 roles/{ => debian}/mount_sync/meta/main.yml | 0 roles/{ => debian}/mount_sync/tasks/main.yml | 0 .../mount_sync/templates/init-squashfs.sh.j2 | 0 .../mount_sync/templates/init-tarballs.sh.j2 | 0 roles/{ => debian}/mysql_client/README.md | 0 .../mysql_client/defaults/main.yml | 0 roles/debian/mysql_client/meta/main.yml | 3 + .../{ => debian}/mysql_client/tasks/main.yml | 0 .../mysql_client/templates/mysql.creds.j2 | 0 .../mysql_server_mariadb}/defaults/main.yml | 0 .../mysql_server_mariadb/tasks/main.yml | 0 .../templates/mysql_dev.cnf.j2 | 0 .../mysql_server_oracle_ce/README.md | 0 .../mysql_server_oracle_ce/defaults/main.yml | 4 + .../mysql_server_oracle_ce/tasks/main.yml | 0 .../templates/mysql.pref.j2 | 0 .../templates/mysql_dev.cnf.j2 | 0 .../templates/startup.sh.j2 | 0 roles/{ => debian}/nginx/README.md | 0 roles/{ => debian}/nginx/defaults/main.yml | 0 roles/debian/nginx/meta/main.yml | 3 + roles/{ => debian}/nginx/tasks/domain.yml | 0 roles/{ => debian}/nginx/tasks/main.yml | 0 roles/{ => debian}/nginx/templates/_common.j2 | 0 .../nginx/templates/cloudwatch-main.json.j2 | 0 .../nginx/templates/cloudwatch-vhost.json.j2 | 0 roles/{ => debian}/nginx/templates/custom.j2 | 0 .../nginx/templates/docker_registry.j2 | 0 .../{ => debian}/nginx/templates/drupal10.j2 | 
0 roles/{ => debian}/nginx/templates/drupal7.j2 | 0 roles/{ => debian}/nginx/templates/drupal8.j2 | 0 .../nginx/templates/drupal_common.j2 | 0 roles/{ => debian}/nginx/templates/flat.j2 | 0 .../nginx/templates/maintenance-vhosts.j2 | 0 .../nginx/templates/maintenance.html.j2 | 0 roles/{ => debian}/nginx/templates/matomo.j2 | 0 roles/{ => debian}/nginx/templates/mautic.j2 | 0 .../nginx/templates/nginx.conf.j2 | 0 roles/{ => debian}/nginx/templates/proxy.j2 | 0 .../nginx/templates/simplesamlphp.j2 | 0 .../{ => debian}/nginx/templates/symfony3.j2 | 0 .../{ => debian}/nginx/templates/symfony4.j2 | 0 .../nginx/templates/vhost_letsencrypt.j2 | 0 roles/{ => debian}/nginx/templates/vhosts.j2 | 0 .../{ => debian}/nginx/templates/wordpress.j2 | 0 roles/{ => debian}/nodejs/README.md | 0 roles/{ => debian}/nodejs/defaults/main.yml | 0 roles/{ => debian}/nodejs/meta/main.yml | 0 roles/{ => debian}/nodejs/tasks/main.yml | 0 .../nodejs/templates/nodesource.pref.j2 | 0 roles/{ => debian}/openjdk/defaults/main.yml | 0 roles/{ => debian}/openjdk/tasks/main.yml | 0 roles/{ => debian}/openvpn_config/README.md | 0 .../openvpn_config/defaults/main.yml | 0 .../openvpn_config/tasks/main.yml | 0 .../templates/auth-ldap.conf.j2 | 0 .../openvpn_config/templates/openvpn.j2 | 0 .../openvpn_config/templates/vars.j2 | 0 roles/{ => debian}/ossec/README.md | 0 roles/{ => debian}/ossec/defaults/main.yml | 0 .../{ => debian}/ossec/files/local_rules.xml | 0 .../ossec/files/ossec-client-logrotate | 0 roles/{ => debian}/ossec/handlers/main.yml | 0 roles/{ => debian}/ossec/tasks/main.yml | 0 .../{ => debian}/ossec/tasks/ossec-client.yml | 0 .../{ => debian}/ossec/tasks/ossec-server.yml | 20 ++-- .../ossec/templates/authd.pass.j2 | 0 .../ossec/templates/ossec.conf.j2 | 0 .../ossec/templates/ossec_watchdog.j2 | 0 roles/{ => debian}/packer/README.md | 0 roles/{ => debian}/packer/defaults/main.yml | 0 roles/{ => debian}/packer/tasks/main.yml | 0 roles/{ => debian}/pam_ldap/defaults/main.yml | 0 
.../pam_ldap/files/common-account | 0 roles/{ => debian}/pam_ldap/files/common-auth | 0 .../pam_ldap/files/common-password | 0 .../pam_ldap/files/common-session | 0 .../files/common-session-noninteractive | 0 roles/{ => debian}/pam_ldap/tasks/main.yml | 0 .../pam_ldap/templates/ldap-bindpw.j2 | 0 .../pam_ldap/templates/ldap.conf.j2 | 0 .../pam_ldap/templates/nslcd.conf.j2 | 0 .../pam_ldap/templates/nsswitch.conf.j2 | 0 .../templates/ssh-getkey-ldap-wrapper.sh.j2 | 0 .../pam_ldap/templates/sudo-ldap.conf.j2 | 0 .../{ => debian}/pam_linotp/defaults/main.yml | 0 roles/{ => debian}/pam_linotp/tasks/main.yml | 0 .../pam_linotp/templates/common-linotp.j2 | 0 roles/{ => debian}/php-cli/defaults/main.yml | 0 roles/{ => debian}/php-cli/meta/main.yml | 0 roles/{ => debian}/php-cli/tasks/main.yml | 0 .../php-cli/templates/php.cli.ini.j2 | 0 .../{ => debian}/php-common/defaults/main.yml | 0 roles/{ => debian}/php-common/meta/main.yml | 0 roles/{ => debian}/php-common/tasks/main.yml | 0 .../php-common/templates/sury.pref.j2 | 0 roles/{ => debian}/php-fpm/defaults/main.yml | 0 roles/{ => debian}/php-fpm/meta/main.yml | 0 roles/{ => debian}/php-fpm/tasks/main.yml | 0 .../php-fpm/templates/php.fpm.ini.j2 | 0 .../php-fpm/templates/www.conf.j2 | 0 roles/{ => debian}/php-imagick/tasks/main.yml | 0 .../php_blackfire/defaults/main.yml | 0 .../{ => debian}/php_blackfire/tasks/main.yml | 0 .../php_blackfire/templates/agent.j2 | 0 .../php_blackfire/templates/blackfire.ini.j2 | 0 .../php_blackfire/templates/startup.sh.j2 | 0 roles/{ => debian}/php_composer/README.md | 0 .../php_composer/defaults/main.yml | 0 roles/{ => debian}/php_composer/meta/main.yml | 0 .../{ => debian}/php_composer/tasks/main.yml | 0 roles/{ => debian}/php_xdebug/README.md | 0 .../{ => debian}/php_xdebug/defaults/main.yml | 0 roles/{ => debian}/php_xdebug/tasks/main.yml | 0 .../php_xdebug/templates/30-xdebug-dev.ini.j2 | 0 roles/{ => debian}/postfix/README.md | 0 roles/{ => debian}/postfix/defaults/main.yml | 0 
roles/{ => debian}/postfix/files/master.cf | 0 roles/{ => debian}/postfix/handlers/main.yml | 0 roles/{ => debian}/postfix/tasks/main.yml | 0 .../postfix/templates/mailname.j2 | 0 .../{ => debian}/postfix/templates/main.cf.j2 | 0 .../postfix/templates/procmailrc_host.j2 | 0 .../postfix/templates/procmailrc_null.j2 | 0 .../postfix/templates/sasl_passwd.j2 | 0 .../postfix/templates/transport.j2 | 0 .../{ => debian}/postfix/templates/virtual.j2 | 0 roles/{ => debian}/process_manager/README.md | 0 .../process_manager/defaults/main.yml | 0 .../process_manager/tasks/main.yml | 0 .../process_manager/tasks/stop.yml | 0 roles/debian/python_boto/README.md | 17 +++ roles/debian/python_boto/defaults/main.yml | 5 + roles/debian/python_boto/meta/main.yml | 3 + roles/debian/python_boto/tasks/main.yml | 18 ++++ roles/debian/python_common/README.md | 24 +++++ roles/debian/python_common/defaults/main.yml | 12 +++ roles/debian/python_common/tasks/main.yml | 11 ++ roles/{ => debian}/redis/defaults/main.yml | 0 roles/{ => debian}/redis/tasks/main.yml | 0 .../redis/templates/dotdeb.pref.j2 | 0 .../redis/templates/redis.conf.j2 | 0 .../redis/templates/redis.sysctl.j2 | 0 .../redis/templates/startup.sh.j2 | 0 roles/{ => debian}/rkhunter/README.md | 0 roles/{ => debian}/rkhunter/defaults/main.yml | 0 roles/{ => debian}/rkhunter/handlers/main.yml | 0 roles/{ => debian}/rkhunter/tasks/main.yml | 0 .../rkhunter/templates/rkhunter.conf.j2 | 0 .../rkhunter/templates/rkhunter.default.j2 | 0 roles/{ => debian}/rsyslog/README.md | 0 roles/{ => debian}/rsyslog/defaults/main.yml | 0 roles/{ => debian}/rsyslog/tasks/main.yml | 0 .../rsyslog/templates/rsyslog.client.conf.j2 | 0 .../rsyslog/templates/rsyslog.server.conf.j2 | 0 roles/{ => debian}/selenium/defaults/main.yml | 0 roles/{ => debian}/selenium/meta/main.yml | 0 roles/{ => debian}/selenium/tasks/main.yml | 0 .../templates/selenium-daemon-start-VNC.j2 | 0 .../templates/selenium-daemon-start-XVFB.j2 | 0 .../templates/selenium-daemon-stop.j2 | 0 
.../selenium/templates/selenium.init.j2 | 0 .../selenium/templates/startup.sh.j2 | 0 .../selenium/templates/xstartup.j2 | 0 roles/{ => debian}/solr/README.md | 0 roles/{ => debian}/sops/defaults/main.yml | 0 roles/{ => debian}/sops/tasks/main.yml | 0 roles/{ => debian}/squashfs/meta/main.yml | 0 roles/{ => debian}/squashfs/tasks/main.yml | 0 roles/{ => debian}/ssh_server/README.md | 0 .../{ => debian}/ssh_server/defaults/main.yml | 0 roles/{ => debian}/ssh_server/tasks/main.yml | 0 .../ssh_server/templates/group_block.j2 | 0 .../ssh_server/templates/sshd_config.j2 | 0 .../ssh_server/templates/user_block.j2 | 0 roles/{ => debian}/ssl/README.md | 14 ++- roles/{ => debian}/ssl/defaults/main.yml | 14 ++- roles/{ => debian}/ssl/tasks/copy.yml | 0 roles/{ => debian}/ssl/tasks/generate.yml | 0 roles/{ => debian}/ssl/tasks/letsencrypt.yml | 28 ++--- roles/{ => debian}/ssl/tasks/main.yml | 0 roles/{ => debian}/ssl/tasks/manual.yml | 0 roles/{ => debian}/ssl/tasks/selfsigned.yml | 0 roles/{ => debian}/ssl/tasks/unmanaged.yml | 0 .../{ => debian}/ssl/templates/le_cron.sh.j2 | 0 roles/{ => debian}/sudo_config/README.md | 0 .../sudo_config/defaults/main.yml | 0 roles/{ => debian}/sudo_config/tasks/main.yml | 0 .../sudo_config/templates/sudoer.j2 | 0 .../{ => debian}/terraform/defaults/main.yml | 0 roles/{ => debian}/terraform/tasks/main.yml | 0 .../user_ansible/defaults/main.yml | 0 .../{ => debian}/user_ansible/tasks/main.yml | 0 .../user_deploy/defaults/main.yml | 0 roles/{ => debian}/user_deploy/tasks/main.yml | 0 .../user_provision/defaults/main.yml | 0 .../user_provision/tasks/main.yml | 0 .../{ => debian}/user_root/defaults/main.yml | 0 roles/{ => debian}/user_root/tasks/main.yml | 0 roles/{ => debian}/vagrant/defaults/main.yml | 0 roles/{ => debian}/vagrant/tasks/main.yml | 0 roles/{ => debian}/varnish_config/README.md | 0 .../varnish_config/defaults/main.yml | 0 .../{ => debian}/varnish_config/meta/main.yml | 0 .../varnish_config/tasks/main.yml | 0 
.../varnish_config/templates/default.vcl.j2 | 0 roles/{ => debian}/wazuh/README.md | 2 - roles/{ => debian}/wazuh/defaults/main.yml | 2 - roles/{ => debian}/wazuh/tasks/main.yml | 22 ++-- roles/duplicity/templates/duplicity-cron.j2 | 2 - roles/ldap_server/meta/main.yml | 3 - roles/mysql_client/meta/main.yml | 3 - roles/mysql_server_mariadb/defaults/main.yml | 2 - roles/nginx/meta/main.yml | 3 - roles/ossec/files/ossec-watchdog-cron | 1 - roles/python_boto/README.md | 14 --- roles/python_boto/defaults/main.yml | 2 - roles/python_boto/meta/main.yml | 3 - roles/python_boto/tasks/main.yml | 30 ------ roles/python_pip/README.md | 32 ------ roles/python_pip/defaults/main.yml | 17 --- roles/python_pip/tasks/10.yml | 50 --------- roles/python_pip/tasks/11.yml | 50 --------- roles/python_pip/tasks/12.yml | 11 -- roles/python_pip/tasks/main.yml | 3 - 446 files changed, 733 insertions(+), 870 deletions(-) create mode 100644 .github/workflows/ce-provision-build-docs.yml delete mode 100644 docs/roles/ansible.md create mode 100644 docs/roles/contrib.md create mode 100644 docs/roles/contrib/systemd_timers.md create mode 100644 docs/roles/debian/ansible.md rename docs/roles/{ => debian}/apache.md (100%) rename docs/roles/{ => debian}/apt_extra_packages.md (100%) rename docs/roles/{ => debian}/apt_unattended_upgrades.md (100%) rename docs/roles/{aws => debian}/aws_cli.md (100%) rename docs/roles/{ => debian}/aws_cloudwatch_agent.md (100%) rename docs/roles/{aws => debian}/aws_efs_client.md (100%) rename docs/roles/{ => debian}/aws_ssm_agent.md (100%) rename docs/roles/{ => debian}/ce_deploy.md (71%) rename docs/roles/{ => debian}/ce_dev.md (100%) rename docs/roles/{ => debian}/ce_patcher.md (100%) rename docs/roles/{ => debian}/ce_provision.md (63%) rename docs/roles/{ => debian}/clamav.md (71%) rename docs/roles/{ => debian}/firewall_config.md (100%) rename docs/roles/{ => debian}/frontail.md (100%) rename docs/roles/{ => debian}/gitlab.md (100%) rename docs/roles/{ => 
debian}/gitlab_runner.md (100%) rename docs/roles/{ => debian}/gpg_key.md (100%) rename docs/roles/{ => debian}/haproxy.md (100%) rename docs/roles/{ => debian}/hosts.md (100%) rename docs/roles/{ => debian}/jenkins.md (81%) rename docs/roles/{ => debian}/jitsi.md (100%) rename docs/roles/{ => debian}/ldap_server.md (97%) rename docs/roles/{ => debian}/lhci.md (100%) rename docs/roles/{ => debian}/mount_sync.md (100%) rename docs/roles/{ => debian}/mysql_client.md (100%) rename docs/roles/{ => debian}/mysql_server_oracle_ce.md (100%) rename docs/roles/{ => debian}/nginx.md (100%) rename docs/roles/{ => debian}/nodejs.md (100%) rename docs/roles/{ => debian}/openvpn_config.md (100%) rename docs/roles/{ => debian}/ossec.md (100%) rename docs/roles/{ => debian}/packer.md (100%) rename docs/roles/{ => debian}/php_composer.md (100%) rename docs/roles/{ => debian}/php_xdebug.md (100%) rename docs/roles/{ => debian}/postfix.md (100%) rename docs/roles/{ => debian}/process_manager.md (100%) create mode 100644 docs/roles/debian/python_boto.md create mode 100644 docs/roles/debian/python_common.md rename docs/roles/{ => debian}/rkhunter.md (100%) rename docs/roles/{ => debian}/rsyslog.md (100%) rename docs/roles/{ => debian}/solr.md (100%) rename docs/roles/{ => debian}/ssh_server.md (100%) rename docs/roles/{ => debian}/ssl.md (92%) rename docs/roles/{ => debian}/sudo_config.md (100%) rename docs/roles/{ => debian}/varnish_config.md (100%) rename docs/roles/{ => debian}/wazuh.md (97%) delete mode 100644 docs/roles/python_boto.md delete mode 100644 docs/roles/python_pip.md delete mode 100644 roles/ansible/README.md delete mode 100644 roles/ansible/defaults/main.yml delete mode 100644 roles/ansible/tasks/10.yml delete mode 100644 roles/ansible/tasks/11.yml delete mode 100644 roles/ansible/tasks/12.yml delete mode 100644 roles/ansible/tasks/main.yml delete mode 100644 roles/ce_deploy/meta/main.yml delete mode 100644 roles/ce_provision/meta/main.yml delete mode 100644 
roles/clamav/tasks/main.yml create mode 100644 roles/contrib/README.md create mode 100644 roles/debian/ansible/README.md create mode 100644 roles/debian/ansible/defaults/main.yml create mode 100644 roles/debian/ansible/tasks/main.yml rename roles/{ => debian}/apache/README.md (100%) rename roles/{ => debian}/apache/defaults/main.yml (100%) rename roles/{ => debian}/apache/tasks/domain.yml (100%) rename roles/{ => debian}/apache/tasks/main.yml (100%) rename roles/{ => debian}/apache/templates/_common.conf.j2 (100%) rename roles/{ => debian}/apache/templates/apache2.conf.j2 (100%) rename roles/{ => debian}/apache/templates/cloudwatch-main.json.j2 (100%) rename roles/{ => debian}/apache/templates/cloudwatch-vhost.json.j2 (100%) rename roles/{ => debian}/apache/templates/drupal7.conf.j2 (100%) rename roles/{ => debian}/apache/templates/flat.conf.j2 (100%) rename roles/{ => debian}/apache/templates/nagios.conf.j2 (100%) rename roles/{ => debian}/apache/templates/php-fpm.conf.j2 (100%) rename roles/{ => debian}/apache/templates/vhosts.j2 (100%) rename roles/{ => debian}/apt_extra_packages/README.md (100%) rename roles/{ => debian}/apt_extra_packages/defaults/main.yml (100%) rename roles/{ => debian}/apt_extra_packages/tasks/main.yml (100%) rename roles/{ => debian}/apt_unattended_upgrades/README.md (100%) rename roles/{ => debian}/apt_unattended_upgrades/defaults/main.yml (100%) rename roles/{ => debian}/apt_unattended_upgrades/tasks/main.yml (100%) rename roles/{ => debian}/apt_unattended_upgrades/templates/20auto-upgrades.j2 (100%) rename roles/{ => debian}/apt_unattended_upgrades/templates/50unattended-upgrades.j2 (100%) rename roles/{aws => debian}/aws_cli/README.md (100%) rename roles/{aws => debian}/aws_cli/defaults/main.yml (100%) rename roles/{aws => debian}/aws_cli/tasks/main.yml (100%) rename roles/{ => debian}/aws_cloudwatch_agent/README.md (100%) rename roles/{ => debian}/aws_cloudwatch_agent/defaults/main.yml (100%) rename roles/{ => 
debian}/aws_cloudwatch_agent/tasks/main.yml (100%) rename roles/{ => debian}/aws_cloudwatch_agent/templates/config.json.j2 (100%) rename roles/{ => debian}/aws_cloudwatch_agent/templates/credentials.j2 (100%) rename roles/{aws => debian}/aws_efs_client/README.md (100%) rename roles/{aws => debian}/aws_efs_client/defaults/main.yml (100%) rename roles/{aws => debian}/aws_efs_client/tasks/fstab.yml (100%) rename roles/{aws => debian}/aws_efs_client/tasks/main.yml (100%) rename roles/{aws => debian}/aws_efs_client/templates/init.sh.j2 (100%) rename roles/{ => debian}/aws_ssm_agent/README.md (100%) rename roles/{ => debian}/aws_ssm_agent/defaults/main.yml (100%) rename roles/{ => debian}/aws_ssm_agent/tasks/main.yml (100%) rename roles/{ => debian}/ce_deploy/README.md (71%) rename roles/{ => debian}/ce_deploy/ansible.cfg (100%) rename roles/{ => debian}/ce_deploy/defaults/main.yml (68%) create mode 100644 roles/debian/ce_deploy/meta/main.yml rename roles/{ => debian}/ce_deploy/meta/requirements-10.yml (100%) rename roles/{ => debian}/ce_deploy/meta/requirements-11.yml (100%) rename roles/{ => debian}/ce_deploy/meta/requirements-12.yml (100%) rename roles/{ => debian}/ce_deploy/tasks/main.yml (72%) rename roles/{ => debian}/ce_dev/README.md (100%) rename roles/{ => debian}/ce_dev/tasks/main.yml (100%) rename roles/{ => debian}/ce_patcher/README.md (100%) rename roles/{ => debian}/ce_patcher/defaults/main.yml (100%) rename roles/{ => debian}/ce_patcher/tasks/main.yml (100%) rename roles/{ => debian}/ce_provision/README.md (63%) rename roles/{ => debian}/ce_provision/ansible.cfg (100%) rename roles/{ => debian}/ce_provision/defaults/main.yml (60%) create mode 100644 roles/debian/ce_provision/meta/main.yml rename roles/{ => debian}/ce_provision/meta/requirements-10.yml (100%) rename roles/{ => debian}/ce_provision/meta/requirements-11.yml (100%) rename roles/{ => debian}/ce_provision/meta/requirements-12.yml (100%) rename roles/{ => debian}/ce_provision/tasks/main.yml (64%) 
rename roles/{ => debian}/clamav/README.md (71%) rename roles/{ => debian}/clamav/defaults/main.yml (73%) rename roles/{ => debian}/clamav/meta/main.yml (100%) create mode 100644 roles/debian/clamav/tasks/main.yml rename roles/{ => debian}/clamav/templates/clamscan.j2 (100%) rename roles/{ => debian}/docker_ce/tasks/main.yml (100%) rename roles/{ => debian}/docker_compose/defaults/main.yml (100%) rename roles/{ => debian}/docker_compose/meta/main.yml (100%) rename roles/{ => debian}/docker_compose/tasks/main.yml (100%) rename roles/{ => debian}/docker_registry/defaults/main.yml (100%) rename roles/{ => debian}/docker_registry/meta/main.yml (100%) rename roles/{ => debian}/docker_registry/tasks/main.yml (100%) rename roles/{ => debian}/docker_registry/templates/docker-compose.yml.j2 (100%) rename roles/{ => debian}/duplicity/defaults/main.yml (69%) rename roles/{ => debian}/duplicity/meta/main.yml (100%) rename roles/{ => debian}/duplicity/tasks/main.yml (81%) rename roles/{ => debian}/duplicity/templates/duplicity_backup.j2 (100%) rename roles/{ => debian}/duplicity/templates/duplicity_clean.j2 (100%) rename roles/{ => debian}/duplicity/templates/duplicity_restore.j2 (100%) rename roles/{ => debian}/duplicity/templates/include-exclude-filelist.j2 (100%) rename roles/{ => debian}/firewall_config/README.md (100%) rename roles/{ => debian}/firewall_config/defaults/main.yml (100%) rename roles/{ => debian}/firewall_config/tasks/main.yml (100%) rename roles/{ => debian}/frontail/README.md (100%) rename roles/{ => debian}/frontail/defaults/main.yml (100%) rename roles/{ => debian}/frontail/meta/main.yml (100%) rename roles/{ => debian}/frontail/tasks/main.yml (100%) rename roles/{ => debian}/frontail/templates/frontail.service.j2 (100%) rename roles/{ => debian}/gitlab/README.md (100%) rename roles/{ => debian}/gitlab/defaults/main.yml (100%) rename roles/{ => debian}/gitlab/meta/main.yml (100%) rename roles/{ => debian}/gitlab/tasks/main.yml (100%) rename roles/{ => 
debian}/gitlab/templates/docker-init.sh.j2 (100%) rename roles/{ => debian}/gitlab/templates/gitlab-config.rb.j2 (100%) rename roles/{ => debian}/gitlab/templates/gitlab.rb.j2 (100%) rename roles/{ => debian}/gitlab_runner/README.md (100%) rename roles/{ => debian}/gitlab_runner/defaults/main.yml (100%) rename roles/{ => debian}/gitlab_runner/meta/main.yml (100%) rename roles/{ => debian}/gitlab_runner/tasks/main.yml (100%) rename roles/{ => debian}/gitlab_runner/templates/fargate.toml.j2 (100%) rename roles/{ => debian}/gitlab_runner/templates/override.conf.j2 (100%) rename roles/{ => debian}/gpg_key/README.md (100%) rename roles/{ => debian}/gpg_key/defaults/main.yml (100%) rename roles/{ => debian}/gpg_key/tasks/gpg.yml (100%) rename roles/{ => debian}/gpg_key/tasks/main.yml (100%) rename roles/{ => debian}/gpg_key/templates/gpg.j2 (100%) rename roles/{ => debian}/haproxy/README.md (100%) rename roles/{ => debian}/haproxy/defaults/main.yml (100%) rename roles/{ => debian}/haproxy/tasks/main.yml (100%) rename roles/{ => debian}/haproxy/templates/haproxy-ssl-passthru.cfg.j2 (100%) rename roles/{ => debian}/haproxy/templates/haproxy-ssl-terminate.cfg.j2 (100%) rename roles/{ => debian}/haproxy/templates/startup.sh.j2 (100%) rename roles/{ => debian}/hosts/README.md (100%) rename roles/{ => debian}/hosts/defaults/main.yml (100%) rename roles/{ => debian}/hosts/handlers/main.yml (100%) rename roles/{ => debian}/hosts/tasks/main.yml (100%) rename roles/{ => debian}/hosts/templates/etc_hosts.j2 (100%) rename roles/{ => debian}/hosts/templates/hostname.j2 (100%) rename roles/{ => debian}/hosts/vars/main.yml (100%) rename roles/{ => debian}/jenkins/README.md (81%) rename roles/{ => debian}/jenkins/defaults/main.yml (79%) rename roles/{ => debian}/jenkins/handlers/main.yml (100%) rename roles/{ => debian}/jenkins/meta/main.yml (100%) rename roles/{ => debian}/jenkins/tasks/main.yml (90%) rename roles/{ => debian}/jenkins/templates/basic-security.groovy.j2 (100%) rename 
roles/{ => debian}/jenkins/templates/jenkins-cert-renewal.sh.j2 (100%) rename roles/{ => debian}/jenkins/templates/jenkins.j2 (100%) rename roles/{ => debian}/jitsi/README.md (100%) rename roles/{ => debian}/jitsi/defaults/main.yml (100%) rename roles/{ => debian}/jitsi/tasks/main.yml (100%) rename roles/{ => debian}/ldap_server/README.md (97%) rename roles/{ => debian}/ldap_server/defaults/main.yml (94%) create mode 100644 roles/debian/ldap_server/meta/main.yml rename roles/{ => debian}/ldap_server/tasks/main.yml (90%) rename roles/{ => debian}/ldap_server/tasks/replication.yml (100%) rename roles/{ => debian}/ldap_server/templates/slap-bak.j2 (100%) rename roles/{ => debian}/ldap_server/templates/slapd.j2 (100%) rename roles/{ => debian}/lhci/README.md (100%) rename roles/{ => debian}/lhci/defaults/main.yml (100%) rename roles/{ => debian}/lhci/meta/main.yml (100%) rename roles/{ => debian}/lhci/tasks/main.yml (100%) rename roles/{ => debian}/locales/defaults/main.yml (100%) rename roles/{ => debian}/locales/tasks/main.yml (100%) rename roles/{ => debian}/locales/templates/locale.gen.j2 (100%) rename roles/{ => debian}/locales/templates/locale.j2 (100%) rename roles/{ => debian}/memcached/defaults/main.yml (100%) rename roles/{ => debian}/memcached/tasks/main.yml (100%) rename roles/{ => debian}/memcached/templates/memcached.conf.j2 (100%) rename roles/{ => debian}/memcached/templates/startup.sh.j2 (100%) rename roles/{ => debian}/mount_sync/README.md (100%) rename roles/{ => debian}/mount_sync/defaults/main.yml (100%) rename roles/{ => debian}/mount_sync/meta/main.yml (100%) rename roles/{ => debian}/mount_sync/tasks/main.yml (100%) rename roles/{ => debian}/mount_sync/templates/init-squashfs.sh.j2 (100%) rename roles/{ => debian}/mount_sync/templates/init-tarballs.sh.j2 (100%) rename roles/{ => debian}/mysql_client/README.md (100%) rename roles/{ => debian}/mysql_client/defaults/main.yml (100%) create mode 100644 roles/debian/mysql_client/meta/main.yml rename 
roles/{ => debian}/mysql_client/tasks/main.yml (100%) rename roles/{ => debian}/mysql_client/templates/mysql.creds.j2 (100%) rename roles/{mysql_server_oracle_ce => debian/mysql_server_mariadb}/defaults/main.yml (100%) rename roles/{ => debian}/mysql_server_mariadb/tasks/main.yml (100%) rename roles/{ => debian}/mysql_server_mariadb/templates/mysql_dev.cnf.j2 (100%) rename roles/{ => debian}/mysql_server_oracle_ce/README.md (100%) create mode 100644 roles/debian/mysql_server_oracle_ce/defaults/main.yml rename roles/{ => debian}/mysql_server_oracle_ce/tasks/main.yml (100%) rename roles/{ => debian}/mysql_server_oracle_ce/templates/mysql.pref.j2 (100%) rename roles/{ => debian}/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 (100%) rename roles/{ => debian}/mysql_server_oracle_ce/templates/startup.sh.j2 (100%) rename roles/{ => debian}/nginx/README.md (100%) rename roles/{ => debian}/nginx/defaults/main.yml (100%) create mode 100644 roles/debian/nginx/meta/main.yml rename roles/{ => debian}/nginx/tasks/domain.yml (100%) rename roles/{ => debian}/nginx/tasks/main.yml (100%) rename roles/{ => debian}/nginx/templates/_common.j2 (100%) rename roles/{ => debian}/nginx/templates/cloudwatch-main.json.j2 (100%) rename roles/{ => debian}/nginx/templates/cloudwatch-vhost.json.j2 (100%) rename roles/{ => debian}/nginx/templates/custom.j2 (100%) rename roles/{ => debian}/nginx/templates/docker_registry.j2 (100%) rename roles/{ => debian}/nginx/templates/drupal10.j2 (100%) rename roles/{ => debian}/nginx/templates/drupal7.j2 (100%) rename roles/{ => debian}/nginx/templates/drupal8.j2 (100%) rename roles/{ => debian}/nginx/templates/drupal_common.j2 (100%) rename roles/{ => debian}/nginx/templates/flat.j2 (100%) rename roles/{ => debian}/nginx/templates/maintenance-vhosts.j2 (100%) rename roles/{ => debian}/nginx/templates/maintenance.html.j2 (100%) rename roles/{ => debian}/nginx/templates/matomo.j2 (100%) rename roles/{ => debian}/nginx/templates/mautic.j2 (100%) rename 
roles/{ => debian}/nginx/templates/nginx.conf.j2 (100%) rename roles/{ => debian}/nginx/templates/proxy.j2 (100%) rename roles/{ => debian}/nginx/templates/simplesamlphp.j2 (100%) rename roles/{ => debian}/nginx/templates/symfony3.j2 (100%) rename roles/{ => debian}/nginx/templates/symfony4.j2 (100%) rename roles/{ => debian}/nginx/templates/vhost_letsencrypt.j2 (100%) rename roles/{ => debian}/nginx/templates/vhosts.j2 (100%) rename roles/{ => debian}/nginx/templates/wordpress.j2 (100%) rename roles/{ => debian}/nodejs/README.md (100%) rename roles/{ => debian}/nodejs/defaults/main.yml (100%) rename roles/{ => debian}/nodejs/meta/main.yml (100%) rename roles/{ => debian}/nodejs/tasks/main.yml (100%) rename roles/{ => debian}/nodejs/templates/nodesource.pref.j2 (100%) rename roles/{ => debian}/openjdk/defaults/main.yml (100%) rename roles/{ => debian}/openjdk/tasks/main.yml (100%) rename roles/{ => debian}/openvpn_config/README.md (100%) rename roles/{ => debian}/openvpn_config/defaults/main.yml (100%) rename roles/{ => debian}/openvpn_config/tasks/main.yml (100%) rename roles/{ => debian}/openvpn_config/templates/auth-ldap.conf.j2 (100%) rename roles/{ => debian}/openvpn_config/templates/openvpn.j2 (100%) rename roles/{ => debian}/openvpn_config/templates/vars.j2 (100%) rename roles/{ => debian}/ossec/README.md (100%) rename roles/{ => debian}/ossec/defaults/main.yml (100%) rename roles/{ => debian}/ossec/files/local_rules.xml (100%) rename roles/{ => debian}/ossec/files/ossec-client-logrotate (100%) rename roles/{ => debian}/ossec/handlers/main.yml (100%) rename roles/{ => debian}/ossec/tasks/main.yml (100%) rename roles/{ => debian}/ossec/tasks/ossec-client.yml (100%) rename roles/{ => debian}/ossec/tasks/ossec-server.yml (71%) rename roles/{ => debian}/ossec/templates/authd.pass.j2 (100%) rename roles/{ => debian}/ossec/templates/ossec.conf.j2 (100%) rename roles/{ => debian}/ossec/templates/ossec_watchdog.j2 (100%) rename roles/{ => debian}/packer/README.md 
(100%) rename roles/{ => debian}/packer/defaults/main.yml (100%) rename roles/{ => debian}/packer/tasks/main.yml (100%) rename roles/{ => debian}/pam_ldap/defaults/main.yml (100%) rename roles/{ => debian}/pam_ldap/files/common-account (100%) rename roles/{ => debian}/pam_ldap/files/common-auth (100%) rename roles/{ => debian}/pam_ldap/files/common-password (100%) rename roles/{ => debian}/pam_ldap/files/common-session (100%) rename roles/{ => debian}/pam_ldap/files/common-session-noninteractive (100%) rename roles/{ => debian}/pam_ldap/tasks/main.yml (100%) rename roles/{ => debian}/pam_ldap/templates/ldap-bindpw.j2 (100%) rename roles/{ => debian}/pam_ldap/templates/ldap.conf.j2 (100%) rename roles/{ => debian}/pam_ldap/templates/nslcd.conf.j2 (100%) rename roles/{ => debian}/pam_ldap/templates/nsswitch.conf.j2 (100%) rename roles/{ => debian}/pam_ldap/templates/ssh-getkey-ldap-wrapper.sh.j2 (100%) rename roles/{ => debian}/pam_ldap/templates/sudo-ldap.conf.j2 (100%) rename roles/{ => debian}/pam_linotp/defaults/main.yml (100%) rename roles/{ => debian}/pam_linotp/tasks/main.yml (100%) rename roles/{ => debian}/pam_linotp/templates/common-linotp.j2 (100%) rename roles/{ => debian}/php-cli/defaults/main.yml (100%) rename roles/{ => debian}/php-cli/meta/main.yml (100%) rename roles/{ => debian}/php-cli/tasks/main.yml (100%) rename roles/{ => debian}/php-cli/templates/php.cli.ini.j2 (100%) rename roles/{ => debian}/php-common/defaults/main.yml (100%) rename roles/{ => debian}/php-common/meta/main.yml (100%) rename roles/{ => debian}/php-common/tasks/main.yml (100%) rename roles/{ => debian}/php-common/templates/sury.pref.j2 (100%) rename roles/{ => debian}/php-fpm/defaults/main.yml (100%) rename roles/{ => debian}/php-fpm/meta/main.yml (100%) rename roles/{ => debian}/php-fpm/tasks/main.yml (100%) rename roles/{ => debian}/php-fpm/templates/php.fpm.ini.j2 (100%) rename roles/{ => debian}/php-fpm/templates/www.conf.j2 (100%) rename roles/{ => 
debian}/php-imagick/tasks/main.yml (100%) rename roles/{ => debian}/php_blackfire/defaults/main.yml (100%) rename roles/{ => debian}/php_blackfire/tasks/main.yml (100%) rename roles/{ => debian}/php_blackfire/templates/agent.j2 (100%) rename roles/{ => debian}/php_blackfire/templates/blackfire.ini.j2 (100%) rename roles/{ => debian}/php_blackfire/templates/startup.sh.j2 (100%) rename roles/{ => debian}/php_composer/README.md (100%) rename roles/{ => debian}/php_composer/defaults/main.yml (100%) rename roles/{ => debian}/php_composer/meta/main.yml (100%) rename roles/{ => debian}/php_composer/tasks/main.yml (100%) rename roles/{ => debian}/php_xdebug/README.md (100%) rename roles/{ => debian}/php_xdebug/defaults/main.yml (100%) rename roles/{ => debian}/php_xdebug/tasks/main.yml (100%) rename roles/{ => debian}/php_xdebug/templates/30-xdebug-dev.ini.j2 (100%) rename roles/{ => debian}/postfix/README.md (100%) rename roles/{ => debian}/postfix/defaults/main.yml (100%) rename roles/{ => debian}/postfix/files/master.cf (100%) rename roles/{ => debian}/postfix/handlers/main.yml (100%) rename roles/{ => debian}/postfix/tasks/main.yml (100%) rename roles/{ => debian}/postfix/templates/mailname.j2 (100%) rename roles/{ => debian}/postfix/templates/main.cf.j2 (100%) rename roles/{ => debian}/postfix/templates/procmailrc_host.j2 (100%) rename roles/{ => debian}/postfix/templates/procmailrc_null.j2 (100%) rename roles/{ => debian}/postfix/templates/sasl_passwd.j2 (100%) rename roles/{ => debian}/postfix/templates/transport.j2 (100%) rename roles/{ => debian}/postfix/templates/virtual.j2 (100%) rename roles/{ => debian}/process_manager/README.md (100%) rename roles/{ => debian}/process_manager/defaults/main.yml (100%) rename roles/{ => debian}/process_manager/tasks/main.yml (100%) rename roles/{ => debian}/process_manager/tasks/stop.yml (100%) create mode 100644 roles/debian/python_boto/README.md create mode 100644 roles/debian/python_boto/defaults/main.yml create mode 100644 
roles/debian/python_boto/meta/main.yml create mode 100644 roles/debian/python_boto/tasks/main.yml create mode 100644 roles/debian/python_common/README.md create mode 100644 roles/debian/python_common/defaults/main.yml create mode 100644 roles/debian/python_common/tasks/main.yml rename roles/{ => debian}/redis/defaults/main.yml (100%) rename roles/{ => debian}/redis/tasks/main.yml (100%) rename roles/{ => debian}/redis/templates/dotdeb.pref.j2 (100%) rename roles/{ => debian}/redis/templates/redis.conf.j2 (100%) rename roles/{ => debian}/redis/templates/redis.sysctl.j2 (100%) rename roles/{ => debian}/redis/templates/startup.sh.j2 (100%) rename roles/{ => debian}/rkhunter/README.md (100%) rename roles/{ => debian}/rkhunter/defaults/main.yml (100%) rename roles/{ => debian}/rkhunter/handlers/main.yml (100%) rename roles/{ => debian}/rkhunter/tasks/main.yml (100%) rename roles/{ => debian}/rkhunter/templates/rkhunter.conf.j2 (100%) rename roles/{ => debian}/rkhunter/templates/rkhunter.default.j2 (100%) rename roles/{ => debian}/rsyslog/README.md (100%) rename roles/{ => debian}/rsyslog/defaults/main.yml (100%) rename roles/{ => debian}/rsyslog/tasks/main.yml (100%) rename roles/{ => debian}/rsyslog/templates/rsyslog.client.conf.j2 (100%) rename roles/{ => debian}/rsyslog/templates/rsyslog.server.conf.j2 (100%) rename roles/{ => debian}/selenium/defaults/main.yml (100%) rename roles/{ => debian}/selenium/meta/main.yml (100%) rename roles/{ => debian}/selenium/tasks/main.yml (100%) rename roles/{ => debian}/selenium/templates/selenium-daemon-start-VNC.j2 (100%) rename roles/{ => debian}/selenium/templates/selenium-daemon-start-XVFB.j2 (100%) rename roles/{ => debian}/selenium/templates/selenium-daemon-stop.j2 (100%) rename roles/{ => debian}/selenium/templates/selenium.init.j2 (100%) rename roles/{ => debian}/selenium/templates/startup.sh.j2 (100%) rename roles/{ => debian}/selenium/templates/xstartup.j2 (100%) rename roles/{ => debian}/solr/README.md (100%) rename 
roles/{ => debian}/sops/defaults/main.yml (100%) rename roles/{ => debian}/sops/tasks/main.yml (100%) rename roles/{ => debian}/squashfs/meta/main.yml (100%) rename roles/{ => debian}/squashfs/tasks/main.yml (100%) rename roles/{ => debian}/ssh_server/README.md (100%) rename roles/{ => debian}/ssh_server/defaults/main.yml (100%) rename roles/{ => debian}/ssh_server/tasks/main.yml (100%) rename roles/{ => debian}/ssh_server/templates/group_block.j2 (100%) rename roles/{ => debian}/ssh_server/templates/sshd_config.j2 (100%) rename roles/{ => debian}/ssh_server/templates/user_block.j2 (100%) rename roles/{ => debian}/ssl/README.md (92%) rename roles/{ => debian}/ssl/defaults/main.yml (86%) rename roles/{ => debian}/ssl/tasks/copy.yml (100%) rename roles/{ => debian}/ssl/tasks/generate.yml (100%) rename roles/{ => debian}/ssl/tasks/letsencrypt.yml (79%) rename roles/{ => debian}/ssl/tasks/main.yml (100%) rename roles/{ => debian}/ssl/tasks/manual.yml (100%) rename roles/{ => debian}/ssl/tasks/selfsigned.yml (100%) rename roles/{ => debian}/ssl/tasks/unmanaged.yml (100%) rename roles/{ => debian}/ssl/templates/le_cron.sh.j2 (100%) rename roles/{ => debian}/sudo_config/README.md (100%) rename roles/{ => debian}/sudo_config/defaults/main.yml (100%) rename roles/{ => debian}/sudo_config/tasks/main.yml (100%) rename roles/{ => debian}/sudo_config/templates/sudoer.j2 (100%) rename roles/{ => debian}/terraform/defaults/main.yml (100%) rename roles/{ => debian}/terraform/tasks/main.yml (100%) rename roles/{ => debian}/user_ansible/defaults/main.yml (100%) rename roles/{ => debian}/user_ansible/tasks/main.yml (100%) rename roles/{ => debian}/user_deploy/defaults/main.yml (100%) rename roles/{ => debian}/user_deploy/tasks/main.yml (100%) rename roles/{ => debian}/user_provision/defaults/main.yml (100%) rename roles/{ => debian}/user_provision/tasks/main.yml (100%) rename roles/{ => debian}/user_root/defaults/main.yml (100%) rename roles/{ => debian}/user_root/tasks/main.yml 
(100%) rename roles/{ => debian}/vagrant/defaults/main.yml (100%) rename roles/{ => debian}/vagrant/tasks/main.yml (100%) rename roles/{ => debian}/varnish_config/README.md (100%) rename roles/{ => debian}/varnish_config/defaults/main.yml (100%) rename roles/{ => debian}/varnish_config/meta/main.yml (100%) rename roles/{ => debian}/varnish_config/tasks/main.yml (100%) rename roles/{ => debian}/varnish_config/templates/default.vcl.j2 (100%) rename roles/{ => debian}/wazuh/README.md (97%) rename roles/{ => debian}/wazuh/defaults/main.yml (96%) rename roles/{ => debian}/wazuh/tasks/main.yml (86%) delete mode 100644 roles/duplicity/templates/duplicity-cron.j2 delete mode 100644 roles/ldap_server/meta/main.yml delete mode 100644 roles/mysql_client/meta/main.yml delete mode 100644 roles/mysql_server_mariadb/defaults/main.yml delete mode 100644 roles/nginx/meta/main.yml delete mode 100644 roles/ossec/files/ossec-watchdog-cron delete mode 100644 roles/python_boto/README.md delete mode 100644 roles/python_boto/defaults/main.yml delete mode 100644 roles/python_boto/meta/main.yml delete mode 100644 roles/python_boto/tasks/main.yml delete mode 100644 roles/python_pip/README.md delete mode 100644 roles/python_pip/defaults/main.yml delete mode 100644 roles/python_pip/tasks/10.yml delete mode 100644 roles/python_pip/tasks/11.yml delete mode 100644 roles/python_pip/tasks/12.yml delete mode 100644 roles/python_pip/tasks/main.yml diff --git a/.github/workflows/ce-provision-build-docs.yml b/.github/workflows/ce-provision-build-docs.yml new file mode 100644 index 000000000..fc7286a73 --- /dev/null +++ b/.github/workflows/ce-provision-build-docs.yml 
@@ -0,0 +1,52 @@ +name: Build docs + +# Run this workflow every time a new commit pushed to your repository +on: pull_request + +jobs: + # Set the job key. The key is displayed as the job name + # when a job name is not provided + build-docs: + # Name the Job + name: Build the documentation + # Set the type of machine to run on + runs-on: ubuntu-20.04 + + steps: + # Checks out a copy of your repository on the ubuntu-latest machine + - name: Checkout code + if: ${{ github.event.pull_request.head.ref != 'documentation' }} + uses: actions/checkout@v2 + with: + fetch-depth: 0 + + # Configures global Git variables for committing + - name: Configure Git + run: | + git config --global user.email "sysadm@codeenigma.com" + git config --global user.name "Code Enigma CI" + git config --global pull.rebase false + + # Builds the docs + - name: Build documentation + if: ${{ github.event.pull_request.head.ref != 'documentation' && github.event.pull_request.base.ref == '1.x' }} + run: | + git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} + git fetch + /bin/sh ./contribute/toc.sh + find . -name "*.md" | xargs git add + git diff --quiet && git diff --staged --quiet || git commit -am 'GitHub Actions - Rebuilt documentation.' + git pull origin documentation + git push origin HEAD:documentation + shell: bash + + # Create docs pull request + - name: Create a documentation pull request + if: ${{ github.event.pull_request.head.ref != 'documentation' && github.event.pull_request.base.ref == '1.x' }} + uses: repo-sync/pull-request@v2 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + source_branch: documentation + destination_branch: ${{ github.event.pull_request.base.ref }} + pr_title: Documentation update. + pr_body: "**Automated pull request** created by GitHub Actions because of a documentation update." diff --git a/.gitignore b/.gitignore index e7f2aff69..46227c0b2 100644 --- a/.gitignore +++ b/.gitignore 
@@ -13,3 +13,6 @@ /ce-dev/ansible/vars/_common/*_exporter.yml /test.yml /ce-dev/ansible/plays/provision-target/indexer +/roles/contrib/* +/roles/ce_provision +!/roles/contrib/README.md diff --git a/ce-dev/README.md b/ce-dev/README.md index 3fc0e278f..c76e93673 100644 --- a/ce-dev/README.md +++ b/ce-dev/README.md 
@@ -57,12 +57,14 @@ You need to ensure this exists and the correct IP addresses are defined (you can `ce-dev shell` -Select the `provision-controller` instance to connect to. From there, you can run a playbook to provision the provision-target server. There are two ways to run playbooks. +Select the `provision-controller` instance to connect to. From there, you can run a playbook to provision the provision-target server. But first you will need to create your playbooks and vars, these are deliberately excluded because they will necessarily change with what you are testing, but instructions and examples can be found in `ce-dev/ansible/plays/provision-target/README.md`. + +Once that's done, there are two ways to run playbooks: 1. From the **~/ce-provision** directory, run: - `ansible-playbook ce-dev/ansible/local/provision-target.yml` + `ansible-playbook ce-dev/ansible/plays/provision-target/provision-target.yml` -1. Use the `provision.sh` wrapper script. As you're working locally, you can use the `--workspace` argument: - `/bin/sh /home/ce-dev/ce-provision/scripts/provision.sh --repo unused --branch master --workspace /home/ce-dev/ce-provision --playbook ce-dev/ansible/local/provision-target.yml` +2. Use the `provision.sh` wrapper script. As you're working locally, you can use the `--workspace` argument: + `/bin/sh /home/ce-dev/ce-provision/scripts/provision.sh --repo unused --branch master --workspace /home/ce-dev/ce-provision --playbook ce-dev/ansible/plays/provision-target/provision-target.yml` The `--repo` and `--branch` arguments are still mandatory, but they won't be used because you're passing in the `--workspace` argument as well, so you can pass through any value for those two arguments. The `--workspace` and `--playbook` arguments **must** create an absolute path to the playbook that you want to run. diff --git a/ce-dev/ansible/vars/provision/ce_provision.yml b/ce-dev/ansible/vars/provision/ce_provision.yml index 6818f88bb..d2476fe0f 100644 
--- a/ce-dev/ansible/vars/provision/ce_provision.yml +++ b/ce-dev/ansible/vars/provision/ce_provision.yml @@ -2,7 +2,7 @@ ce_provision: username: "ce-dev" own_repository: "https://github.com/codeenigma/ce-provision.git" - own_repository_branch: "1.x" + own_repository_branch: "devel-2.x" own_repository_skip_checkout: true config_repository: "https://github.com/codeenigma/ce-dev-ce-provision-config.git" config_repository_branch: "1.x" diff --git a/ce-dev/ce-dev.compose.yml b/ce-dev/ce-dev.compose.yml index ccdb43a7f..78a4ac0f8 100644 --- a/ce-dev/ce-dev.compose.yml +++ b/ce-dev/ce-dev.compose.yml @@ -7,12 +7,12 @@ x-ce_dev: - ce-dev/ansible/setup.yml services: controller: - image: codeenigma/ce-dev-1.x + image: codeenigma/ce-dev-1.x:devel x-ce_dev: {} volumes: - ../:/home/ce-dev/ce-provision target: - image: codeenigma/ce-dev-1.x + image: codeenigma/ce-dev-1.x:devel x-ce_dev: host_aliases: - provision-target.local @@ -22,7 +22,7 @@ services: cap_add: - NET_ADMIN privileged: - image: codeenigma/ce-dev-1.x + image: codeenigma/ce-dev-1.x:devel x-ce_dev: host_aliases: - provision-privileged.local diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 7164f84be..079ae0cc1 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md 
@@ -3,23 +3,16 @@ - [Install](/install) - [Usage](/scripts) - [Roles](roles) - - [Ansible](/roles/ansible) - - [APACHE](/roles/apache) - - [Extra packages](/roles/apt_extra_packages) - - [APT Unattended Upgrades](/roles/apt_unattended_upgrades) - - [AWS Cloudwatch agent](/roles/aws_cloudwatch_agent) - [AWS Infrastructure](/roles/aws) - [AWS Certificate Manager](/roles/aws/aws_acm) - [AWS AMI](/roles/aws/aws_ami) - [AWS Backup](/roles/aws/aws_backup) - - [AWS CLI](/roles/aws/aws_cli) - [AWS CloudFront distribution](/roles/aws/aws_cloudfront_distribution) - [Cloudwatch log group](/roles/aws/aws_cloudwatch_log_group) - [Amazon credentials](/roles/aws/aws_credentials) - [Autoscale cluster](/roles/aws/aws_ec2_autoscale_cluster) - [EC2 CloudWatch Metric Alarm](/roles/aws/aws_ec2_metric_alarm) - [EC2 instance with EIP](/roles/aws/aws_ec2_with_eip) - - [EFS client](/roles/aws/aws_efs_client) - [AWS EFS](/roles/aws/aws_efs) - [AWS ElastiCache](/roles/aws/aws_elasticache) - [AWS IAM EC2](/roles/aws/aws_iam_role) 
@@ -33,48 +26,11 @@ - [VPC](/roles/aws/aws_vpc) - [Update main route for a given VPC](/roles/aws/aws_vpc_route) - [VPC](/roles/aws/aws_vpc_subnet) - - [AWS SSM agent](/roles/aws_ssm_agent) - - [ce-deploy](/roles/ce_deploy) - - [Extra packages](/roles/ce_dev) - - [Automated patching](/roles/ce_patcher) - - [ce-provision](/roles/ce_provision) - - [ClamAV](/roles/clamav) - - [Firewall Config](/roles/firewall_config) - - [Frontail](/roles/frontail) - - [Gitlab](/roles/gitlab) - - [Gitlab Runner](/roles/gitlab_runner) - - [GPG Key](/roles/gpg_key) - - [HA Proxy](/roles/haproxy) - - [Managed /etc/hosts](/roles/hosts) + - [Contributed roles](/roles/contrib) + - [ansible-systemd-timer](/roles/contrib/systemd_timers) - [Init role](/roles/_init) - - [Jenkins](/roles/jenkins) - - [Jitsi](/roles/jitsi) - - [LDAP Server](/roles/ldap_server) - - [LHCI](/roles/lhci) - ["Meta" roles that group individual roles together.](/roles/_meta) - [AWS account](/roles/_meta/aws_account) - [AWS client](/roles/_meta/aws_client_instance) - [AWS region](/roles/_meta/aws_region) - - [Mount sync](/roles/mount_sync) - - [MariaDB Client](/roles/mysql_client) - - [MySQL Server - Oracle Community Edition](/roles/mysql_server_oracle_ce) - - [NGINX](/roles/nginx) - - [NodeJS](/roles/nodejs) - - [OpenVPN Config](/roles/openvpn_config) - - [OSSEC](/roles/ossec) - [\_overrides.](/roles/_overrides) - - [Packer](/roles/packer) - - [PHP Composer](/roles/php_composer) - - [PHP XDebug](/roles/php_xdebug) - - [Postfix](/roles/postfix) - - [Process Manager](/roles/process_manager) - - [Python Boto](/roles/python_boto) - - [Python Pip](/roles/python_pip) - - [rkhunter](/roles/rkhunter) - - [Rsyslog](/roles/rsyslog) - - [solr](/roles/solr) - - [SSHD](/roles/ssh_server) - - [SSL](/roles/ssl) - - [sudo config](/roles/sudo_config) - - [varnish-config](/roles/varnish_config) - - [wazuh](/roles/wazuh) diff --git a/docs/roles/ansible.md b/docs/roles/ansible.md deleted file mode 100644 index 7ad8e9a9d..000000000 
--- a/docs/roles/ansible.md +++ /dev/null @@ -1,27 +0,0 @@ -# Ansible -(Re-)install Ansible from the official repository. - - - - - -## Default variables -```yaml ---- -ce_ansible: - upgrade: - enabled: true # create cron job to auto-upgrade Ansible - command: "/usr/bin/python -m pip install --upgrade ansible" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 10 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true - linters: - enabled: true # will not install linters if false, installing linters breaks cloud-init - -``` - - diff --git a/docs/roles/contrib.md b/docs/roles/contrib.md new file mode 100644 index 000000000..d76d0486f --- /dev/null +++ b/docs/roles/contrib.md @@ -0,0 +1,4 @@ +# Contributed roles +This is a space for ce-provision to clone roles we use into. It is specifically for roles not available via [Ansible Galaxy](https://galaxy.ansible.com), which is always the preferred route for including other roles. + +They will be installed from [the `ce_provision.contrib_roles` variable](https://github.com/codeenigma/ce-provision/blob/devel-2.x/roles/debian/ce_provision/defaults/main.yml#L27-L33). diff --git a/docs/roles/contrib/systemd_timers.md b/docs/roles/contrib/systemd_timers.md new file mode 100644 index 000000000..ce1e6efad --- /dev/null +++ b/docs/roles/contrib/systemd_timers.md 
@@ -0,0 +1,90 @@ +# ansible-systemd-timer + +## About +This roles enables you to create systemd timers which call scripts or execute commands. + +## Usage + +Define a variable ```timers```. This variable is a dictionary. Every key is a new timer. + +### Example + +Here is an example for my 1337 Telegram Bot. The Timer "calls" a script which sends the message "It's now 13:37" in one of my Telegram chats every day at 13:37 GMT o'Clock. + +``` +timers: + 1337TelegramBot: + timer_precommand: /bin/bash -c '! /usr/bin/systemctl is-active --quiet other-service.service' + timer_command: /home/telegrambot/sendMessage.pl + timer_user: telegrambot + timer_OnCalendar: "*-*-* 13:37:00 CET" + timer_AccuracySec: 5s +``` + +That's all the magic. + +### Existing variables per timer + +| Variable | Required | Default value / Explanation | +|----------|----------|------------------------------| +| timer_precommand | no | Pre-command before command | +| timer_command | yes | Which command or script to execute | +| timer_envfile | no | Add environment file | +| timer_user | no | Under which users the timer_command is executed. Default: root | +| timer_persistent | no | Takes a boolean argument. If true, the time when the service unit was last triggered is stored on disk. When the timer is activated, the service unit is triggered immediately if it would have been triggered at least once during the time when the timer was inactive. This is useful to catch up on missed runs of the service when the machine was off. Note that this setting only has an effect on timers configured with OnCalendar=. Defaults to false. 
[Source](https://www.freedesktop.org/software/systemd/man/systemd.timer.html) | +| timer_workingdir | no | Set [WorkingDirectory=](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#WorkingDirectory=) for the timer +| timer_OnActiveSec | no | Relative time after the timer unit was last activated | +| timer_OnBootSec | no | Relative time after the computer was booted | +| timer_OnStartupSec | no | Relative time after systemd was started | +| timer_OnUnitActiveSec | no | Relative time after the service unit was last activated | +| timer_OnUnitInactiveSec | no | Relative time after the service unit was last deactivated | +| timer_OnCalendar | no | Absolute time when to call activate the unit | +| timer_AccuracySec | no | Timer have a default accuracy of round about one minute. You can set the accuracy with this var. Default: 15s | + +You can chain every timer_On* variable. Example: + +``` +timers: + updateDNS: + timer_command: /home/dnsupdate/updateMe.pl + timer_user: dnsupdate + timer_OnStartupSec: 20s + timer_OnUnitActiveSec: 5m +``` + +The timer unit will be triggered 20 seconds after systemd was started and then every 5 minutes. + +More about timers: https://www.freedesktop.org/software/systemd/man/systemd.timer.html + +More about timespans: https://www.freedesktop.org/software/systemd/man/systemd.time.html + +### Existing variables globally, for the role +| Variable | Required | Default value / Explanation | +|----------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------| +| systemd_scope | no | Create system or user units. Default: `system`. | +| systemd_base_path | no | Where to generate the systemd unit files. Set this to e.g. `~/.config/systemd/user` when using *systemd_scope*=`user`. Default: `/etc/systemd/system`. | + +You can create user timers for non-root services in combination with `become_user: '{{ my_user }}'`. 
Example: +``` +systemd_base_path: ~/.config/systemd/user +systemd_scope: user +timers: + timer-one: + timer_command: ... + timer_OnCalendar: ... + timer_user: '{{ my_user }}' + ... +``` + +## Working with shell redirection + +Shell redirection does not work out of the box. You have to work around that by calling `sh` or `bash`. +This won't work: `echo hello > /var/log/hello.log` +This will work: `/usr/bin/bash -c \"echo hello > /var/log/hello.log\"` + +Tip: Always use full paths. To see where `sh` or `bash` is stored on your system you have to use `which`: + +``` +[root@pizza ~]# which bash +/usr/bin/bash +``` diff --git a/docs/roles/debian/ansible.md b/docs/roles/debian/ansible.md new file mode 100644 index 000000000..eb25ec512 --- /dev/null +++ b/docs/roles/debian/ansible.md @@ -0,0 +1,24 @@ +# Ansible +(Re-)install Ansible from the official repository. + + + + + +## Default variables +```yaml +--- +ce_ansible: + # These are usually set within another role using _venv_path and _venv_command but can be overridden. + #venv_path: "/home/{{ ce_provision.username }}/ansible" + #venv_command: /usr/bin/python3.11 -m venv + upgrade: + enabled: true # create systemd timer to auto-upgrade Ansible + command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too + on_calendar: "*-*-* 01:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + linters: + enabled: true # will not install linters if false, installing linters breaks cloud-init + +``` + + diff --git a/docs/roles/apache.md b/docs/roles/debian/apache.md similarity index 100% rename from docs/roles/apache.md rename to docs/roles/debian/apache.md diff --git a/docs/roles/apt_extra_packages.md b/docs/roles/debian/apt_extra_packages.md similarity index 100% rename from docs/roles/apt_extra_packages.md rename to docs/roles/debian/apt_extra_packages.md 
diff --git a/docs/roles/apt_unattended_upgrades.md b/docs/roles/debian/apt_unattended_upgrades.md similarity index 100% rename from docs/roles/apt_unattended_upgrades.md rename to docs/roles/debian/apt_unattended_upgrades.md diff --git a/docs/roles/aws/aws_cli.md b/docs/roles/debian/aws_cli.md similarity index 100% rename from docs/roles/aws/aws_cli.md rename to docs/roles/debian/aws_cli.md diff --git a/docs/roles/aws_cloudwatch_agent.md b/docs/roles/debian/aws_cloudwatch_agent.md similarity index 100% rename from docs/roles/aws_cloudwatch_agent.md rename to docs/roles/debian/aws_cloudwatch_agent.md diff --git a/docs/roles/aws/aws_efs_client.md b/docs/roles/debian/aws_efs_client.md similarity index 100% rename from docs/roles/aws/aws_efs_client.md rename to docs/roles/debian/aws_efs_client.md diff --git a/docs/roles/aws_ssm_agent.md b/docs/roles/debian/aws_ssm_agent.md similarity index 100% rename from docs/roles/aws_ssm_agent.md rename to docs/roles/debian/aws_ssm_agent.md diff --git a/docs/roles/ce_deploy.md b/docs/roles/debian/ce_deploy.md similarity index 71% rename from docs/roles/ce_deploy.md rename to docs/roles/debian/ce_deploy.md index 48c6fead5..f96ab5935 100644 --- a/docs/roles/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md @@ -11,6 +11,10 @@ _ce_deploy: username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: + # Location of Ansible installation and components. + venv_path: "/home/{{ _ce_deploy.username }}/ansible" + venv_command: /usr/bin/python3.11 -m venv + # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name username: "{{ _ce_deploy.username }}" 
@@ -27,14 +31,8 @@ ce_deploy: galaxy_custom_requirements_file: "/home/{{ _ce_deploy.username }}/ce-deploy/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/usr/local/bin/ansible-galaxy collection install --force" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 0 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true + command: "/home/{{ _ce_deploy.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + on_calendar: "Mon *-*-* 01:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/docs/roles/ce_dev.md b/docs/roles/debian/ce_dev.md similarity index 100% rename from docs/roles/ce_dev.md rename to docs/roles/debian/ce_dev.md diff --git a/docs/roles/ce_patcher.md b/docs/roles/debian/ce_patcher.md similarity index 100% rename from docs/roles/ce_patcher.md rename to docs/roles/debian/ce_patcher.md diff --git a/docs/roles/ce_provision.md b/docs/roles/debian/ce_provision.md similarity index 63% rename from docs/roles/ce_provision.md rename to docs/roles/debian/ce_provision.md index 9149ca698..f73428cbd 100644 --- a/docs/roles/ce_provision.md +++ b/docs/roles/debian/ce_provision.md @@ -12,6 +12,10 @@ _ce_provision: username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" ce_provision: + # Location of Ansible installation and components. + venv_path: "/home/{{ _ce_provision.username }}/ansible" + venv_command: /usr/bin/python3.11 -m venv + # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name 
@@ -27,20 +31,21 @@ ce_provision: config_repository_skip_checkout: false # List of additional groups to add the user to. groups: [] + # Roles downloaded from git repositories that are not available via Ansible Galaxy. + contrib_roles: + - directory: wazuh + repo: https://github.com/wazuh/wazuh-ansible.git + branch: stable + - directory: systemd_timers + repo: https://github.com/vlcty/ansible-systemd-timers.git + branch: master # File containing default roles and collections to install via Ansible Galaxy. # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_provision.username }}/ce-provision/config/files/galaxy-requirements.yml" - galaxy_roles_directory: "/home/{{ _ce_provision.username }}/.ansible/roles" upgrade_galaxy: enabled: true - command: "/usr/local/bin/ansible-galaxy collection install --force" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 0 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true + command: "/home/{{ _ce_provision.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/docs/roles/clamav.md b/docs/roles/debian/clamav.md similarity index 71% rename from docs/roles/clamav.md rename to docs/roles/debian/clamav.md index b7e26f3e4..81a888707 100644 --- a/docs/roles/clamav.md +++ b/docs/roles/debian/clamav.md 
@@ -1,7 +1,7 @@ # ClamAV This role provides a wrapper for [Jeff Geerling's Ansible role for ClamAV](https://github.com/geerlingguy/ansible-role-clamav). -This role optionally provides cron scripts for routine scanning if you are not running ClamAV in daemon mode. +This role optionally provides systemd timers for routine scanning if you are not running ClamAV in daemon mode. @@ -11,12 +11,9 @@ This role optionally provides cron scripts for routine scanning if you are not r ```yaml --- clamav: - provide_cron: false + create_timer: false server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. - cron_minute: "0" # Runs daily at midnight by default. - cron_hour: "0" - # cron_day: "*" - # cron_weekday: "0" # 0-6 for Sunday-Saturday + on_calendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events scripts_location: /usr/local/clamav/script log_location: /usr/local/clamav/log send_mail: false # Important: will not send any emails by default. diff --git a/docs/roles/firewall_config.md b/docs/roles/debian/firewall_config.md similarity index 100% rename from docs/roles/firewall_config.md rename to docs/roles/debian/firewall_config.md diff --git a/docs/roles/frontail.md b/docs/roles/debian/frontail.md similarity index 100% rename from docs/roles/frontail.md rename to docs/roles/debian/frontail.md diff --git a/docs/roles/gitlab.md b/docs/roles/debian/gitlab.md similarity index 100% rename from docs/roles/gitlab.md rename to docs/roles/debian/gitlab.md diff --git a/docs/roles/gitlab_runner.md b/docs/roles/debian/gitlab_runner.md similarity index 100% rename from docs/roles/gitlab_runner.md rename to docs/roles/debian/gitlab_runner.md diff --git a/docs/roles/gpg_key.md b/docs/roles/debian/gpg_key.md similarity index 100% rename from docs/roles/gpg_key.md rename to docs/roles/debian/gpg_key.md 
diff --git a/docs/roles/haproxy.md b/docs/roles/debian/haproxy.md similarity index 100% rename from docs/roles/haproxy.md rename to docs/roles/debian/haproxy.md diff --git a/docs/roles/hosts.md b/docs/roles/debian/hosts.md similarity index 100% rename from docs/roles/hosts.md rename to docs/roles/debian/hosts.md diff --git a/docs/roles/jenkins.md b/docs/roles/debian/jenkins.md similarity index 81% rename from docs/roles/jenkins.md rename to docs/roles/debian/jenkins.md index 64a10778e..c4bc917dc 100644 --- a/docs/roles/jenkins.md +++ b/docs/roles/debian/jenkins.md @@ -35,6 +35,8 @@ jenkins: ldap_binddn: "{{ ldap_client.binddn }}" ldap_bindpw: "{{ ldap_client.bindpw }}" mailto: "admins@example.com" + # daily key renewal execution with systemd timer + on_calendar: "*-*-* 02:15:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/docs/roles/jitsi.md b/docs/roles/debian/jitsi.md similarity index 100% rename from docs/roles/jitsi.md rename to docs/roles/debian/jitsi.md diff --git a/docs/roles/ldap_server.md b/docs/roles/debian/ldap_server.md similarity index 97% rename from docs/roles/ldap_server.md rename to docs/roles/debian/ldap_server.md index 970857bec..7fb78adfb 100644 --- a/docs/roles/ldap_server.md +++ b/docs/roles/debian/ldap_server.md @@ -82,8 +82,7 @@ ldap_server: purge: false backup: false # set to true to create local backups of LDAP backup_path: /opt/slap-bak - backup_minute: "45" - backup_hour: "23" + on_calendar: "*-*-* 23:45:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events # TLS settings in LDAP are not separately handled, you need to manually set it up or use the config import feature. # If you use 'manual' SSL handling you need to provide a separate CA certificate. # If you use 'letsencrypt' SSL handling then the LDAP TLS settings in your imported config should be as follows: 
diff --git a/docs/roles/lhci.md b/docs/roles/debian/lhci.md similarity index 100% rename from docs/roles/lhci.md rename to docs/roles/debian/lhci.md diff --git a/docs/roles/mount_sync.md b/docs/roles/debian/mount_sync.md similarity index 100% rename from docs/roles/mount_sync.md rename to docs/roles/debian/mount_sync.md diff --git a/docs/roles/mysql_client.md b/docs/roles/debian/mysql_client.md similarity index 100% rename from docs/roles/mysql_client.md rename to docs/roles/debian/mysql_client.md diff --git a/docs/roles/mysql_server_oracle_ce.md b/docs/roles/debian/mysql_server_oracle_ce.md similarity index 100% rename from docs/roles/mysql_server_oracle_ce.md rename to docs/roles/debian/mysql_server_oracle_ce.md diff --git a/docs/roles/nginx.md b/docs/roles/debian/nginx.md similarity index 100% rename from docs/roles/nginx.md rename to docs/roles/debian/nginx.md diff --git a/docs/roles/nodejs.md b/docs/roles/debian/nodejs.md similarity index 100% rename from docs/roles/nodejs.md rename to docs/roles/debian/nodejs.md diff --git a/docs/roles/openvpn_config.md b/docs/roles/debian/openvpn_config.md similarity index 100% rename from docs/roles/openvpn_config.md rename to docs/roles/debian/openvpn_config.md diff --git a/docs/roles/ossec.md b/docs/roles/debian/ossec.md similarity index 100% rename from docs/roles/ossec.md rename to docs/roles/debian/ossec.md diff --git a/docs/roles/packer.md b/docs/roles/debian/packer.md similarity index 100% rename from docs/roles/packer.md rename to docs/roles/debian/packer.md diff --git a/docs/roles/php_composer.md b/docs/roles/debian/php_composer.md similarity index 100% rename from docs/roles/php_composer.md rename to docs/roles/debian/php_composer.md diff --git a/docs/roles/php_xdebug.md b/docs/roles/debian/php_xdebug.md similarity index 100% rename from docs/roles/php_xdebug.md rename to docs/roles/debian/php_xdebug.md 
diff --git a/docs/roles/postfix.md b/docs/roles/debian/postfix.md similarity index 100% rename from docs/roles/postfix.md rename to docs/roles/debian/postfix.md diff --git a/docs/roles/process_manager.md b/docs/roles/debian/process_manager.md similarity index 100% rename from docs/roles/process_manager.md rename to docs/roles/debian/process_manager.md diff --git a/docs/roles/debian/python_boto.md b/docs/roles/debian/python_boto.md new file mode 100644 index 000000000..ee3e99a52 --- /dev/null +++ b/docs/roles/debian/python_boto.md @@ -0,0 +1,17 @@ +# Python Boto +Role to install the `boto3` library for Python integration with AWS services. + + + + + +## Default variables +```yaml +python_boto: + boto3_version: "" # version string, e.g. "1.22.13" - empty string means latest + # These are usually set within another role using _venv_path and _venv_command but can be overridden. + #venv_path: /path/to/venv + #venv_command: /usr/bin/python3.11 -m venv +``` + + diff --git a/docs/roles/debian/python_common.md b/docs/roles/debian/python_common.md new file mode 100644 index 000000000..2c9f384f9 --- /dev/null +++ b/docs/roles/debian/python_common.md @@ -0,0 +1,24 @@ +# Python Common +Packages required by all Python scripts and applications. + + + + + +## Default variables +```yaml +--- +python_common: + remove_packages: + - python-pip + - python3-yaml # linters need a newer version of PyYAML than the one that ships with Debian + - python-botocore + - python-urllib3 + install_packages: + - python3-distutils + - python3-venv + - python3-pip + - cloud-init # package can get removed with python3-yaml but we need it for auto-scale +``` + + diff --git a/docs/roles/rkhunter.md b/docs/roles/debian/rkhunter.md similarity index 100% rename from docs/roles/rkhunter.md rename to docs/roles/debian/rkhunter.md diff --git a/docs/roles/rsyslog.md b/docs/roles/debian/rsyslog.md similarity index 100% rename from docs/roles/rsyslog.md rename to docs/roles/debian/rsyslog.md 
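Review bot: in the new docs/roles/debian/python_common.md, `remove_packages` drops `python3-yaml` while `install_packages` adds `cloud-init` with the comment "package can get removed with python3-yaml but we need it for auto-scale"; since cloud-init depends on python3-yaml, the install step pulls the package straight back and the removal is a no-op. The stated reason ("linters need a newer version of PyYAML than the one that ships with Debian") no longer applies now that `ansible-lint` and `yamllint` are pip-installed into a venv in roles/debian/ansible/tasks/main.yml, so drop `python3-yaml` from `remove_packages` together with its comment and the cloud-init caveat, or document which system consumer still needs the newer PyYAML.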
diff --git a/docs/roles/solr.md b/docs/roles/debian/solr.md similarity index 100% rename from docs/roles/solr.md rename to docs/roles/debian/solr.md diff --git a/docs/roles/ssh_server.md b/docs/roles/debian/ssh_server.md similarity index 100% rename from docs/roles/ssh_server.md rename to docs/roles/debian/ssh_server.md diff --git a/docs/roles/ssl.md b/docs/roles/debian/ssl.md similarity index 92% rename from docs/roles/ssl.md rename to docs/roles/debian/ssl.md index d5ae1c7f1..33a5ee801 100644 --- a/docs/roles/ssl.md +++ b/docs/roles/debian/ssl.md 
@@ -78,19 +78,17 @@ ssl: certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" # root of the command to register a new cert http_01_port: 80 # you can set a non-standard port to listen on, but certbot still needs port 80 - see https://letsencrypt.org/docs/challenge-types/#http-01-challenge # For "letsencrypt" auto renewal - autorenew: false # set to true to create a cron job to renew LE certs - certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # root of the command used in the cron job - # renewal_minute: "0" # minute to run renewal cron job - # renewal_hour: "0" # hour to run renewal cron job - # renewal_day: "7" # day of month to run renewal cron job - # renewal_weekday: "0" # day of week to run renewal cron job + autorenew: false # set to true to create a systemd timer to renew LE certs + certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # root of the command used in the systemd timer + # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + #on_calendar: "Mon *-*-* 04:00:00" web_server: standalone # values are standalone, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! # For "letsencrypt" handling, a list of service to stop while creating the certificate. # This is because we need port 80 to be free. # List of services to be stopped during renewal, e.g. - # services: - # - nginx + #services: + # - nginx services: [] # When certificates get renewed on a schedule you also need to reload any dependent services, such as your web server. # List of services to reload: diff --git a/docs/roles/sudo_config.md b/docs/roles/debian/sudo_config.md similarity index 100% rename from docs/roles/sudo_config.md rename to docs/roles/debian/sudo_config.md 
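Review bot: in docs/roles/debian/ssl.md the new text says `autorenew: false # set to true to create a systemd timer to renew LE certs` but the only schedule, `#on_calendar: "Mon *-*-* 04:00:00"`, stays commented out and the docs never say what happens when `autorenew` is true and `on_calendar` is unset (no timer, a role default, or a template error). The jenkins.md and ldap_server.md hunks in this same patch ship an uncommented `on_calendar`, so either do the same here or add one sentence stating the fallback schedule; the removed `renewal_*` cron keys gave readers an explicit default and this hunk takes that away.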
diff --git a/docs/roles/varnish_config.md b/docs/roles/debian/varnish_config.md similarity index 100% rename from docs/roles/varnish_config.md rename to docs/roles/debian/varnish_config.md diff --git a/docs/roles/wazuh.md b/docs/roles/debian/wazuh.md similarity index 97% rename from docs/roles/wazuh.md rename to docs/roles/debian/wazuh.md index 7e6d73e76..bc92ecc6d 100644 --- a/docs/roles/wazuh.md +++ b/docs/roles/debian/wazuh.md @@ -11,8 +11,6 @@ Supports standalone managers, scaled out services and agent installation (defaul ```yaml --- wazuh: - #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible - branch: "4.3" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version! # Agent variables, installed locally by default # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/ansible-wazuh-agent/defaults/main.yml agent: diff --git a/docs/roles/python_boto.md b/docs/roles/python_boto.md deleted file mode 100644 index bb0883637..000000000 --- a/docs/roles/python_boto.md +++ /dev/null @@ -1,14 +0,0 @@ -# Python Boto -Role to install the `boto3` library for Python integration with AWS services. - - - - - -## Default variables -```yaml -python_boto: - boto3_version: "1.22.13" # first version that works with 'stable-6' AWS collections - empty string means latest -``` - - diff --git a/docs/roles/python_pip.md b/docs/roles/python_pip.md deleted file mode 100644 index 91797a924..000000000 --- a/docs/roles/python_pip.md +++ /dev/null 
@@ -1,32 +0,0 @@ -# Python Pip -Role to install `pip3`. - -Note, the variables do not do anything for Debian 12 (bookworm) onwards, as `pip3` is handled by `apt` from then on. - - - - - -## Default variables -```yaml ---- -# Variables only valid for Debian versions below 12 (bookworm). -python_pip: - python_binary_path: "/usr/bin/python3" - pip_packages: - - "python-pip" - - "python3-pip" - upgrade: - enabled: true # create cron job to auto-upgrade pip - command: "/usr/bin/python -m pip install --upgrade pip" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 0 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true - -``` - - diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index 938863506..f38aef31f 100644 --- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml 
@@ -1,13 +1,13 @@ --- dependencies: - - { role: apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx"] } - - role: locales - - role: user_root - - role: apt_extra_packages - - { role: apt_unattended_upgrades, when: ( is_local is not defined or not is_local ) } - - { role: hosts, when: ( is_local is not defined or not is_local ) } - - { role: rkhunter, when: ( is_local is not defined or not is_local ) } - - role: postfix - - { role: clamav, when: ( is_local is not defined or not is_local ) } - - { role: firewall_config, when: ( is_local is not defined or not is_local ) } - - { role: sudo_config, when: ( is_local is not defined or not is_local ) } + - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx"] } + - role: debian/locales + - role: debian/user_root + - role: debian/apt_extra_packages + - { role: debian/apt_unattended_upgrades, when: ( is_local is not defined or not is_local ) } + - { role: debian/hosts, when: ( is_local is not defined or not is_local ) } + - { role: debian/rkhunter, when: ( is_local is not defined or not is_local ) } + - role: debian/postfix + - { role: debian/clamav, when: ( is_local is not defined or not is_local ) } + - { role: debian/firewall_config, when: ( is_local is not defined or not is_local ) } + - { role: debian/sudo_config, when: ( is_local is not defined or not is_local ) } diff --git a/roles/ansible/README.md b/roles/ansible/README.md deleted file mode 100644 index 7ad8e9a9d..000000000 --- a/roles/ansible/README.md +++ /dev/null 
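Review bot: in roles/_meta/common_base/meta/main.yml, `debian/apt_extra_packages` is listed twice, once with an inline list (`rsync`, `python3-apt`, ...) and once bare (`- role: debian/apt_extra_packages`); this predates the rename, but since every dependency line is rewritten here it is the moment to either remove the duplicate or add a comment saying the bare second call is intentional and installs the caller's own `apt_extra_packages` variable after the base set.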
@@ -1,27 +0,0 @@ -# Ansible -(Re-)install Ansible from the official repository. - - - - - -## Default variables -```yaml ---- -ce_ansible: - upgrade: - enabled: true # create cron job to auto-upgrade Ansible - command: "/usr/bin/python -m pip install --upgrade ansible" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 10 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true - linters: - enabled: true # will not install linters if false, installing linters breaks cloud-init - -``` - - diff --git a/roles/ansible/defaults/main.yml b/roles/ansible/defaults/main.yml deleted file mode 100644 index 3f27cecb3..000000000 --- a/roles/ansible/defaults/main.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -ce_ansible: - upgrade: - enabled: true # create cron job to auto-upgrade Ansible - command: "/usr/bin/python -m pip install --upgrade ansible" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 10 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true - linters: - enabled: true # will not install linters if false, installing linters breaks cloud-init diff --git a/roles/ansible/tasks/10.yml b/roles/ansible/tasks/10.yml deleted file mode 100644 index 48d4e77ea..000000000 --- a/roles/ansible/tasks/10.yml +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -# cron is not necessarily installed by default. -- name: Ensure cron is installed. - ansible.builtin.apt: - name: cron - state: present - update_cache: true - -# Linters need a newer version of PyYAML than the one that ships with Debian. -- name: Remove older PyYAML package. - ansible.builtin.apt: - pkg: ["python3-yaml"] - state: absent - when: ce_ansible.linters.enabled - -- name: Check pip is still installed. - ansible.builtin.stat: - path: /usr/bin/pip - register: _path_to_pip - -- name: Ensure Ansible is not installed by pip. - ansible.builtin.command: - cmd: pip uninstall ansible -y - become: true - when: _path_to_pip.stat.exists - -- name: Set up pip3. - ansible.builtin.include_role: - name: python_pip - -# Not using 'apt' - this needs to be one task or we break controller servers acting on themselves. -- name: Remove and re-install Ansible. - ansible.builtin.shell: - cmd: sudo apt-get -y remove ansible && sudo pip3 install ansible - become: false - -- name: Install linters. - ansible.builtin.pip: - name: - - ansible-lint - - yamllint - executable: pip3 - when: ce_ansible.linters.enabled - -# This package gets removed with python3-yaml above but we need it for auto-scale. -- name: Install cloud-init. - ansible.builtin.apt: - name: cloud-init - when: ce_ansible.linters.enabled - -- name: Create cron entry to upgrade Ansible. - ansible.builtin.cron: - name: upgrade_ansible - minute: "{{ ce_ansible.upgrade.minute | default(omit) }}" - hour: "{{ ce_ansible.upgrade.hour | default(omit) }}" - day: "{{ ce_ansible.upgrade.day | default(omit) }}" - weekday: "{{ ce_ansible.upgrade.weekday | default(omit) }}" - month: "{{ ce_ansible.upgrade.month | default(omit) }}" - job: "{{ ce_ansible.upgrade.command }}" - state: present - disabled: "{{ ce_ansible.upgrade.disabled | default(omit) }}" - become: true - when: ce_ansible.upgrade.enabled 
diff --git a/roles/ansible/tasks/11.yml b/roles/ansible/tasks/11.yml deleted file mode 100644 index 48d4e77ea..000000000 --- a/roles/ansible/tasks/11.yml +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -# cron is not necessarily installed by default. -- name: Ensure cron is installed. - ansible.builtin.apt: - name: cron - state: present - update_cache: true - -# Linters need a newer version of PyYAML than the one that ships with Debian. -- name: Remove older PyYAML package. - ansible.builtin.apt: - pkg: ["python3-yaml"] - state: absent - when: ce_ansible.linters.enabled - -- name: Check pip is still installed. - ansible.builtin.stat: - path: /usr/bin/pip - register: _path_to_pip - -- name: Ensure Ansible is not installed by pip. - ansible.builtin.command: - cmd: pip uninstall ansible -y - become: true - when: _path_to_pip.stat.exists - -- name: Set up pip3. - ansible.builtin.include_role: - name: python_pip - -# Not using 'apt' - this needs to be one task or we break controller servers acting on themselves. -- name: Remove and re-install Ansible. - ansible.builtin.shell: - cmd: sudo apt-get -y remove ansible && sudo pip3 install ansible - become: false - -- name: Install linters. - ansible.builtin.pip: - name: - - ansible-lint - - yamllint - executable: pip3 - when: ce_ansible.linters.enabled - -# This package gets removed with python3-yaml above but we need it for auto-scale. -- name: Install cloud-init. - ansible.builtin.apt: - name: cloud-init - when: ce_ansible.linters.enabled - -- name: Create cron entry to upgrade Ansible. - ansible.builtin.cron: - name: upgrade_ansible - minute: "{{ ce_ansible.upgrade.minute | default(omit) }}" - hour: "{{ ce_ansible.upgrade.hour | default(omit) }}" - day: "{{ ce_ansible.upgrade.day | default(omit) }}" - weekday: "{{ ce_ansible.upgrade.weekday | default(omit) }}" - month: "{{ ce_ansible.upgrade.month | default(omit) }}" - job: "{{ ce_ansible.upgrade.command }}" - state: present - disabled: "{{ ce_ansible.upgrade.disabled | default(omit) }}" - become: true - when: ce_ansible.upgrade.enabled 
diff --git a/roles/ansible/tasks/12.yml b/roles/ansible/tasks/12.yml deleted file mode 100644 index 01df13e28..000000000 --- a/roles/ansible/tasks/12.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Ensure Ansible and linters are installed. - ansible.builtin.apt: - name: - - python3-yaml - - yamllint - - ansible - - ansible-lint - state: present - update_cache: true diff --git a/roles/ansible/tasks/main.yml b/roles/ansible/tasks/main.yml deleted file mode 100644 index 65990f0ab..000000000 --- a/roles/ansible/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: Remove old PPA repository key for Ansible. - ansible.builtin.apt_key: - id: 93C4A3FD7BB9C367 - keyserver: keyserver.ubuntu.com - state: absent - -- name: Remove old repository for Ansible. - ansible.builtin.apt_repository: - repo: "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" - state: absent - -- name: Load Debian version specific tasks. - ansible.builtin.include_tasks: "{{ ansible_distribution_major_version }}.yml" diff --git a/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 b/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 index 7440c30e2..cf20372f8 100644 --- a/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 +++ b/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 @@ -3,15 +3,31 @@ "Statement": [ { "Action": [ - "aws-portal:View*", - "budgets:View*", - "cur:*" + "account:*", + "billing:*", + "invoicing:*", + "freetier:*", + "ce:*", + "cur:*", + "tax:*" ], "Effect": "Allow", "Resource": "*" }, { - "Action": "aws-portal:*Account", + "Action": [ + "account:CloseAccount", + "account:DeleteAlternateContact", + "account:PutAlternateContact", + "account:PutChallengeQuestions", + "account:PutContactInformation", + "billing:PutContractInformation", + "billing:UpdateIAMAccessPreference", + "billing:UpdateBillingPreferences", + "tax:BatchPutTaxRegistration", + "tax:DeleteTaxRegistration", + "tax:PutTaxInheritance" + ] "Effect": "Deny", "Resource": "*" } 
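Review bot: in roles/aws/aws_iam_saml/templates/access_billing_policy.j2 the Deny statement is no longer valid JSON: the closing `]` of the new `"Action": [` array is followed directly by `"Effect": "Deny"` with no comma, so the rendered policy will be rejected by IAM; change the line to `],`. Separately, replacing `aws-portal:View*` and `budgets:View*` with `account:*`, `billing:*`, `invoicing:*`, `freetier:*`, `ce:*` and `tax:*` turns a view-only billing role into read-write on those services except for the eleven actions in the Deny list, and the `budgets` access is dropped entirely rather than migrated; if the role is still meant to be read-only, allow only the Get/List/View actions of each new namespace plus the `budgets` equivalents instead of relying on a short Deny list to subtract writes from `*`.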
diff --git a/roles/ce_deploy/meta/main.yml b/roles/ce_deploy/meta/main.yml deleted file mode 100644 index 186d2189b..000000000 --- a/roles/ce_deploy/meta/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -dependencies: - - role: aws/aws_cli - - role: ansible - - role: python_boto diff --git a/roles/ce_provision/meta/main.yml b/roles/ce_provision/meta/main.yml deleted file mode 100644 index 7dcbcde13..000000000 --- a/roles/ce_provision/meta/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -dependencies: - - role: aws/aws_cli - - role: ansible - - role: python_boto - - role: packer - - role: terraform diff --git a/roles/clamav/tasks/main.yml b/roles/clamav/tasks/main.yml deleted file mode 100644 index 0a8fa4ab6..000000000 --- a/roles/clamav/tasks/main.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# cron is not necessarily installed by default. -- name: Ensure cron is installed. - ansible.builtin.apt: - name: cron - state: present - update_cache: true - -- name: Ensure the ClamAV scripts directory exists. - ansible.builtin.file: - path: "{{ clamav.scripts_location }}" - state: directory - mode: '0755' - -- name: Copy clamscan script to server. - ansible.builtin.template: - src: "clamscan.j2" - dest: "{{ clamav.scripts_location }}/clamscan" - owner: root - group: root - mode: "0755" - -- name: Ensure the ClamAV log directory exists. - ansible.builtin.file: - path: "{{ clamav.log_location }}" - state: directory - mode: '0755' - when: clamav.provide_cron - -- name: Set up a ClamAV cron run. - ansible.builtin.cron: - name: ClamAV scan - minute: "{{ clamav.cron_minute }}" - hour: "{{ clamav.cron_hour | default(omit) }}" - day: "{{ clamav.cron_day | default(omit) }}" - weekday: "{{ clamav.cron_weekday | default(omit) }}" - job: "{{ clamav.scripts_location }}/clamscan" - when: clamav.provide_cron \ No newline at end of file diff --git a/roles/contrib/README.md b/roles/contrib/README.md new file mode 100644 index 000000000..d76d0486f --- /dev/null +++ b/roles/contrib/README.md 
@@ -0,0 +1,4 @@ +# Contributed roles +This is a space for ce-provision to clone roles we use into. It is specifically for roles not available via [Ansible Galaxy](https://galaxy.ansible.com), which is always the preferred route for including other roles. + +They will be installed from [the `ce_provision.contrib_roles` variable](https://github.com/codeenigma/ce-provision/blob/devel-2.x/roles/debian/ce_provision/defaults/main.yml#L27-L33). diff --git a/roles/debian/ansible/README.md b/roles/debian/ansible/README.md new file mode 100644 index 000000000..eb25ec512 --- /dev/null +++ b/roles/debian/ansible/README.md @@ -0,0 +1,24 @@ +# Ansible +(Re-)install Ansible from the official repository. + + + + + +## Default variables +```yaml +--- +ce_ansible: + # These are usually set within another role using _venv_path and _venv_command but can be overridden. + #venv_path: "/home/{{ ce_provision.username }}/ansible" + #venv_command: /usr/bin/python3.11 -m venv + upgrade: + enabled: true # create systemd timer to auto-upgrade Ansible + command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too + on_calendar: "*-*-* 01:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + linters: + enabled: true # will not install linters if false, installing linters breaks cloud-init + +``` + + diff --git a/roles/debian/ansible/defaults/main.yml b/roles/debian/ansible/defaults/main.yml new file mode 100644 index 000000000..746251010 --- /dev/null +++ b/roles/debian/ansible/defaults/main.yml 
@@ -0,0 +1,11 @@ +--- +ce_ansible: + # These are usually set within another role using _venv_path and _venv_command but can be overridden. + #venv_path: "/home/{{ ce_provision.username }}/ansible" + #venv_command: /usr/bin/python3.11 -m venv + upgrade: + enabled: true # create systemd timer to auto-upgrade Ansible + command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too + on_calendar: "*-*-* 01:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + linters: + enabled: true # will not install linters if false, installing linters breaks cloud-init diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml new file mode 100644 index 000000000..d47d0f5d9 --- /dev/null +++ b/roles/debian/ansible/tasks/main.yml 
@@ -0,0 +1,57 @@ +--- +- name: Remove old PPA repository key for Ansible. + ansible.builtin.apt_key: + id: 93C4A3FD7BB9C367 + keyserver: keyserver.ubuntu.com + state: absent + +- name: Remove old repository for Ansible. + ansible.builtin.apt_repository: + repo: "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" + state: absent + +# Linters need a newer version of PyYAML than the one that ships with Debian. +- name: Remove older PyYAML package. + ansible.builtin.apt: + pkg: python3-yaml + state: absent + when: ce_ansible.linters.enabled + +- name: Remove system Ansible. + ansible.builtin.apt: + pkg: ansible + state: absent + +- name: Set up Python packages. + ansible.builtin.include_role: + name: debian/python_common + +- name: Install Ansible. + ansible.builtin.pip: + name: + - ansible + virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" + virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" + become: true + become_user: "{{ ce_provision.username }}" + +- name: Install linters. + ansible.builtin.pip: + name: + - ansible-lint + - yamllint + virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" + virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" + when: ce_ansible.linters.enabled + become: true + become_user: "{{ ce_provision.username }}" + +- name: Create systemd timer to upgrade Ansible. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + upgrade_ansible: + timer_command: "{{ ce_ansible.upgrade.command }}" + timer_OnCalendar: "{{ ce_ansible.upgrade.on_calendar }}" + when: ce_ansible.upgrade.enabled diff --git a/roles/apache/README.md b/roles/debian/apache/README.md similarity index 100% rename from roles/apache/README.md rename to roles/debian/apache/README.md 
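Review bot: in roles/debian/ansible/tasks/main.yml the separate `Remove system Ansible` apt task followed by the pip install reintroduces the situation the deleted roles/ansible/tasks/10.yml guarded against with "Not using 'apt' - this needs to be one task or we break controller servers acting on themselves"; when the target is the controller running this play, removing the `ansible` package before the venv exists leaves the run without an Ansible installation between the two tasks, so keep the remove-and-install in one task as before or gate the removal with a `when` that skips hosts acting on themselves. Two ownership points in the same hunk: `Install Ansible` and `Install linters` use `become_user: "{{ ce_provision.username }}"` while the venv path comes from `_venv_path`, which roles/debian/ce_deploy/tasks/main.yml sets to `/home/{{ _ce_deploy.username }}/ansible`, so when included from ce_deploy the venv is created in the deploy user's home as the provision user (ownership mismatch or a permission failure); and the `contrib/systemd_timers` include passes no user, so if that role defaults to root the nightly `pip install --upgrade ansible` writes root-owned files into a user-owned venv. Passing the owning user alongside `_venv_path` would fix both.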
diff --git a/roles/apache/defaults/main.yml b/roles/debian/apache/defaults/main.yml similarity index 100% rename from roles/apache/defaults/main.yml rename to roles/debian/apache/defaults/main.yml diff --git a/roles/apache/tasks/domain.yml b/roles/debian/apache/tasks/domain.yml similarity index 100% rename from roles/apache/tasks/domain.yml rename to roles/debian/apache/tasks/domain.yml diff --git a/roles/apache/tasks/main.yml b/roles/debian/apache/tasks/main.yml similarity index 100% rename from roles/apache/tasks/main.yml rename to roles/debian/apache/tasks/main.yml diff --git a/roles/apache/templates/_common.conf.j2 b/roles/debian/apache/templates/_common.conf.j2 similarity index 100% rename from roles/apache/templates/_common.conf.j2 rename to roles/debian/apache/templates/_common.conf.j2 diff --git a/roles/apache/templates/apache2.conf.j2 b/roles/debian/apache/templates/apache2.conf.j2 similarity index 100% rename from roles/apache/templates/apache2.conf.j2 rename to roles/debian/apache/templates/apache2.conf.j2 diff --git a/roles/apache/templates/cloudwatch-main.json.j2 b/roles/debian/apache/templates/cloudwatch-main.json.j2 similarity index 100% rename from roles/apache/templates/cloudwatch-main.json.j2 rename to roles/debian/apache/templates/cloudwatch-main.json.j2 diff --git a/roles/apache/templates/cloudwatch-vhost.json.j2 b/roles/debian/apache/templates/cloudwatch-vhost.json.j2 similarity index 100% rename from roles/apache/templates/cloudwatch-vhost.json.j2 rename to roles/debian/apache/templates/cloudwatch-vhost.json.j2 diff --git a/roles/apache/templates/drupal7.conf.j2 b/roles/debian/apache/templates/drupal7.conf.j2 similarity index 100% rename from roles/apache/templates/drupal7.conf.j2 rename to roles/debian/apache/templates/drupal7.conf.j2 
diff --git a/roles/apache/templates/flat.conf.j2 b/roles/debian/apache/templates/flat.conf.j2 similarity index 100% rename from roles/apache/templates/flat.conf.j2 rename to roles/debian/apache/templates/flat.conf.j2 diff --git a/roles/apache/templates/nagios.conf.j2 b/roles/debian/apache/templates/nagios.conf.j2 similarity index 100% rename from roles/apache/templates/nagios.conf.j2 rename to roles/debian/apache/templates/nagios.conf.j2 diff --git a/roles/apache/templates/php-fpm.conf.j2 b/roles/debian/apache/templates/php-fpm.conf.j2 similarity index 100% rename from roles/apache/templates/php-fpm.conf.j2 rename to roles/debian/apache/templates/php-fpm.conf.j2 diff --git a/roles/apache/templates/vhosts.j2 b/roles/debian/apache/templates/vhosts.j2 similarity index 100% rename from roles/apache/templates/vhosts.j2 rename to roles/debian/apache/templates/vhosts.j2 diff --git a/roles/apt_extra_packages/README.md b/roles/debian/apt_extra_packages/README.md similarity index 100% rename from roles/apt_extra_packages/README.md rename to roles/debian/apt_extra_packages/README.md diff --git a/roles/apt_extra_packages/defaults/main.yml b/roles/debian/apt_extra_packages/defaults/main.yml similarity index 100% rename from roles/apt_extra_packages/defaults/main.yml rename to roles/debian/apt_extra_packages/defaults/main.yml diff --git a/roles/apt_extra_packages/tasks/main.yml b/roles/debian/apt_extra_packages/tasks/main.yml similarity index 100% rename from roles/apt_extra_packages/tasks/main.yml rename to roles/debian/apt_extra_packages/tasks/main.yml diff --git a/roles/apt_unattended_upgrades/README.md b/roles/debian/apt_unattended_upgrades/README.md similarity index 100% rename from roles/apt_unattended_upgrades/README.md rename to roles/debian/apt_unattended_upgrades/README.md 
diff --git a/roles/apt_unattended_upgrades/defaults/main.yml b/roles/debian/apt_unattended_upgrades/defaults/main.yml similarity index 100% rename from roles/apt_unattended_upgrades/defaults/main.yml rename to roles/debian/apt_unattended_upgrades/defaults/main.yml diff --git a/roles/apt_unattended_upgrades/tasks/main.yml b/roles/debian/apt_unattended_upgrades/tasks/main.yml similarity index 100% rename from roles/apt_unattended_upgrades/tasks/main.yml rename to roles/debian/apt_unattended_upgrades/tasks/main.yml diff --git a/roles/apt_unattended_upgrades/templates/20auto-upgrades.j2 b/roles/debian/apt_unattended_upgrades/templates/20auto-upgrades.j2 similarity index 100% rename from roles/apt_unattended_upgrades/templates/20auto-upgrades.j2 rename to roles/debian/apt_unattended_upgrades/templates/20auto-upgrades.j2 diff --git a/roles/apt_unattended_upgrades/templates/50unattended-upgrades.j2 b/roles/debian/apt_unattended_upgrades/templates/50unattended-upgrades.j2 similarity index 100% rename from roles/apt_unattended_upgrades/templates/50unattended-upgrades.j2 rename to roles/debian/apt_unattended_upgrades/templates/50unattended-upgrades.j2 diff --git a/roles/aws/aws_cli/README.md b/roles/debian/aws_cli/README.md similarity index 100% rename from roles/aws/aws_cli/README.md rename to roles/debian/aws_cli/README.md diff --git a/roles/aws/aws_cli/defaults/main.yml b/roles/debian/aws_cli/defaults/main.yml similarity index 100% rename from roles/aws/aws_cli/defaults/main.yml rename to roles/debian/aws_cli/defaults/main.yml diff --git a/roles/aws/aws_cli/tasks/main.yml b/roles/debian/aws_cli/tasks/main.yml similarity index 100% rename from roles/aws/aws_cli/tasks/main.yml rename to roles/debian/aws_cli/tasks/main.yml diff --git a/roles/aws_cloudwatch_agent/README.md b/roles/debian/aws_cloudwatch_agent/README.md similarity index 100% rename from roles/aws_cloudwatch_agent/README.md rename to roles/debian/aws_cloudwatch_agent/README.md 
diff --git a/roles/aws_cloudwatch_agent/defaults/main.yml b/roles/debian/aws_cloudwatch_agent/defaults/main.yml similarity index 100% rename from roles/aws_cloudwatch_agent/defaults/main.yml rename to roles/debian/aws_cloudwatch_agent/defaults/main.yml diff --git a/roles/aws_cloudwatch_agent/tasks/main.yml b/roles/debian/aws_cloudwatch_agent/tasks/main.yml similarity index 100% rename from roles/aws_cloudwatch_agent/tasks/main.yml rename to roles/debian/aws_cloudwatch_agent/tasks/main.yml diff --git a/roles/aws_cloudwatch_agent/templates/config.json.j2 b/roles/debian/aws_cloudwatch_agent/templates/config.json.j2 similarity index 100% rename from roles/aws_cloudwatch_agent/templates/config.json.j2 rename to roles/debian/aws_cloudwatch_agent/templates/config.json.j2 diff --git a/roles/aws_cloudwatch_agent/templates/credentials.j2 b/roles/debian/aws_cloudwatch_agent/templates/credentials.j2 similarity index 100% rename from roles/aws_cloudwatch_agent/templates/credentials.j2 rename to roles/debian/aws_cloudwatch_agent/templates/credentials.j2 diff --git a/roles/aws/aws_efs_client/README.md b/roles/debian/aws_efs_client/README.md similarity index 100% rename from roles/aws/aws_efs_client/README.md rename to roles/debian/aws_efs_client/README.md diff --git a/roles/aws/aws_efs_client/defaults/main.yml b/roles/debian/aws_efs_client/defaults/main.yml similarity index 100% rename from roles/aws/aws_efs_client/defaults/main.yml rename to roles/debian/aws_efs_client/defaults/main.yml diff --git a/roles/aws/aws_efs_client/tasks/fstab.yml b/roles/debian/aws_efs_client/tasks/fstab.yml similarity index 100% rename from roles/aws/aws_efs_client/tasks/fstab.yml rename to roles/debian/aws_efs_client/tasks/fstab.yml diff --git a/roles/aws/aws_efs_client/tasks/main.yml b/roles/debian/aws_efs_client/tasks/main.yml similarity index 100% rename from roles/aws/aws_efs_client/tasks/main.yml rename to roles/debian/aws_efs_client/tasks/main.yml 
diff --git a/roles/aws/aws_efs_client/templates/init.sh.j2 b/roles/debian/aws_efs_client/templates/init.sh.j2 similarity index 100% rename from roles/aws/aws_efs_client/templates/init.sh.j2 rename to roles/debian/aws_efs_client/templates/init.sh.j2 diff --git a/roles/aws_ssm_agent/README.md b/roles/debian/aws_ssm_agent/README.md similarity index 100% rename from roles/aws_ssm_agent/README.md rename to roles/debian/aws_ssm_agent/README.md diff --git a/roles/aws_ssm_agent/defaults/main.yml b/roles/debian/aws_ssm_agent/defaults/main.yml similarity index 100% rename from roles/aws_ssm_agent/defaults/main.yml rename to roles/debian/aws_ssm_agent/defaults/main.yml diff --git a/roles/aws_ssm_agent/tasks/main.yml b/roles/debian/aws_ssm_agent/tasks/main.yml similarity index 100% rename from roles/aws_ssm_agent/tasks/main.yml rename to roles/debian/aws_ssm_agent/tasks/main.yml diff --git a/roles/ce_deploy/README.md b/roles/debian/ce_deploy/README.md similarity index 71% rename from roles/ce_deploy/README.md rename to roles/debian/ce_deploy/README.md index 48c6fead5..f96ab5935 100644 --- a/roles/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md @@ -11,6 +11,10 @@ _ce_deploy: username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: + # Location of Ansible installation and components. + venv_path: "/home/{{ _ce_deploy.username }}/ansible" + venv_command: /usr/bin/python3.11 -m venv + # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name username: "{{ _ce_deploy.username }}" 
@@ -27,14 +31,8 @@ ce_deploy: galaxy_custom_requirements_file: "/home/{{ _ce_deploy.username }}/ce-deploy/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/usr/local/bin/ansible-galaxy collection install --force" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 0 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true + command: "/home/{{ _ce_deploy.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + on_calendar: "Mon *-*-* 01:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/roles/ce_deploy/ansible.cfg b/roles/debian/ce_deploy/ansible.cfg similarity index 100% rename from roles/ce_deploy/ansible.cfg rename to roles/debian/ce_deploy/ansible.cfg diff --git a/roles/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml similarity index 68% rename from roles/ce_deploy/defaults/main.yml rename to roles/debian/ce_deploy/defaults/main.yml index bc6a8a224..7902af13f 100644 --- a/roles/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -3,6 +3,10 @@ _ce_deploy: username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: + # Location of Ansible installation and components. + venv_path: "/home/{{ _ce_deploy.username }}/ansible" + venv_command: /usr/bin/python3.11 -m venv + # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name username: "{{ _ce_deploy.username }}" 
@@ -19,11 +23,5 @@ ce_deploy: galaxy_custom_requirements_file: "/home/{{ _ce_deploy.username }}/ce-deploy/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/usr/local/bin/ansible-galaxy collection install --force" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 0 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true + command: "/home/{{ _ce_deploy.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + on_calendar: "Mon *-*-* 01:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events diff --git a/roles/debian/ce_deploy/meta/main.yml b/roles/debian/ce_deploy/meta/main.yml new file mode 100644 index 000000000..ceaba0400 --- /dev/null +++ b/roles/debian/ce_deploy/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: debian/aws_cli diff --git a/roles/ce_deploy/meta/requirements-10.yml b/roles/debian/ce_deploy/meta/requirements-10.yml similarity index 100% rename from roles/ce_deploy/meta/requirements-10.yml rename to roles/debian/ce_deploy/meta/requirements-10.yml diff --git a/roles/ce_deploy/meta/requirements-11.yml b/roles/debian/ce_deploy/meta/requirements-11.yml similarity index 100% rename from roles/ce_deploy/meta/requirements-11.yml rename to roles/debian/ce_deploy/meta/requirements-11.yml diff --git a/roles/ce_deploy/meta/requirements-12.yml b/roles/debian/ce_deploy/meta/requirements-12.yml similarity index 100% rename from roles/ce_deploy/meta/requirements-12.yml rename to roles/debian/ce_deploy/meta/requirements-12.yml diff --git a/roles/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml similarity index 72% rename from roles/ce_deploy/tasks/main.yml rename to roles/debian/ce_deploy/tasks/main.yml index f5bbaf6da..407b8bf99 100644 --- a/roles/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml 
@@ -1,11 +1,4 @@ --- -# cron is not necessarily installed by default. -- name: Ensure cron is installed. - ansible.builtin.apt: - name: cron - state: present - update_cache: true - - name: Create the deploy group. ansible.builtin.group: name: "{{ ce_deploy.username }}" @@ -43,6 +36,20 @@ dest: "{{ _ce_provision_data_dir }}" src: "/home/{{ ce_deploy.username }}/.ssh/{{ ce_deploy.key_name }}" +# Install Python applications. +- name: Set up Python venv variables. + ansible.builtin.set_fact: + _venv_path: "{{ ce_deploy.venv_path }}" + _venv_command: "{{ ce_deploy.venv_command }}" + +- name: Install Ansible. + ansible.builtin.include_role: + name: debian/ansible + +- name: Install python_boto. + ansible.builtin.include_role: + name: debian/python_boto + - name: Ensure Git is installed. ansible.builtin.apt: pkg: "git" 
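Review bot: the unconditional `include_role: name: debian/python_boto` in the ce_deploy tasks hunk, together with the new `debian/aws_cli` dependency in ce_deploy's meta/main.yml, installs AWS tooling on every deploy host, including ones that never talk to AWS; if that is intended, say so in the README, otherwise gate both behind a `ce_deploy` variable so the role stays minimal on non-AWS targets.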
@@ -148,45 +155,37 @@ - name: Install mandatory ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "ansible-galaxy install -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml --force" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml --force" become: true become_user: "{{ ce_deploy.username }}" - name: Install custom ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "ansible-galaxy install -r {{ ce_deploy.galaxy_custom_requirements_file }} --force" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_deploy.galaxy_custom_requirements_file }} --force" become: true become_user: "{{ ce_deploy.username }}" when: _ce_deploy_custom_galaxy_requirements.stat.exists -- name: Create cron entries to upgrade mandatory ansible-galaxy collections. - ansible.builtin.cron: - name: "upgrade_ce_deploy_ansible_galaxy_mandatory" - minute: "{{ ce_deploy.upgrade_galaxy.minute | default(omit) }}" - hour: "{{ ce_deploy.upgrade_galaxy.hour | default(omit) }}" - day: "{{ ce_deploy.upgrade_galaxy.day | default(omit) }}" - weekday: "{{ ce_deploy.upgrade_galaxy.weekday | default(omit) }}" - month: "{{ ce_deploy.upgrade_galaxy.month | default(omit) }}" - job: "{{ ce_deploy.upgrade_galaxy.command }} -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml" - state: present - disabled: "{{ ce_deploy.upgrade_galaxy.disabled | default(omit) }}" - become: true - become_user: "{{ ce_deploy.username }}" +- name: Create systemd timer to upgrade mandatory ansible-galaxy collections. 
+ ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + upgrade_ce_deploy_ansible_galaxy_mandatory: + timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml" + timer_user: "{{ ce_deploy.username }}" + timer_OnCalendar: "{{ ce_deploy.upgrade_galaxy.on_calendar }}" when: ce_deploy.upgrade_galaxy.enabled -- name: Create cron entries to upgrade custom ansible-galaxy roles and collections. - ansible.builtin.cron: - name: "upgrade_ce_deploy_ansible_galaxy_custom" - minute: "{{ ce_deploy.upgrade_galaxy.minute | default(omit) }}" - hour: "{{ ce_deploy.upgrade_galaxy.hour | default(omit) }}" - day: "{{ ce_deploy.upgrade_galaxy.day | default(omit) }}" - weekday: "{{ ce_deploy.upgrade_galaxy.weekday | default(omit) }}" - month: "{{ ce_deploy.upgrade_galaxy.month | default(omit) }}" - job: "{{ ce_deploy.upgrade_galaxy.command }} -r {{ ce_deploy.galaxy_custom_requirements_file }}" - state: present - disabled: "{{ ce_deploy.upgrade_galaxy.disabled | default(omit) }}" - become: true - become_user: "{{ ce_deploy.username }}" +- name: Create systemd timer to upgrade custom ansible-galaxy collections. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + upgrade_ce_deploy_ansible_galaxy_custom: + timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -r {{ ce_deploy.galaxy_custom_requirements_file }}" + timer_user: "{{ ce_deploy.username }}" + timer_OnCalendar: "{{ ce_deploy.upgrade_galaxy.on_calendar }}" when: - _ce_deploy_custom_galaxy_requirements.stat.exists - ce_deploy.upgrade_galaxy.enabled diff --git a/roles/ce_dev/README.md b/roles/debian/ce_dev/README.md similarity index 100% rename from roles/ce_dev/README.md rename to roles/debian/ce_dev/README.md diff --git a/roles/ce_dev/tasks/main.yml b/roles/debian/ce_dev/tasks/main.yml similarity index 100% rename from roles/ce_dev/tasks/main.yml rename to roles/debian/ce_dev/tasks/main.yml 
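Review bot: the two `include_role: name: contrib/systemd_timers` tasks in the ce_deploy upgrade hunk depend on a role that, elsewhere in this patch, is only cloned by the ce_provision tasks (`Fetch additional roles not in Ansible Galaxy`, into `{{ ce_provision.local_dir }}/roles/contrib/`); on a controller that has not yet run the updated ce_provision role the include fails with an unknown role. Either move the clone into a shared bootstrap step or document that ce_provision must be re-run on the controller before any play that uses ce_deploy, clamav or duplicity.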
diff --git a/roles/ce_patcher/README.md b/roles/debian/ce_patcher/README.md similarity index 100% rename from roles/ce_patcher/README.md rename to roles/debian/ce_patcher/README.md diff --git a/roles/ce_patcher/defaults/main.yml b/roles/debian/ce_patcher/defaults/main.yml similarity index 100% rename from roles/ce_patcher/defaults/main.yml rename to roles/debian/ce_patcher/defaults/main.yml diff --git a/roles/ce_patcher/tasks/main.yml b/roles/debian/ce_patcher/tasks/main.yml similarity index 100% rename from roles/ce_patcher/tasks/main.yml rename to roles/debian/ce_patcher/tasks/main.yml diff --git a/roles/ce_provision/README.md b/roles/debian/ce_provision/README.md similarity index 63% rename from roles/ce_provision/README.md rename to roles/debian/ce_provision/README.md index 9149ca698..f73428cbd 100644 --- a/roles/ce_provision/README.md +++ b/roles/debian/ce_provision/README.md @@ -12,6 +12,10 @@ _ce_provision: username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" ce_provision: + # Location of Ansible installation and components. + venv_path: "/home/{{ _ce_provision.username }}/ansible" + venv_command: /usr/bin/python3.11 -m venv + # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name 
@@ -27,20 +31,21 @@ ce_provision: config_repository_skip_checkout: false # List of additional groups to add the user to. groups: [] + # Roles downloaded from git repositories that are not available via Ansible Galaxy. + contrib_roles: + - directory: wazuh + repo: https://github.com/wazuh/wazuh-ansible.git + branch: stable + - directory: systemd_timers + repo: https://github.com/vlcty/ansible-systemd-timers.git + branch: master # File containing default roles and collections to install via Ansible Galaxy. # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_provision.username }}/ce-provision/config/files/galaxy-requirements.yml" - galaxy_roles_directory: "/home/{{ _ce_provision.username }}/.ansible/roles" upgrade_galaxy: enabled: true - command: "/usr/local/bin/ansible-galaxy collection install --force" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 0 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true + command: "/home/{{ _ce_provision.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/roles/ce_provision/ansible.cfg b/roles/debian/ce_provision/ansible.cfg similarity index 100% rename from roles/ce_provision/ansible.cfg rename to roles/debian/ce_provision/ansible.cfg diff --git a/roles/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml similarity index 60% rename from roles/ce_provision/defaults/main.yml rename to roles/debian/ce_provision/defaults/main.yml index bbda381aa..3281cb118 100644 --- a/roles/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml 
@@ -4,6 +4,10 @@ _ce_provision: username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" ce_provision: + # Location of Ansible installation and components. + venv_path: "/home/{{ _ce_provision.username }}/ansible" + venv_command: /usr/bin/python3.11 -m venv + # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name @@ -19,17 +23,18 @@ ce_provision: config_repository_skip_checkout: false # List of additional groups to add the user to. groups: [] + # Roles downloaded from git repositories that are not available via Ansible Galaxy. + contrib_roles: + - directory: wazuh + repo: https://github.com/wazuh/wazuh-ansible.git + branch: stable + - directory: systemd_timers + repo: https://github.com/vlcty/ansible-systemd-timers.git + branch: master # File containing default roles and collections to install via Ansible Galaxy. # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_provision.username }}/ce-provision/config/files/galaxy-requirements.yml" - galaxy_roles_directory: "/home/{{ _ce_provision.username }}/.ansible/roles" upgrade_galaxy: enabled: true - command: "/usr/local/bin/ansible-galaxy collection install --force" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 0 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true + command: "/home/{{ _ce_provision.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events 
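Review bot: `contrib_roles` in the ce_provision defaults hunk pins each repository to a moving branch (`branch: master`, `branch: stable`), and the matching git task in this patch uses `update: true` with `version: "{{ item.branch }}"`, so code later executed as root by the systemd_timers include on every host can change between runs without any change in this repository. `version:` also accepts a tag or commit SHA; pin there and bump deliberately so the contrib roles stay under review. The same hunk also moves the upgrade from daily at 01:00 to weekly on Monday at 04:00, which deserves a changelog line.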
diff --git a/roles/debian/ce_provision/meta/main.yml b/roles/debian/ce_provision/meta/main.yml new file mode 100644 index 000000000..919e58877 --- /dev/null +++ b/roles/debian/ce_provision/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: + - role: debian/aws_cli + - role: debian/packer + - role: debian/terraform diff --git a/roles/ce_provision/meta/requirements-10.yml b/roles/debian/ce_provision/meta/requirements-10.yml similarity index 100% rename from roles/ce_provision/meta/requirements-10.yml rename to roles/debian/ce_provision/meta/requirements-10.yml diff --git a/roles/ce_provision/meta/requirements-11.yml b/roles/debian/ce_provision/meta/requirements-11.yml similarity index 100% rename from roles/ce_provision/meta/requirements-11.yml rename to roles/debian/ce_provision/meta/requirements-11.yml diff --git a/roles/ce_provision/meta/requirements-12.yml b/roles/debian/ce_provision/meta/requirements-12.yml similarity index 100% rename from roles/ce_provision/meta/requirements-12.yml rename to roles/debian/ce_provision/meta/requirements-12.yml diff --git a/roles/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml similarity index 64% rename from roles/ce_provision/tasks/main.yml rename to roles/debian/ce_provision/tasks/main.yml index 6b06de759..0eafc7290 100644 --- a/roles/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml @@ -1,11 +1,4 @@ --- -# cron is not necessarily installed by default. -- name: Ensure cron is installed. - ansible.builtin.apt: - name: cron - state: present - update_cache: true - - name: Create the provision group for provisioning. ansible.builtin.group: name: "{{ ce_provision.username }}" 
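Review bot: the new ce_provision meta/main.yml makes `debian/aws_cli`, `debian/packer` and `debian/terraform` hard dependencies of the controller role, so every ce_provision controller now installs all three even where no AWS work or image building is done; if that is intended, note it in the README, otherwise gate them with a variable or move them to a playbook-level include.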
@@ -44,6 +37,20 @@ dest: "{{ _ce_provision_data_dir }}" src: "/home/{{ ce_provision.username }}/.ssh/{{ ce_provision.key_name }}" +# Install Python applications. +- name: Set up Python venv variables. + ansible.builtin.set_fact: + _venv_path: "{{ ce_provision.venv_path }}" + _venv_command: "{{ ce_provision.venv_command }}" + +- name: Install Ansible. + ansible.builtin.include_role: + name: debian/ansible + +- name: Install python_boto. + ansible.builtin.include_role: + name: debian/python_boto + # This prevent the original var to be re-evaluated when we move things around. - name: Register config repository. ansible.builtin.set_fact: @@ -54,23 +61,16 @@ pkg: ["git", "parallel"] state: present -- name: Ensure dnspython, certifi and pyopenssl are installed with pip3. +- name: Ensure dnspython, certifi and pyopenssl are installed. ansible.builtin.pip: name: - dnspython - certifi - pyopenssl - executable: pip3 - when: ansible_distribution_major_version | int < 12 - -- name: Ensure dnspython, certifi and openssl are installed with apt. - ansible.builtin.apt: - name: - - python3-dnspython - - python3-certifi - - python3-openssl - state: present - when: ansible_distribution_major_version | int >= 12 + virtualenv: "{{ _venv_path }}" + virtualenv_command: "{{ _venv_command }}" + become: true + become_user: "{{ ce_provision.username }}" # This is needed for "pushing" in certain cases. - name: Setup Git identity. 
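Review bot: `_venv_path` and `_venv_command` are created with `set_fact` in the ce_provision tasks hunk (the ce_deploy hunk does the same) and consumed much later by the pip task and the `ansible-galaxy` command tasks; `set_fact` produces a host-wide fact, so any role run in between that sets the same name changes which venv those later tasks use, and two roles using this pattern on the same host will overwrite each other. Safer to reference `ce_provision.venv_path` directly in `cmd:` and `virtualenv:` and pass the values to `debian/ansible` and `debian/python_boto` with `vars:` on the include.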
@@ -154,56 +154,48 @@ - name: Install mandatory ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "ansible-galaxy install -r {{ ce_provision.local_dir }}/roles/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml --force-with-deps" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml --force-with-deps" become: true become_user: "{{ ce_provision.username }}" - name: Install custom ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "ansible-galaxy install -r {{ ce_provision.galaxy_custom_requirements_file }}" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_provision.galaxy_custom_requirements_file }}" become: true become_user: "{{ ce_provision.username }}" when: _ce_provision_custom_galaxy_requirements.stat.exists -# These roles are not currently available via Ansible Galaxy. -- name: Fetch the Wazuh playbooks and roles. +- name: Fetch additional roles not in Ansible Galaxy. ansible.builtin.git: - repo: https://github.com/wazuh/wazuh-ansible.git - dest: "{{ ce_provision.galaxy_roles_directory }}/wazuh-ansible" + repo: "{{ item.repo }}" + dest: "{{ ce_provision.local_dir }}/roles/contrib/{{ item.directory }}" update: true - version: master - become: true - become_user: "{{ ce_provision.username }}" - when: ce_provision.galaxy_roles_directory | length > 0 - -- name: Create cron entries to upgrade mandatory ansible-galaxy collections. 
- ansible.builtin.cron: - name: "upgrade_ce_provision_ansible_galaxy_mandatory" - minute: "{{ ce_provision.upgrade_galaxy.minute | default(omit) }}" - hour: "{{ ce_provision.upgrade_galaxy.hour | default(omit) }}" - day: "{{ ce_provision.upgrade_galaxy.day | default(omit) }}" - weekday: "{{ ce_provision.upgrade_galaxy.weekday | default(omit) }}" - month: "{{ ce_provision.upgrade_galaxy.month | default(omit) }}" - job: "{{ ce_provision.upgrade_galaxy.command }} -r {{ ce_provision.local_dir }}/roles/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml" - state: present - disabled: "{{ ce_provision.upgrade_galaxy.disabled | default(omit) }}" + version: "{{ item.branch }}" become: true become_user: "{{ ce_provision.username }}" + with_items: "{{ ce_provision.contrib_roles }}" + when: ce_provision.contrib_roles | length > 0 + +- name: Create systemd timer to upgrade mandatory ansible-galaxy collections. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + upgrade_ce_provision_ansible_galaxy_mandatory: + timer_command: "{{ ce_provision.upgrade_galaxy.command }} -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml" + timer_user: "{{ ce_provision.username }}" + timer_OnCalendar: "{{ ce_provision.upgrade_galaxy.on_calendar }}" when: ce_provision.upgrade_galaxy.enabled -- name: Create cron entries to upgrade custom ansible-galaxy collections. 
- ansible.builtin.cron: - name: "upgrade_ce_provision_ansible_galaxy_custom" - minute: "{{ ce_provision.upgrade_galaxy.minute | default(omit) }}" - hour: "{{ ce_provision.upgrade_galaxy.hour | default(omit) }}" - day: "{{ ce_provision.upgrade_galaxy.day | default(omit) }}" - weekday: "{{ ce_provision.upgrade_galaxy.weekday | default(omit) }}" - month: "{{ ce_provision.upgrade_galaxy.month | default(omit) }}" - job: "{{ ce_provision.upgrade_galaxy.command }} -r {{ ce_provision.galaxy_custom_requirements_file }}" - state: present - disabled: "{{ ce_provision.upgrade_galaxy.disabled | default(omit) }}" - become: true - become_user: "{{ ce_provision.username }}" +- name: Create systemd timer to upgrade custom ansible-galaxy collections. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + upgrade_ce_provision_ansible_galaxy_custom: + timer_command: "{{ ce_provision.upgrade_galaxy.command }} -r {{ ce_provision.galaxy_custom_requirements_file }}" + timer_user: "{{ ce_provision.username }}" + timer_OnCalendar: "{{ ce_provision.upgrade_galaxy.on_calendar }}" when: - _ce_provision_custom_galaxy_requirements.stat.exists - ce_provision.upgrade_galaxy.enabled diff --git a/roles/clamav/README.md b/roles/debian/clamav/README.md similarity index 71% rename from roles/clamav/README.md rename to roles/debian/clamav/README.md index b7e26f3e4..81a888707 100644 --- a/roles/clamav/README.md +++ b/roles/debian/clamav/README.md @@ -1,7 +1,7 @@ # ClamAV This role provides a wrapper for [Jeff Geerling's Ansible role for ClamAV](https://github.com/geerlingguy/ansible-role-clamav). -This role optionally provides cron scripts for routine scanning if you are not running ClamAV in daemon mode. +This role optionally provides systemd timers for routine scanning if you are not running ClamAV in daemon mode. 
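Review bot: in the `Fetch additional roles not in Ansible Galaxy` task in the ce_provision tasks hunk, `when: ce_provision.contrib_roles | length > 0` is redundant (an empty list simply yields no iterations) and `with_items` can be `loop:`; more importantly the clone now lands in `{{ ce_provision.local_dir }}/roles/contrib/`, inside the checked-out ce-provision repository, so confirm `roles/contrib/` is ignored by git or the controller checkout will show untracked directories on every run.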
@@ -11,12 +11,9 @@ This role optionally provides cron scripts for routine scanning if you are not r ```yaml --- clamav: - provide_cron: false + create_timer: false server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. - cron_minute: "0" # Runs daily at midnight by default. - cron_hour: "0" - # cron_day: "*" - # cron_weekday: "0" # 0-6 for Sunday-Saturday + on_calendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events scripts_location: /usr/local/clamav/script log_location: /usr/local/clamav/log send_mail: false # Important: will not send any emails by default. diff --git a/roles/clamav/defaults/main.yml b/roles/debian/clamav/defaults/main.yml similarity index 73% rename from roles/clamav/defaults/main.yml rename to roles/debian/clamav/defaults/main.yml index 717a08d4d..651cafde3 100644 --- a/roles/clamav/defaults/main.yml +++ b/roles/debian/clamav/defaults/main.yml @@ -1,11 +1,8 @@ --- clamav: - provide_cron: false + create_timer: false server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. - cron_minute: "0" # Runs daily at midnight by default. - cron_hour: "0" - # cron_day: "*" - # cron_weekday: "0" # 0-6 for Sunday-Saturday + on_calendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events scripts_location: /usr/local/clamav/script log_location: /usr/local/clamav/log send_mail: false # Important: will not send any emails by default. diff --git a/roles/clamav/meta/main.yml b/roles/debian/clamav/meta/main.yml similarity index 100% rename from roles/clamav/meta/main.yml rename to roles/debian/clamav/meta/main.yml diff --git a/roles/debian/clamav/tasks/main.yml b/roles/debian/clamav/tasks/main.yml new file mode 100644 index 000000000..5d27153a8 --- /dev/null 
+++ b/roles/debian/clamav/tasks/main.yml @@ -0,0 +1,31 @@ +--- +- name: Ensure the ClamAV scripts directory exists. + ansible.builtin.file: + path: "{{ clamav.scripts_location }}" + state: directory + mode: '0755' + +- name: Copy clamscan script to server. + ansible.builtin.template: + src: "clamscan.j2" + dest: "{{ clamav.scripts_location }}/clamscan" + owner: root + group: root + mode: "0755" + +- name: Ensure the ClamAV log directory exists. + ansible.builtin.file: + path: "{{ clamav.log_location }}" + state: directory + mode: '0755' + when: clamav.create_timer + +- name: Set up a ClamAV systemd timer. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + clamav_scan: + timer_command: "{{ clamav.scripts_location }}/clamscan" + timer_OnCalendar: "{{ clamav.on_calendar }}" + when: clamav.create_timer diff --git a/roles/clamav/templates/clamscan.j2 b/roles/debian/clamav/templates/clamscan.j2 similarity index 100% rename from roles/clamav/templates/clamscan.j2 rename to roles/debian/clamav/templates/clamscan.j2 diff --git a/roles/docker_ce/tasks/main.yml b/roles/debian/docker_ce/tasks/main.yml similarity index 100% rename from roles/docker_ce/tasks/main.yml rename to roles/debian/docker_ce/tasks/main.yml diff --git a/roles/docker_compose/defaults/main.yml b/roles/debian/docker_compose/defaults/main.yml similarity index 100% rename from roles/docker_compose/defaults/main.yml rename to roles/debian/docker_compose/defaults/main.yml diff --git a/roles/docker_compose/meta/main.yml b/roles/debian/docker_compose/meta/main.yml similarity index 100% rename from roles/docker_compose/meta/main.yml rename to roles/debian/docker_compose/meta/main.yml diff --git a/roles/docker_compose/tasks/main.yml b/roles/debian/docker_compose/tasks/main.yml similarity index 100% rename from roles/docker_compose/tasks/main.yml rename to roles/debian/docker_compose/tasks/main.yml 
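Review bot: in the new clamav tasks/main.yml the `clamscan` script is installed unconditionally but the `{{ clamav.log_location }}` directory is only created `when: clamav.create_timer`; with `create_timer: false` (the default) a host that runs the script by hand or from another scheduler has no log directory. Drop the `when` on the directory task. Minor: `mode` is quoted `'0755'` on the file tasks and `"0755"` on the template task; pick one style.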
diff --git a/roles/docker_registry/defaults/main.yml b/roles/debian/docker_registry/defaults/main.yml similarity index 100% rename from roles/docker_registry/defaults/main.yml rename to roles/debian/docker_registry/defaults/main.yml diff --git a/roles/docker_registry/meta/main.yml b/roles/debian/docker_registry/meta/main.yml similarity index 100% rename from roles/docker_registry/meta/main.yml rename to roles/debian/docker_registry/meta/main.yml diff --git a/roles/docker_registry/tasks/main.yml b/roles/debian/docker_registry/tasks/main.yml similarity index 100% rename from roles/docker_registry/tasks/main.yml rename to roles/debian/docker_registry/tasks/main.yml diff --git a/roles/docker_registry/templates/docker-compose.yml.j2 b/roles/debian/docker_registry/templates/docker-compose.yml.j2 similarity index 100% rename from roles/docker_registry/templates/docker-compose.yml.j2 rename to roles/debian/docker_registry/templates/docker-compose.yml.j2 diff --git a/roles/duplicity/defaults/main.yml b/roles/debian/duplicity/defaults/main.yml similarity index 69% rename from roles/duplicity/defaults/main.yml rename to roles/debian/duplicity/defaults/main.yml index 98fc178cc..603b7611e 100644 --- a/roles/duplicity/defaults/main.yml +++ b/roles/debian/duplicity/defaults/main.yml @@ -21,4 +21,6 @@ duplicity: install_dir: "/opt/duplicity" mail_recipient: "foo@bar.com" retention_period: "12M" - schedule: "0 0 * * *" + # systemd timer settings + create_timer: true # sometimes you might want to trigger duplicity some other way than a systemd timer + on_calendar: "*-*-* 03:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events diff --git a/roles/duplicity/meta/main.yml b/roles/debian/duplicity/meta/main.yml similarity index 100% rename from roles/duplicity/meta/main.yml rename to roles/debian/duplicity/meta/main.yml 
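Review bot: the duplicity defaults hunk removes the `schedule: "0 0 * * *"` key outright, so any inventory that still overrides `duplicity.schedule` silently falls back to `on_calendar: "*-*-* 03:30:00"` with no warning; an `ansible.builtin.assert` that `duplicity.schedule is not defined`, or at least a README note, would catch stale overrides.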
diff --git a/roles/duplicity/tasks/main.yml b/roles/debian/duplicity/tasks/main.yml similarity index 81% rename from roles/duplicity/tasks/main.yml rename to roles/debian/duplicity/tasks/main.yml index 2fa297dde..dbae642bd 100644 --- a/roles/duplicity/tasks/main.yml +++ b/roles/debian/duplicity/tasks/main.yml @@ -62,13 +62,16 @@ loop_control: loop_var: dir -- name: Copy Duplicity cron config. - ansible.builtin.template: - src: "duplicity-cron.j2" - dest: "/etc/cron.d/duplicity_cron" - owner: root - group: root - mode: 0644 +# @TODO - cannot currently send failure notifications - see https://github.com/codeenigma/ce-provision/issues/1215 +- name: Create systemd timer for Duplicity backup. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + duplicity_backup: + timer_command: /usr/local/bin/duplicity_backup + timer_OnCalendar: "{{ duplicity.on_calendar }}" + when: duplicity.create_timer - name: Trigger overrides ansible.builtin.include_role: diff --git a/roles/duplicity/templates/duplicity_backup.j2 b/roles/debian/duplicity/templates/duplicity_backup.j2 similarity index 100% rename from roles/duplicity/templates/duplicity_backup.j2 rename to roles/debian/duplicity/templates/duplicity_backup.j2 diff --git a/roles/duplicity/templates/duplicity_clean.j2 b/roles/debian/duplicity/templates/duplicity_clean.j2 similarity index 100% rename from roles/duplicity/templates/duplicity_clean.j2 rename to roles/debian/duplicity/templates/duplicity_clean.j2 diff --git a/roles/duplicity/templates/duplicity_restore.j2 b/roles/debian/duplicity/templates/duplicity_restore.j2 similarity index 100% rename from roles/duplicity/templates/duplicity_restore.j2 rename to roles/debian/duplicity/templates/duplicity_restore.j2 
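Review bot: `timer_command: /usr/local/bin/duplicity_backup` in the duplicity tasks hunk hard-codes the script path while the defaults in this same patch define `install_dir: "/opt/duplicity"`; if the script is installed under `install_dir` the timer points at a missing file, and either way the path should come from a variable rather than a literal. The `@TODO` on failure notifications (#1215) combined with `create_timer: true` as the default means backups can fail without anyone being told; call that gap out in the README until the issue is resolved.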
diff --git a/roles/duplicity/templates/include-exclude-filelist.j2 b/roles/debian/duplicity/templates/include-exclude-filelist.j2 similarity index 100% rename from roles/duplicity/templates/include-exclude-filelist.j2 rename to roles/debian/duplicity/templates/include-exclude-filelist.j2 diff --git a/roles/firewall_config/README.md b/roles/debian/firewall_config/README.md similarity index 100% rename from roles/firewall_config/README.md rename to roles/debian/firewall_config/README.md diff --git a/roles/firewall_config/defaults/main.yml b/roles/debian/firewall_config/defaults/main.yml similarity index 100% rename from roles/firewall_config/defaults/main.yml rename to roles/debian/firewall_config/defaults/main.yml diff --git a/roles/firewall_config/tasks/main.yml b/roles/debian/firewall_config/tasks/main.yml similarity index 100% rename from roles/firewall_config/tasks/main.yml rename to roles/debian/firewall_config/tasks/main.yml diff --git a/roles/frontail/README.md b/roles/debian/frontail/README.md similarity index 100% rename from roles/frontail/README.md rename to roles/debian/frontail/README.md diff --git a/roles/frontail/defaults/main.yml b/roles/debian/frontail/defaults/main.yml similarity index 100% rename from roles/frontail/defaults/main.yml rename to roles/debian/frontail/defaults/main.yml diff --git a/roles/frontail/meta/main.yml b/roles/debian/frontail/meta/main.yml similarity index 100% rename from roles/frontail/meta/main.yml rename to roles/debian/frontail/meta/main.yml diff --git a/roles/frontail/tasks/main.yml b/roles/debian/frontail/tasks/main.yml similarity index 100% rename from roles/frontail/tasks/main.yml rename to roles/debian/frontail/tasks/main.yml diff --git a/roles/frontail/templates/frontail.service.j2 b/roles/debian/frontail/templates/frontail.service.j2 similarity index 100% rename from roles/frontail/templates/frontail.service.j2 rename to roles/debian/frontail/templates/frontail.service.j2 
diff --git a/roles/gitlab/README.md b/roles/debian/gitlab/README.md similarity index 100% rename from roles/gitlab/README.md rename to roles/debian/gitlab/README.md diff --git a/roles/gitlab/defaults/main.yml b/roles/debian/gitlab/defaults/main.yml similarity index 100% rename from roles/gitlab/defaults/main.yml rename to roles/debian/gitlab/defaults/main.yml diff --git a/roles/gitlab/meta/main.yml b/roles/debian/gitlab/meta/main.yml similarity index 100% rename from roles/gitlab/meta/main.yml rename to roles/debian/gitlab/meta/main.yml diff --git a/roles/gitlab/tasks/main.yml b/roles/debian/gitlab/tasks/main.yml similarity index 100% rename from roles/gitlab/tasks/main.yml rename to roles/debian/gitlab/tasks/main.yml diff --git a/roles/gitlab/templates/docker-init.sh.j2 b/roles/debian/gitlab/templates/docker-init.sh.j2 similarity index 100% rename from roles/gitlab/templates/docker-init.sh.j2 rename to roles/debian/gitlab/templates/docker-init.sh.j2 diff --git a/roles/gitlab/templates/gitlab-config.rb.j2 b/roles/debian/gitlab/templates/gitlab-config.rb.j2 similarity index 100% rename from roles/gitlab/templates/gitlab-config.rb.j2 rename to roles/debian/gitlab/templates/gitlab-config.rb.j2 diff --git a/roles/gitlab/templates/gitlab.rb.j2 b/roles/debian/gitlab/templates/gitlab.rb.j2 similarity index 100% rename from roles/gitlab/templates/gitlab.rb.j2 rename to roles/debian/gitlab/templates/gitlab.rb.j2 diff --git a/roles/gitlab_runner/README.md b/roles/debian/gitlab_runner/README.md similarity index 100% rename from roles/gitlab_runner/README.md rename to roles/debian/gitlab_runner/README.md diff --git a/roles/gitlab_runner/defaults/main.yml b/roles/debian/gitlab_runner/defaults/main.yml similarity index 100% rename from roles/gitlab_runner/defaults/main.yml rename to roles/debian/gitlab_runner/defaults/main.yml 
diff --git a/roles/gitlab_runner/meta/main.yml b/roles/debian/gitlab_runner/meta/main.yml similarity index 100% rename from roles/gitlab_runner/meta/main.yml rename to roles/debian/gitlab_runner/meta/main.yml diff --git a/roles/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml similarity index 100% rename from roles/gitlab_runner/tasks/main.yml rename to roles/debian/gitlab_runner/tasks/main.yml diff --git a/roles/gitlab_runner/templates/fargate.toml.j2 b/roles/debian/gitlab_runner/templates/fargate.toml.j2 similarity index 100% rename from roles/gitlab_runner/templates/fargate.toml.j2 rename to roles/debian/gitlab_runner/templates/fargate.toml.j2 diff --git a/roles/gitlab_runner/templates/override.conf.j2 b/roles/debian/gitlab_runner/templates/override.conf.j2 similarity index 100% rename from roles/gitlab_runner/templates/override.conf.j2 rename to roles/debian/gitlab_runner/templates/override.conf.j2 diff --git a/roles/gpg_key/README.md b/roles/debian/gpg_key/README.md similarity index 100% rename from roles/gpg_key/README.md rename to roles/debian/gpg_key/README.md diff --git a/roles/gpg_key/defaults/main.yml b/roles/debian/gpg_key/defaults/main.yml similarity index 100% rename from roles/gpg_key/defaults/main.yml rename to roles/debian/gpg_key/defaults/main.yml diff --git a/roles/gpg_key/tasks/gpg.yml b/roles/debian/gpg_key/tasks/gpg.yml similarity index 100% rename from roles/gpg_key/tasks/gpg.yml rename to roles/debian/gpg_key/tasks/gpg.yml diff --git a/roles/gpg_key/tasks/main.yml b/roles/debian/gpg_key/tasks/main.yml similarity index 100% rename from roles/gpg_key/tasks/main.yml rename to roles/debian/gpg_key/tasks/main.yml diff --git a/roles/gpg_key/templates/gpg.j2 b/roles/debian/gpg_key/templates/gpg.j2 similarity index 100% rename from roles/gpg_key/templates/gpg.j2 rename to roles/debian/gpg_key/templates/gpg.j2 
diff --git a/roles/haproxy/README.md b/roles/debian/haproxy/README.md similarity index 100% rename from roles/haproxy/README.md rename to roles/debian/haproxy/README.md diff --git a/roles/haproxy/defaults/main.yml b/roles/debian/haproxy/defaults/main.yml similarity index 100% rename from roles/haproxy/defaults/main.yml rename to roles/debian/haproxy/defaults/main.yml diff --git a/roles/haproxy/tasks/main.yml b/roles/debian/haproxy/tasks/main.yml similarity index 100% rename from roles/haproxy/tasks/main.yml rename to roles/debian/haproxy/tasks/main.yml diff --git a/roles/haproxy/templates/haproxy-ssl-passthru.cfg.j2 b/roles/debian/haproxy/templates/haproxy-ssl-passthru.cfg.j2 similarity index 100% rename from roles/haproxy/templates/haproxy-ssl-passthru.cfg.j2 rename to roles/debian/haproxy/templates/haproxy-ssl-passthru.cfg.j2 diff --git a/roles/haproxy/templates/haproxy-ssl-terminate.cfg.j2 b/roles/debian/haproxy/templates/haproxy-ssl-terminate.cfg.j2 similarity index 100% rename from roles/haproxy/templates/haproxy-ssl-terminate.cfg.j2 rename to roles/debian/haproxy/templates/haproxy-ssl-terminate.cfg.j2 diff --git a/roles/haproxy/templates/startup.sh.j2 b/roles/debian/haproxy/templates/startup.sh.j2 similarity index 100% rename from roles/haproxy/templates/startup.sh.j2 rename to roles/debian/haproxy/templates/startup.sh.j2 diff --git a/roles/hosts/README.md b/roles/debian/hosts/README.md similarity index 100% rename from roles/hosts/README.md rename to roles/debian/hosts/README.md diff --git a/roles/hosts/defaults/main.yml b/roles/debian/hosts/defaults/main.yml similarity index 100% rename from roles/hosts/defaults/main.yml rename to roles/debian/hosts/defaults/main.yml diff --git a/roles/hosts/handlers/main.yml b/roles/debian/hosts/handlers/main.yml similarity index 100% rename from roles/hosts/handlers/main.yml rename to roles/debian/hosts/handlers/main.yml 
diff --git a/roles/hosts/tasks/main.yml b/roles/debian/hosts/tasks/main.yml similarity index 100% rename from roles/hosts/tasks/main.yml rename to roles/debian/hosts/tasks/main.yml diff --git a/roles/hosts/templates/etc_hosts.j2 b/roles/debian/hosts/templates/etc_hosts.j2 similarity index 100% rename from roles/hosts/templates/etc_hosts.j2 rename to roles/debian/hosts/templates/etc_hosts.j2 diff --git a/roles/hosts/templates/hostname.j2 b/roles/debian/hosts/templates/hostname.j2 similarity index 100% rename from roles/hosts/templates/hostname.j2 rename to roles/debian/hosts/templates/hostname.j2 diff --git a/roles/hosts/vars/main.yml b/roles/debian/hosts/vars/main.yml similarity index 100% rename from roles/hosts/vars/main.yml rename to roles/debian/hosts/vars/main.yml diff --git a/roles/jenkins/README.md b/roles/debian/jenkins/README.md similarity index 81% rename from roles/jenkins/README.md rename to roles/debian/jenkins/README.md index 64a10778e..c4bc917dc 100644 --- a/roles/jenkins/README.md +++ b/roles/debian/jenkins/README.md @@ -35,6 +35,8 @@ jenkins: ldap_binddn: "{{ ldap_client.binddn }}" ldap_bindpw: "{{ ldap_client.bindpw }}" mailto: "admins@example.com" + # daily key renewal execution with systemd timer + on_calendar: "*-*-* 02:15:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/roles/jenkins/defaults/main.yml b/roles/debian/jenkins/defaults/main.yml similarity index 79% rename from roles/jenkins/defaults/main.yml rename to roles/debian/jenkins/defaults/main.yml index 402e221b9..34cc855e5 100644 --- a/roles/jenkins/defaults/main.yml +++ b/roles/debian/jenkins/defaults/main.yml 
@@ -27,3 +27,5 @@ jenkins: ldap_binddn: "{{ ldap_client.binddn }}" ldap_bindpw: "{{ ldap_client.bindpw }}" mailto: "admins@example.com" + # daily key renewal execution with systemd timer + on_calendar: "*-*-* 02:15:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events diff --git a/roles/jenkins/handlers/main.yml b/roles/debian/jenkins/handlers/main.yml similarity index 100% rename from roles/jenkins/handlers/main.yml rename to roles/debian/jenkins/handlers/main.yml diff --git a/roles/jenkins/meta/main.yml b/roles/debian/jenkins/meta/main.yml similarity index 100% rename from roles/jenkins/meta/main.yml rename to roles/debian/jenkins/meta/main.yml diff --git a/roles/jenkins/tasks/main.yml b/roles/debian/jenkins/tasks/main.yml similarity index 90% rename from roles/jenkins/tasks/main.yml rename to roles/debian/jenkins/tasks/main.yml index adce37e62..24d1ff47e 100644 --- a/roles/jenkins/tasks/main.yml +++ b/roles/debian/jenkins/tasks/main.yml @@ -106,12 +106,23 @@ validate_certs: false dest: /opt/jenkins-cli.jar -- name: Add Jenkins cert renewal job. +- name: Add Jenkins cert renewal script. ansible.builtin.template: src: "jenkins-cert-renewal.sh.j2" - dest: /etc/cron.daily/jenkins-cert-renewal + dest: /usr/local/sbin/jenkins-cert-renewal + owner: root + group: root mode: 0755 +- name: Create systemd timer for Jenkins cert renewal. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + jenkins_cert_renewal: + timer_command: /usr/local/sbin/jenkins-cert-renewal + timer_OnCalendar: "{{ jenkins.on_calendar }}" + - name: Install Jenkins Plugins. ansible.builtin.command: "java -jar /opt/jenkins-cli.jar -auth {{ jenkins.adminuser }}:{{ jenkins.adminpass }} -noCertificateCheck -s https://localhost:{{ jenkins.listen_https_port }}/ install-plugin {{ jenkins.plugins | join(' ') }}" become: true 
diff --git a/roles/jenkins/templates/basic-security.groovy.j2 b/roles/debian/jenkins/templates/basic-security.groovy.j2 similarity index 100% rename from roles/jenkins/templates/basic-security.groovy.j2 rename to roles/debian/jenkins/templates/basic-security.groovy.j2 diff --git a/roles/jenkins/templates/jenkins-cert-renewal.sh.j2 b/roles/debian/jenkins/templates/jenkins-cert-renewal.sh.j2 similarity index 100% rename from roles/jenkins/templates/jenkins-cert-renewal.sh.j2 rename to roles/debian/jenkins/templates/jenkins-cert-renewal.sh.j2 diff --git a/roles/jenkins/templates/jenkins.j2 b/roles/debian/jenkins/templates/jenkins.j2 similarity index 100% rename from roles/jenkins/templates/jenkins.j2 rename to roles/debian/jenkins/templates/jenkins.j2 diff --git a/roles/jitsi/README.md b/roles/debian/jitsi/README.md similarity index 100% rename from roles/jitsi/README.md rename to roles/debian/jitsi/README.md diff --git a/roles/jitsi/defaults/main.yml b/roles/debian/jitsi/defaults/main.yml similarity index 100% rename from roles/jitsi/defaults/main.yml rename to roles/debian/jitsi/defaults/main.yml diff --git a/roles/jitsi/tasks/main.yml b/roles/debian/jitsi/tasks/main.yml similarity index 100% rename from roles/jitsi/tasks/main.yml rename to roles/debian/jitsi/tasks/main.yml diff --git a/roles/ldap_server/README.md b/roles/debian/ldap_server/README.md similarity index 97% rename from roles/ldap_server/README.md rename to roles/debian/ldap_server/README.md index 970857bec..7fb78adfb 100644 --- a/roles/ldap_server/README.md +++ b/roles/debian/ldap_server/README.md 
@@ -82,8 +82,7 @@ ldap_server: purge: false backup: false # set to true to create local backups of LDAP backup_path: /opt/slap-bak - backup_minute: "45" - backup_hour: "23" + on_calendar: "*-*-* 23:45:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events # TLS settings in LDAP are not separately handled, you need to manually set it up or use the config import feature. # If you use 'manual' SSL handling you need to provide a separate CA certificate. # If you use 'letsencrypt' SSL handling then the LDAP TLS settings in your imported config should be as follows: diff --git a/roles/ldap_server/defaults/main.yml b/roles/debian/ldap_server/defaults/main.yml similarity index 94% rename from roles/ldap_server/defaults/main.yml rename to roles/debian/ldap_server/defaults/main.yml index f75ce410f..981d6b995 100644 --- a/roles/ldap_server/defaults/main.yml +++ b/roles/debian/ldap_server/defaults/main.yml @@ -16,8 +16,7 @@ ldap_server: purge: false backup: false # set to true to create local backups of LDAP backup_path: /opt/slap-bak - backup_minute: "45" - backup_hour: "23" + on_calendar: "*-*-* 23:45:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events # TLS settings in LDAP are not separately handled, you need to manually set it up or use the config import feature. # If you use 'manual' SSL handling you need to provide a separate CA certificate. # If you use 'letsencrypt' SSL handling then the LDAP TLS settings in your imported config should be as follows: diff --git a/roles/debian/ldap_server/meta/main.yml b/roles/debian/ldap_server/meta/main.yml new file mode 100644 index 000000000..551567003 --- /dev/null +++ b/roles/debian/ldap_server/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: debian/python_common 
diff --git a/roles/ldap_server/tasks/main.yml b/roles/debian/ldap_server/tasks/main.yml similarity index 90% rename from roles/ldap_server/tasks/main.yml rename to roles/debian/ldap_server/tasks/main.yml index b85cbcdfd..e8c24d13c 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/debian/ldap_server/tasks/main.yml @@ -1,11 +1,4 @@ --- -# cron is not necessarily installed by default. -- name: Ensure cron is installed. - ansible.builtin.apt: - name: cron - state: present - update_cache: true - - name: Stop slapd service. ansible.builtin.include_role: name: process_manager @@ -190,12 +183,12 @@ mode: 0755 when: ldap_server.config.backup -- name: Create cron job for slapd backups. - ansible.builtin.cron: - name: "ldap backup" - minute: "{{ ldap_server.config.backup_minute }}" - hour: "{{ ldap_server.config.backup_hour }}" - job: "/usr/local/bin/slap-bak && find /opt/slap-bak/ -type f -mtime +60 -print0 | xargs -0 -r rm" - cron_file: slapd-backup - user: root - when: ldap_server.config.backup +- name: Create systemd timer for slapd backups. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + slapd_backups: + timer_command: "/usr/local/bin/slap-bak && find /opt/slap-bak/ -type f -mtime +60 -print0 | xargs -0 -r rm" + timer_OnCalendar: "{{ ldap_server.config.on_calendar }}" + when: ssl.autorenew diff --git a/roles/ldap_server/tasks/replication.yml b/roles/debian/ldap_server/tasks/replication.yml similarity index 100% rename from roles/ldap_server/tasks/replication.yml rename to roles/debian/ldap_server/tasks/replication.yml diff --git a/roles/ldap_server/templates/slap-bak.j2 b/roles/debian/ldap_server/templates/slap-bak.j2 similarity index 100% rename from roles/ldap_server/templates/slap-bak.j2 rename to roles/debian/ldap_server/templates/slap-bak.j2 
diff --git a/roles/ldap_server/templates/slapd.j2 b/roles/debian/ldap_server/templates/slapd.j2 similarity index 100% rename from roles/ldap_server/templates/slapd.j2 rename to roles/debian/ldap_server/templates/slapd.j2 diff --git a/roles/lhci/README.md b/roles/debian/lhci/README.md similarity index 100% rename from roles/lhci/README.md rename to roles/debian/lhci/README.md diff --git a/roles/lhci/defaults/main.yml b/roles/debian/lhci/defaults/main.yml similarity index 100% rename from roles/lhci/defaults/main.yml rename to roles/debian/lhci/defaults/main.yml diff --git a/roles/lhci/meta/main.yml b/roles/debian/lhci/meta/main.yml similarity index 100% rename from roles/lhci/meta/main.yml rename to roles/debian/lhci/meta/main.yml diff --git a/roles/lhci/tasks/main.yml b/roles/debian/lhci/tasks/main.yml similarity index 100% rename from roles/lhci/tasks/main.yml rename to roles/debian/lhci/tasks/main.yml diff --git a/roles/locales/defaults/main.yml b/roles/debian/locales/defaults/main.yml similarity index 100% rename from roles/locales/defaults/main.yml rename to roles/debian/locales/defaults/main.yml diff --git a/roles/locales/tasks/main.yml b/roles/debian/locales/tasks/main.yml similarity index 100% rename from roles/locales/tasks/main.yml rename to roles/debian/locales/tasks/main.yml diff --git a/roles/locales/templates/locale.gen.j2 b/roles/debian/locales/templates/locale.gen.j2 similarity index 100% rename from roles/locales/templates/locale.gen.j2 rename to roles/debian/locales/templates/locale.gen.j2 diff --git a/roles/locales/templates/locale.j2 b/roles/debian/locales/templates/locale.j2 similarity index 100% rename from roles/locales/templates/locale.j2 rename to roles/debian/locales/templates/locale.j2 diff --git a/roles/memcached/defaults/main.yml b/roles/debian/memcached/defaults/main.yml similarity index 100% rename from roles/memcached/defaults/main.yml rename to roles/debian/memcached/defaults/main.yml 
diff --git a/roles/memcached/tasks/main.yml b/roles/debian/memcached/tasks/main.yml similarity index 100% rename from roles/memcached/tasks/main.yml rename to roles/debian/memcached/tasks/main.yml diff --git a/roles/memcached/templates/memcached.conf.j2 b/roles/debian/memcached/templates/memcached.conf.j2 similarity index 100% rename from roles/memcached/templates/memcached.conf.j2 rename to roles/debian/memcached/templates/memcached.conf.j2 diff --git a/roles/memcached/templates/startup.sh.j2 b/roles/debian/memcached/templates/startup.sh.j2 similarity index 100% rename from roles/memcached/templates/startup.sh.j2 rename to roles/debian/memcached/templates/startup.sh.j2 diff --git a/roles/mount_sync/README.md b/roles/debian/mount_sync/README.md similarity index 100% rename from roles/mount_sync/README.md rename to roles/debian/mount_sync/README.md diff --git a/roles/mount_sync/defaults/main.yml b/roles/debian/mount_sync/defaults/main.yml similarity index 100% rename from roles/mount_sync/defaults/main.yml rename to roles/debian/mount_sync/defaults/main.yml diff --git a/roles/mount_sync/meta/main.yml b/roles/debian/mount_sync/meta/main.yml similarity index 100% rename from roles/mount_sync/meta/main.yml rename to roles/debian/mount_sync/meta/main.yml diff --git a/roles/mount_sync/tasks/main.yml b/roles/debian/mount_sync/tasks/main.yml similarity index 100% rename from roles/mount_sync/tasks/main.yml rename to roles/debian/mount_sync/tasks/main.yml diff --git a/roles/mount_sync/templates/init-squashfs.sh.j2 b/roles/debian/mount_sync/templates/init-squashfs.sh.j2 similarity index 100% rename from roles/mount_sync/templates/init-squashfs.sh.j2 rename to roles/debian/mount_sync/templates/init-squashfs.sh.j2 diff --git a/roles/mount_sync/templates/init-tarballs.sh.j2 b/roles/debian/mount_sync/templates/init-tarballs.sh.j2 similarity index 100% rename from roles/mount_sync/templates/init-tarballs.sh.j2 rename to roles/debian/mount_sync/templates/init-tarballs.sh.j2 
diff --git a/roles/mysql_client/README.md b/roles/debian/mysql_client/README.md similarity index 100% rename from roles/mysql_client/README.md rename to roles/debian/mysql_client/README.md diff --git a/roles/mysql_client/defaults/main.yml b/roles/debian/mysql_client/defaults/main.yml similarity index 100% rename from roles/mysql_client/defaults/main.yml rename to roles/debian/mysql_client/defaults/main.yml diff --git a/roles/debian/mysql_client/meta/main.yml b/roles/debian/mysql_client/meta/main.yml new file mode 100644 index 000000000..551567003 --- /dev/null +++ b/roles/debian/mysql_client/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: debian/python_common diff --git a/roles/mysql_client/tasks/main.yml b/roles/debian/mysql_client/tasks/main.yml similarity index 100% rename from roles/mysql_client/tasks/main.yml rename to roles/debian/mysql_client/tasks/main.yml diff --git a/roles/mysql_client/templates/mysql.creds.j2 b/roles/debian/mysql_client/templates/mysql.creds.j2 similarity index 100% rename from roles/mysql_client/templates/mysql.creds.j2 rename to roles/debian/mysql_client/templates/mysql.creds.j2 diff --git a/roles/mysql_server_oracle_ce/defaults/main.yml b/roles/debian/mysql_server_mariadb/defaults/main.yml similarity index 100% rename from roles/mysql_server_oracle_ce/defaults/main.yml rename to roles/debian/mysql_server_mariadb/defaults/main.yml diff --git a/roles/mysql_server_mariadb/tasks/main.yml b/roles/debian/mysql_server_mariadb/tasks/main.yml similarity index 100% rename from roles/mysql_server_mariadb/tasks/main.yml rename to roles/debian/mysql_server_mariadb/tasks/main.yml diff --git a/roles/mysql_server_mariadb/templates/mysql_dev.cnf.j2 b/roles/debian/mysql_server_mariadb/templates/mysql_dev.cnf.j2 similarity index 100% rename from roles/mysql_server_mariadb/templates/mysql_dev.cnf.j2 rename to roles/debian/mysql_server_mariadb/templates/mysql_dev.cnf.j2 
diff --git a/roles/mysql_server_oracle_ce/README.md b/roles/debian/mysql_server_oracle_ce/README.md similarity index 100% rename from roles/mysql_server_oracle_ce/README.md rename to roles/debian/mysql_server_oracle_ce/README.md diff --git a/roles/debian/mysql_server_oracle_ce/defaults/main.yml b/roles/debian/mysql_server_oracle_ce/defaults/main.yml new file mode 100644 index 000000000..67c066cf6 --- /dev/null +++ b/roles/debian/mysql_server_oracle_ce/defaults/main.yml @@ -0,0 +1,4 @@ +--- +mysql_long_query_time: 4 +mysql_server_oracle_ce_key: "8C718D3B5072E1F5" # archive key - see https://dev.mysql.com/doc/refman/8.0/en/gpg-key-archived-packages.html +mysql_server_oracle_ce_key_server: pgp.mit.edu \ No newline at end of file diff --git a/roles/mysql_server_oracle_ce/tasks/main.yml b/roles/debian/mysql_server_oracle_ce/tasks/main.yml similarity index 100% rename from roles/mysql_server_oracle_ce/tasks/main.yml rename to roles/debian/mysql_server_oracle_ce/tasks/main.yml diff --git a/roles/mysql_server_oracle_ce/templates/mysql.pref.j2 b/roles/debian/mysql_server_oracle_ce/templates/mysql.pref.j2 similarity index 100% rename from roles/mysql_server_oracle_ce/templates/mysql.pref.j2 rename to roles/debian/mysql_server_oracle_ce/templates/mysql.pref.j2 diff --git a/roles/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 b/roles/debian/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 similarity index 100% rename from roles/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 rename to roles/debian/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 diff --git a/roles/mysql_server_oracle_ce/templates/startup.sh.j2 b/roles/debian/mysql_server_oracle_ce/templates/startup.sh.j2 similarity index 100% rename from roles/mysql_server_oracle_ce/templates/startup.sh.j2 rename to roles/debian/mysql_server_oracle_ce/templates/startup.sh.j2 
diff --git a/roles/nginx/README.md b/roles/debian/nginx/README.md similarity index 100% rename from roles/nginx/README.md rename to roles/debian/nginx/README.md diff --git a/roles/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml similarity index 100% rename from roles/nginx/defaults/main.yml rename to roles/debian/nginx/defaults/main.yml diff --git a/roles/debian/nginx/meta/main.yml b/roles/debian/nginx/meta/main.yml new file mode 100644 index 000000000..551567003 --- /dev/null +++ b/roles/debian/nginx/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: debian/python_common diff --git a/roles/nginx/tasks/domain.yml b/roles/debian/nginx/tasks/domain.yml similarity index 100% rename from roles/nginx/tasks/domain.yml rename to roles/debian/nginx/tasks/domain.yml diff --git a/roles/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml similarity index 100% rename from roles/nginx/tasks/main.yml rename to roles/debian/nginx/tasks/main.yml diff --git a/roles/nginx/templates/_common.j2 b/roles/debian/nginx/templates/_common.j2 similarity index 100% rename from roles/nginx/templates/_common.j2 rename to roles/debian/nginx/templates/_common.j2 diff --git a/roles/nginx/templates/cloudwatch-main.json.j2 b/roles/debian/nginx/templates/cloudwatch-main.json.j2 similarity index 100% rename from roles/nginx/templates/cloudwatch-main.json.j2 rename to roles/debian/nginx/templates/cloudwatch-main.json.j2 diff --git a/roles/nginx/templates/cloudwatch-vhost.json.j2 b/roles/debian/nginx/templates/cloudwatch-vhost.json.j2 similarity index 100% rename from roles/nginx/templates/cloudwatch-vhost.json.j2 rename to roles/debian/nginx/templates/cloudwatch-vhost.json.j2 diff --git a/roles/nginx/templates/custom.j2 b/roles/debian/nginx/templates/custom.j2 similarity index 100% rename from roles/nginx/templates/custom.j2 rename to roles/debian/nginx/templates/custom.j2 
diff --git a/roles/nginx/templates/docker_registry.j2 b/roles/debian/nginx/templates/docker_registry.j2 similarity index 100% rename from roles/nginx/templates/docker_registry.j2 rename to roles/debian/nginx/templates/docker_registry.j2 diff --git a/roles/nginx/templates/drupal10.j2 b/roles/debian/nginx/templates/drupal10.j2 similarity index 100% rename from roles/nginx/templates/drupal10.j2 rename to roles/debian/nginx/templates/drupal10.j2 diff --git a/roles/nginx/templates/drupal7.j2 b/roles/debian/nginx/templates/drupal7.j2 similarity index 100% rename from roles/nginx/templates/drupal7.j2 rename to roles/debian/nginx/templates/drupal7.j2 diff --git a/roles/nginx/templates/drupal8.j2 b/roles/debian/nginx/templates/drupal8.j2 similarity index 100% rename from roles/nginx/templates/drupal8.j2 rename to roles/debian/nginx/templates/drupal8.j2 diff --git a/roles/nginx/templates/drupal_common.j2 b/roles/debian/nginx/templates/drupal_common.j2 similarity index 100% rename from roles/nginx/templates/drupal_common.j2 rename to roles/debian/nginx/templates/drupal_common.j2 diff --git a/roles/nginx/templates/flat.j2 b/roles/debian/nginx/templates/flat.j2 similarity index 100% rename from roles/nginx/templates/flat.j2 rename to roles/debian/nginx/templates/flat.j2 diff --git a/roles/nginx/templates/maintenance-vhosts.j2 b/roles/debian/nginx/templates/maintenance-vhosts.j2 similarity index 100% rename from roles/nginx/templates/maintenance-vhosts.j2 rename to roles/debian/nginx/templates/maintenance-vhosts.j2 diff --git a/roles/nginx/templates/maintenance.html.j2 b/roles/debian/nginx/templates/maintenance.html.j2 similarity index 100% rename from roles/nginx/templates/maintenance.html.j2 rename to roles/debian/nginx/templates/maintenance.html.j2 diff --git a/roles/nginx/templates/matomo.j2 b/roles/debian/nginx/templates/matomo.j2 similarity index 100% rename from roles/nginx/templates/matomo.j2 rename to roles/debian/nginx/templates/matomo.j2 
diff --git a/roles/nginx/templates/mautic.j2 b/roles/debian/nginx/templates/mautic.j2 similarity index 100% rename from roles/nginx/templates/mautic.j2 rename to roles/debian/nginx/templates/mautic.j2 diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/debian/nginx/templates/nginx.conf.j2 similarity index 100% rename from roles/nginx/templates/nginx.conf.j2 rename to roles/debian/nginx/templates/nginx.conf.j2 diff --git a/roles/nginx/templates/proxy.j2 b/roles/debian/nginx/templates/proxy.j2 similarity index 100% rename from roles/nginx/templates/proxy.j2 rename to roles/debian/nginx/templates/proxy.j2 diff --git a/roles/nginx/templates/simplesamlphp.j2 b/roles/debian/nginx/templates/simplesamlphp.j2 similarity index 100% rename from roles/nginx/templates/simplesamlphp.j2 rename to roles/debian/nginx/templates/simplesamlphp.j2 diff --git a/roles/nginx/templates/symfony3.j2 b/roles/debian/nginx/templates/symfony3.j2 similarity index 100% rename from roles/nginx/templates/symfony3.j2 rename to roles/debian/nginx/templates/symfony3.j2 diff --git a/roles/nginx/templates/symfony4.j2 b/roles/debian/nginx/templates/symfony4.j2 similarity index 100% rename from roles/nginx/templates/symfony4.j2 rename to roles/debian/nginx/templates/symfony4.j2 diff --git a/roles/nginx/templates/vhost_letsencrypt.j2 b/roles/debian/nginx/templates/vhost_letsencrypt.j2 similarity index 100% rename from roles/nginx/templates/vhost_letsencrypt.j2 rename to roles/debian/nginx/templates/vhost_letsencrypt.j2 diff --git a/roles/nginx/templates/vhosts.j2 b/roles/debian/nginx/templates/vhosts.j2 similarity index 100% rename from roles/nginx/templates/vhosts.j2 rename to roles/debian/nginx/templates/vhosts.j2 diff --git a/roles/nginx/templates/wordpress.j2 b/roles/debian/nginx/templates/wordpress.j2 similarity index 100% rename from roles/nginx/templates/wordpress.j2 rename to roles/debian/nginx/templates/wordpress.j2 
diff --git a/roles/nodejs/README.md b/roles/debian/nodejs/README.md similarity index 100% rename from roles/nodejs/README.md rename to roles/debian/nodejs/README.md diff --git a/roles/nodejs/defaults/main.yml b/roles/debian/nodejs/defaults/main.yml similarity index 100% rename from roles/nodejs/defaults/main.yml rename to roles/debian/nodejs/defaults/main.yml diff --git a/roles/nodejs/meta/main.yml b/roles/debian/nodejs/meta/main.yml similarity index 100% rename from roles/nodejs/meta/main.yml rename to roles/debian/nodejs/meta/main.yml diff --git a/roles/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml similarity index 100% rename from roles/nodejs/tasks/main.yml rename to roles/debian/nodejs/tasks/main.yml diff --git a/roles/nodejs/templates/nodesource.pref.j2 b/roles/debian/nodejs/templates/nodesource.pref.j2 similarity index 100% rename from roles/nodejs/templates/nodesource.pref.j2 rename to roles/debian/nodejs/templates/nodesource.pref.j2 diff --git a/roles/openjdk/defaults/main.yml b/roles/debian/openjdk/defaults/main.yml similarity index 100% rename from roles/openjdk/defaults/main.yml rename to roles/debian/openjdk/defaults/main.yml diff --git a/roles/openjdk/tasks/main.yml b/roles/debian/openjdk/tasks/main.yml similarity index 100% rename from roles/openjdk/tasks/main.yml rename to roles/debian/openjdk/tasks/main.yml diff --git a/roles/openvpn_config/README.md b/roles/debian/openvpn_config/README.md similarity index 100% rename from roles/openvpn_config/README.md rename to roles/debian/openvpn_config/README.md diff --git a/roles/openvpn_config/defaults/main.yml b/roles/debian/openvpn_config/defaults/main.yml similarity index 100% rename from roles/openvpn_config/defaults/main.yml rename to roles/debian/openvpn_config/defaults/main.yml 
diff --git a/roles/openvpn_config/tasks/main.yml b/roles/debian/openvpn_config/tasks/main.yml similarity index 100% rename from roles/openvpn_config/tasks/main.yml rename to roles/debian/openvpn_config/tasks/main.yml diff --git a/roles/openvpn_config/templates/auth-ldap.conf.j2 b/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 similarity index 100% rename from roles/openvpn_config/templates/auth-ldap.conf.j2 rename to roles/debian/openvpn_config/templates/auth-ldap.conf.j2 diff --git a/roles/openvpn_config/templates/openvpn.j2 b/roles/debian/openvpn_config/templates/openvpn.j2 similarity index 100% rename from roles/openvpn_config/templates/openvpn.j2 rename to roles/debian/openvpn_config/templates/openvpn.j2 diff --git a/roles/openvpn_config/templates/vars.j2 b/roles/debian/openvpn_config/templates/vars.j2 similarity index 100% rename from roles/openvpn_config/templates/vars.j2 rename to roles/debian/openvpn_config/templates/vars.j2 diff --git a/roles/ossec/README.md b/roles/debian/ossec/README.md similarity index 100% rename from roles/ossec/README.md rename to roles/debian/ossec/README.md diff --git a/roles/ossec/defaults/main.yml b/roles/debian/ossec/defaults/main.yml similarity index 100% rename from roles/ossec/defaults/main.yml rename to roles/debian/ossec/defaults/main.yml diff --git a/roles/ossec/files/local_rules.xml b/roles/debian/ossec/files/local_rules.xml similarity index 100% rename from roles/ossec/files/local_rules.xml rename to roles/debian/ossec/files/local_rules.xml diff --git a/roles/ossec/files/ossec-client-logrotate b/roles/debian/ossec/files/ossec-client-logrotate similarity index 100% rename from roles/ossec/files/ossec-client-logrotate rename to roles/debian/ossec/files/ossec-client-logrotate diff --git a/roles/ossec/handlers/main.yml b/roles/debian/ossec/handlers/main.yml similarity index 100% rename from roles/ossec/handlers/main.yml rename to roles/debian/ossec/handlers/main.yml 
diff --git a/roles/ossec/tasks/main.yml b/roles/debian/ossec/tasks/main.yml similarity index 100% rename from roles/ossec/tasks/main.yml rename to roles/debian/ossec/tasks/main.yml diff --git a/roles/ossec/tasks/ossec-client.yml b/roles/debian/ossec/tasks/ossec-client.yml similarity index 100% rename from roles/ossec/tasks/ossec-client.yml rename to roles/debian/ossec/tasks/ossec-client.yml diff --git a/roles/ossec/tasks/ossec-server.yml b/roles/debian/ossec/tasks/ossec-server.yml similarity index 71% rename from roles/ossec/tasks/ossec-server.yml rename to roles/debian/ossec/tasks/ossec-server.yml index 6aa60b26a..62ec8e174 100644 --- a/roles/ossec/tasks/ossec-server.yml +++ b/roles/debian/ossec/tasks/ossec-server.yml @@ -7,15 +7,17 @@ state: present update_cache: true -- name: Set ossec-watchdog cron - ansible.builtin.copy: - src: "ossec-watchdog-cron" - dest: "/etc/cron.d/ossec_watchdog" - owner: root - group: root - mode: "0644" +# systemd timer that starts the ossec-watchdog 1 minute after server start up +- name: Set ossec-watchdog systemd timer. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + ossec_watchdog: + timer_command: "nohup /usr/local/bin/ossec-watchdog > /tmp/ossec-watchdog.log" + timer_OnStartupSec: 1m -- name: Set ossec-watchdog script +- name: Set ossec-watchdog script. ansible.builtin.template: src: "ossec_watchdog.j2" dest: "/usr/local/bin/ossec-watchdog" @@ -23,7 +25,7 @@ group: root mode: "0755" -- name: Copy OSSEC rules +- name: Copy OSSEC rules. ansible.builtin.copy: src: "{{ item }}" dest: "/var/ossec/rules/" diff --git a/roles/ossec/templates/authd.pass.j2 b/roles/debian/ossec/templates/authd.pass.j2 similarity index 100% rename from roles/ossec/templates/authd.pass.j2 rename to roles/debian/ossec/templates/authd.pass.j2 
diff --git a/roles/ossec/templates/ossec.conf.j2 b/roles/debian/ossec/templates/ossec.conf.j2 similarity index 100% rename from roles/ossec/templates/ossec.conf.j2 rename to roles/debian/ossec/templates/ossec.conf.j2 diff --git a/roles/ossec/templates/ossec_watchdog.j2 b/roles/debian/ossec/templates/ossec_watchdog.j2 similarity index 100% rename from roles/ossec/templates/ossec_watchdog.j2 rename to roles/debian/ossec/templates/ossec_watchdog.j2 diff --git a/roles/packer/README.md b/roles/debian/packer/README.md similarity index 100% rename from roles/packer/README.md rename to roles/debian/packer/README.md diff --git a/roles/packer/defaults/main.yml b/roles/debian/packer/defaults/main.yml similarity index 100% rename from roles/packer/defaults/main.yml rename to roles/debian/packer/defaults/main.yml diff --git a/roles/packer/tasks/main.yml b/roles/debian/packer/tasks/main.yml similarity index 100% rename from roles/packer/tasks/main.yml rename to roles/debian/packer/tasks/main.yml diff --git a/roles/pam_ldap/defaults/main.yml b/roles/debian/pam_ldap/defaults/main.yml similarity index 100% rename from roles/pam_ldap/defaults/main.yml rename to roles/debian/pam_ldap/defaults/main.yml diff --git a/roles/pam_ldap/files/common-account b/roles/debian/pam_ldap/files/common-account similarity index 100% rename from roles/pam_ldap/files/common-account rename to roles/debian/pam_ldap/files/common-account diff --git a/roles/pam_ldap/files/common-auth b/roles/debian/pam_ldap/files/common-auth similarity index 100% rename from roles/pam_ldap/files/common-auth rename to roles/debian/pam_ldap/files/common-auth diff --git a/roles/pam_ldap/files/common-password b/roles/debian/pam_ldap/files/common-password similarity index 100% rename from roles/pam_ldap/files/common-password rename to roles/debian/pam_ldap/files/common-password 
diff --git a/roles/pam_ldap/files/common-session b/roles/debian/pam_ldap/files/common-session similarity index 100% rename from roles/pam_ldap/files/common-session rename to roles/debian/pam_ldap/files/common-session diff --git a/roles/pam_ldap/files/common-session-noninteractive b/roles/debian/pam_ldap/files/common-session-noninteractive similarity index 100% rename from roles/pam_ldap/files/common-session-noninteractive rename to roles/debian/pam_ldap/files/common-session-noninteractive diff --git a/roles/pam_ldap/tasks/main.yml b/roles/debian/pam_ldap/tasks/main.yml similarity index 100% rename from roles/pam_ldap/tasks/main.yml rename to roles/debian/pam_ldap/tasks/main.yml diff --git a/roles/pam_ldap/templates/ldap-bindpw.j2 b/roles/debian/pam_ldap/templates/ldap-bindpw.j2 similarity index 100% rename from roles/pam_ldap/templates/ldap-bindpw.j2 rename to roles/debian/pam_ldap/templates/ldap-bindpw.j2 diff --git a/roles/pam_ldap/templates/ldap.conf.j2 b/roles/debian/pam_ldap/templates/ldap.conf.j2 similarity index 100% rename from roles/pam_ldap/templates/ldap.conf.j2 rename to roles/debian/pam_ldap/templates/ldap.conf.j2 diff --git a/roles/pam_ldap/templates/nslcd.conf.j2 b/roles/debian/pam_ldap/templates/nslcd.conf.j2 similarity index 100% rename from roles/pam_ldap/templates/nslcd.conf.j2 rename to roles/debian/pam_ldap/templates/nslcd.conf.j2 diff --git a/roles/pam_ldap/templates/nsswitch.conf.j2 b/roles/debian/pam_ldap/templates/nsswitch.conf.j2 similarity index 100% rename from roles/pam_ldap/templates/nsswitch.conf.j2 rename to roles/debian/pam_ldap/templates/nsswitch.conf.j2 diff --git a/roles/pam_ldap/templates/ssh-getkey-ldap-wrapper.sh.j2 b/roles/debian/pam_ldap/templates/ssh-getkey-ldap-wrapper.sh.j2 similarity index 100% rename from roles/pam_ldap/templates/ssh-getkey-ldap-wrapper.sh.j2 rename to roles/debian/pam_ldap/templates/ssh-getkey-ldap-wrapper.sh.j2 
diff --git a/roles/pam_ldap/templates/sudo-ldap.conf.j2 b/roles/debian/pam_ldap/templates/sudo-ldap.conf.j2 similarity index 100% rename from roles/pam_ldap/templates/sudo-ldap.conf.j2 rename to roles/debian/pam_ldap/templates/sudo-ldap.conf.j2 diff --git a/roles/pam_linotp/defaults/main.yml b/roles/debian/pam_linotp/defaults/main.yml similarity index 100% rename from roles/pam_linotp/defaults/main.yml rename to roles/debian/pam_linotp/defaults/main.yml diff --git a/roles/pam_linotp/tasks/main.yml b/roles/debian/pam_linotp/tasks/main.yml similarity index 100% rename from roles/pam_linotp/tasks/main.yml rename to roles/debian/pam_linotp/tasks/main.yml diff --git a/roles/pam_linotp/templates/common-linotp.j2 b/roles/debian/pam_linotp/templates/common-linotp.j2 similarity index 100% rename from roles/pam_linotp/templates/common-linotp.j2 rename to roles/debian/pam_linotp/templates/common-linotp.j2 diff --git a/roles/php-cli/defaults/main.yml b/roles/debian/php-cli/defaults/main.yml similarity index 100% rename from roles/php-cli/defaults/main.yml rename to roles/debian/php-cli/defaults/main.yml diff --git a/roles/php-cli/meta/main.yml b/roles/debian/php-cli/meta/main.yml similarity index 100% rename from roles/php-cli/meta/main.yml rename to roles/debian/php-cli/meta/main.yml diff --git a/roles/php-cli/tasks/main.yml b/roles/debian/php-cli/tasks/main.yml similarity index 100% rename from roles/php-cli/tasks/main.yml rename to roles/debian/php-cli/tasks/main.yml diff --git a/roles/php-cli/templates/php.cli.ini.j2 b/roles/debian/php-cli/templates/php.cli.ini.j2 similarity index 100% rename from roles/php-cli/templates/php.cli.ini.j2 rename to roles/debian/php-cli/templates/php.cli.ini.j2 diff --git a/roles/php-common/defaults/main.yml b/roles/debian/php-common/defaults/main.yml similarity index 100% rename from roles/php-common/defaults/main.yml rename to roles/debian/php-common/defaults/main.yml 
diff --git a/roles/php-common/meta/main.yml b/roles/debian/php-common/meta/main.yml similarity index 100% rename from roles/php-common/meta/main.yml rename to roles/debian/php-common/meta/main.yml diff --git a/roles/php-common/tasks/main.yml b/roles/debian/php-common/tasks/main.yml similarity index 100% rename from roles/php-common/tasks/main.yml rename to roles/debian/php-common/tasks/main.yml diff --git a/roles/php-common/templates/sury.pref.j2 b/roles/debian/php-common/templates/sury.pref.j2 similarity index 100% rename from roles/php-common/templates/sury.pref.j2 rename to roles/debian/php-common/templates/sury.pref.j2 diff --git a/roles/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml similarity index 100% rename from roles/php-fpm/defaults/main.yml rename to roles/debian/php-fpm/defaults/main.yml diff --git a/roles/php-fpm/meta/main.yml b/roles/debian/php-fpm/meta/main.yml similarity index 100% rename from roles/php-fpm/meta/main.yml rename to roles/debian/php-fpm/meta/main.yml diff --git a/roles/php-fpm/tasks/main.yml b/roles/debian/php-fpm/tasks/main.yml similarity index 100% rename from roles/php-fpm/tasks/main.yml rename to roles/debian/php-fpm/tasks/main.yml diff --git a/roles/php-fpm/templates/php.fpm.ini.j2 b/roles/debian/php-fpm/templates/php.fpm.ini.j2 similarity index 100% rename from roles/php-fpm/templates/php.fpm.ini.j2 rename to roles/debian/php-fpm/templates/php.fpm.ini.j2 diff --git a/roles/php-fpm/templates/www.conf.j2 b/roles/debian/php-fpm/templates/www.conf.j2 similarity index 100% rename from roles/php-fpm/templates/www.conf.j2 rename to roles/debian/php-fpm/templates/www.conf.j2 diff --git a/roles/php-imagick/tasks/main.yml b/roles/debian/php-imagick/tasks/main.yml similarity index 100% rename from roles/php-imagick/tasks/main.yml rename to roles/debian/php-imagick/tasks/main.yml 
diff --git a/roles/php_blackfire/defaults/main.yml b/roles/debian/php_blackfire/defaults/main.yml similarity index 100% rename from roles/php_blackfire/defaults/main.yml rename to roles/debian/php_blackfire/defaults/main.yml diff --git a/roles/php_blackfire/tasks/main.yml b/roles/debian/php_blackfire/tasks/main.yml similarity index 100% rename from roles/php_blackfire/tasks/main.yml rename to roles/debian/php_blackfire/tasks/main.yml diff --git a/roles/php_blackfire/templates/agent.j2 b/roles/debian/php_blackfire/templates/agent.j2 similarity index 100% rename from roles/php_blackfire/templates/agent.j2 rename to roles/debian/php_blackfire/templates/agent.j2 diff --git a/roles/php_blackfire/templates/blackfire.ini.j2 b/roles/debian/php_blackfire/templates/blackfire.ini.j2 similarity index 100% rename from roles/php_blackfire/templates/blackfire.ini.j2 rename to roles/debian/php_blackfire/templates/blackfire.ini.j2 diff --git a/roles/php_blackfire/templates/startup.sh.j2 b/roles/debian/php_blackfire/templates/startup.sh.j2 similarity index 100% rename from roles/php_blackfire/templates/startup.sh.j2 rename to roles/debian/php_blackfire/templates/startup.sh.j2 diff --git a/roles/php_composer/README.md b/roles/debian/php_composer/README.md similarity index 100% rename from roles/php_composer/README.md rename to roles/debian/php_composer/README.md diff --git a/roles/php_composer/defaults/main.yml b/roles/debian/php_composer/defaults/main.yml similarity index 100% rename from roles/php_composer/defaults/main.yml rename to roles/debian/php_composer/defaults/main.yml diff --git a/roles/php_composer/meta/main.yml b/roles/debian/php_composer/meta/main.yml similarity index 100% rename from roles/php_composer/meta/main.yml rename to roles/debian/php_composer/meta/main.yml 
diff --git a/roles/php_composer/tasks/main.yml b/roles/debian/php_composer/tasks/main.yml similarity index 100% rename from roles/php_composer/tasks/main.yml rename to roles/debian/php_composer/tasks/main.yml diff --git a/roles/php_xdebug/README.md b/roles/debian/php_xdebug/README.md similarity index 100% rename from roles/php_xdebug/README.md rename to roles/debian/php_xdebug/README.md diff --git a/roles/php_xdebug/defaults/main.yml b/roles/debian/php_xdebug/defaults/main.yml similarity index 100% rename from roles/php_xdebug/defaults/main.yml rename to roles/debian/php_xdebug/defaults/main.yml diff --git a/roles/php_xdebug/tasks/main.yml b/roles/debian/php_xdebug/tasks/main.yml similarity index 100% rename from roles/php_xdebug/tasks/main.yml rename to roles/debian/php_xdebug/tasks/main.yml diff --git a/roles/php_xdebug/templates/30-xdebug-dev.ini.j2 b/roles/debian/php_xdebug/templates/30-xdebug-dev.ini.j2 similarity index 100% rename from roles/php_xdebug/templates/30-xdebug-dev.ini.j2 rename to roles/debian/php_xdebug/templates/30-xdebug-dev.ini.j2 diff --git a/roles/postfix/README.md b/roles/debian/postfix/README.md similarity index 100% rename from roles/postfix/README.md rename to roles/debian/postfix/README.md diff --git a/roles/postfix/defaults/main.yml b/roles/debian/postfix/defaults/main.yml similarity index 100% rename from roles/postfix/defaults/main.yml rename to roles/debian/postfix/defaults/main.yml diff --git a/roles/postfix/files/master.cf b/roles/debian/postfix/files/master.cf similarity index 100% rename from roles/postfix/files/master.cf rename to roles/debian/postfix/files/master.cf diff --git a/roles/postfix/handlers/main.yml b/roles/debian/postfix/handlers/main.yml similarity index 100% rename from roles/postfix/handlers/main.yml rename to roles/debian/postfix/handlers/main.yml 
diff --git a/roles/postfix/tasks/main.yml b/roles/debian/postfix/tasks/main.yml similarity index 100% rename from roles/postfix/tasks/main.yml rename to roles/debian/postfix/tasks/main.yml diff --git a/roles/postfix/templates/mailname.j2 b/roles/debian/postfix/templates/mailname.j2 similarity index 100% rename from roles/postfix/templates/mailname.j2 rename to roles/debian/postfix/templates/mailname.j2 diff --git a/roles/postfix/templates/main.cf.j2 b/roles/debian/postfix/templates/main.cf.j2 similarity index 100% rename from roles/postfix/templates/main.cf.j2 rename to roles/debian/postfix/templates/main.cf.j2 diff --git a/roles/postfix/templates/procmailrc_host.j2 b/roles/debian/postfix/templates/procmailrc_host.j2 similarity index 100% rename from roles/postfix/templates/procmailrc_host.j2 rename to roles/debian/postfix/templates/procmailrc_host.j2 diff --git a/roles/postfix/templates/procmailrc_null.j2 b/roles/debian/postfix/templates/procmailrc_null.j2 similarity index 100% rename from roles/postfix/templates/procmailrc_null.j2 rename to roles/debian/postfix/templates/procmailrc_null.j2 diff --git a/roles/postfix/templates/sasl_passwd.j2 b/roles/debian/postfix/templates/sasl_passwd.j2 similarity index 100% rename from roles/postfix/templates/sasl_passwd.j2 rename to roles/debian/postfix/templates/sasl_passwd.j2 diff --git a/roles/postfix/templates/transport.j2 b/roles/debian/postfix/templates/transport.j2 similarity index 100% rename from roles/postfix/templates/transport.j2 rename to roles/debian/postfix/templates/transport.j2 diff --git a/roles/postfix/templates/virtual.j2 b/roles/debian/postfix/templates/virtual.j2 similarity index 100% rename from roles/postfix/templates/virtual.j2 rename to roles/debian/postfix/templates/virtual.j2 diff --git a/roles/process_manager/README.md b/roles/debian/process_manager/README.md similarity index 100% rename from roles/process_manager/README.md rename to roles/debian/process_manager/README.md 
diff --git a/roles/process_manager/defaults/main.yml b/roles/debian/process_manager/defaults/main.yml similarity index 100% rename from roles/process_manager/defaults/main.yml rename to roles/debian/process_manager/defaults/main.yml diff --git a/roles/process_manager/tasks/main.yml b/roles/debian/process_manager/tasks/main.yml similarity index 100% rename from roles/process_manager/tasks/main.yml rename to roles/debian/process_manager/tasks/main.yml diff --git a/roles/process_manager/tasks/stop.yml b/roles/debian/process_manager/tasks/stop.yml similarity index 100% rename from roles/process_manager/tasks/stop.yml rename to roles/debian/process_manager/tasks/stop.yml diff --git a/roles/debian/python_boto/README.md b/roles/debian/python_boto/README.md new file mode 100644 index 000000000..ee3e99a52 --- /dev/null +++ b/roles/debian/python_boto/README.md @@ -0,0 +1,17 @@ +# Python Boto +Role to install the `boto3` library for Python integration with AWS services. + + + + + +## Default variables +```yaml +python_boto: + boto3_version: "" # version string, e.g. "1.22.13" - empty string means latest + # These are usually set within another role using _venv_path and _venv_command but can be overridden. + #venv_path: /path/to/venv + #venv_command: /usr/bin/python3.11 -m venv +``` + + diff --git a/roles/debian/python_boto/defaults/main.yml b/roles/debian/python_boto/defaults/main.yml new file mode 100644 index 000000000..489e33ef6 --- /dev/null +++ b/roles/debian/python_boto/defaults/main.yml @@ -0,0 +1,5 @@ +python_boto: + boto3_version: "" # version string, e.g. "1.22.13" - empty string means latest + # These are usually set within another role using _venv_path and _venv_command but can be overridden. + #venv_path: /path/to/venv + #venv_command: /usr/bin/python3.11 -m venv \ No newline at end of file diff --git a/roles/debian/python_boto/meta/main.yml b/roles/debian/python_boto/meta/main.yml new file mode 100644 index 000000000..551567003 --- /dev/null 
+++ b/roles/debian/python_boto/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: debian/python_common diff --git a/roles/debian/python_boto/tasks/main.yml b/roles/debian/python_boto/tasks/main.yml new file mode 100644 index 000000000..8b989f63c --- /dev/null +++ b/roles/debian/python_boto/tasks/main.yml @@ -0,0 +1,18 @@ +--- +- name: Set initial boto3 package name. + ansible.builtin.set_fact: + _boto3_install_package: boto3 + +- name: Set specific boto3 version to install. + ansible.builtin.set_fact: + _boto3_install_package: "boto3=={{ python_boto.boto3_version}}" + when: + - python_boto.boto3_version | length > 0 + +- name: Ensure boto3 is installed. + ansible.builtin.pip: + name: "{{ _boto3_install_package }}" + virtualenv: "{{ python_boto.venv_path | default(_venv_path) }}" + virtualenv_command: "{{ python_boto.venv_command | default(_venv_command) }}" + become: true + become_user: "{{ ce_provision.username }}" diff --git a/roles/debian/python_common/README.md b/roles/debian/python_common/README.md new file mode 100644 index 000000000..2c9f384f9 --- /dev/null +++ b/roles/debian/python_common/README.md @@ -0,0 +1,24 @@ +# Python Common +Packages required by all Python scripts and applications. + + + + + +## Default variables +```yaml +--- +python_common: + remove_packages: + - python-pip + - python3-yaml # linters need a newer version of PyYAML than the one that ships with Debian + - python-botocore + - python-urllib3 + install_packages: + - python3-distutils + - python3-venv + - python3-pip + - cloud-init # package can get removed with python3-yaml but we need it for auto-scale +``` + + diff --git a/roles/debian/python_common/defaults/main.yml b/roles/debian/python_common/defaults/main.yml new file mode 100644 index 000000000..afb3840df --- /dev/null +++ b/roles/debian/python_common/defaults/main.yml 
@@ -0,0 +1,12 @@ +--- +python_common: + remove_packages: + - python-pip + - python3-yaml # linters need a newer version of PyYAML than the one that ships with Debian + - python-botocore + - python-urllib3 + install_packages: + - python3-distutils + - python3-venv + - python3-pip + - cloud-init # package can get removed with python3-yaml but we need it for auto-scale \ No newline at end of file diff --git a/roles/debian/python_common/tasks/main.yml b/roles/debian/python_common/tasks/main.yml new file mode 100644 index 000000000..178a0ae82 --- /dev/null +++ b/roles/debian/python_common/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: Ensure obsolete Python packages are not installed. + ansible.builtin.apt: + pkg: "{{ python_common.remove_packages }}" + state: absent + +- name: Ensure commonly required Python packages are installed. + ansible.builtin.apt: + pkg: "{{ python_common.install_packages }}" + state: present + update_cache: true diff --git a/roles/redis/defaults/main.yml b/roles/debian/redis/defaults/main.yml similarity index 100% rename from roles/redis/defaults/main.yml rename to roles/debian/redis/defaults/main.yml diff --git a/roles/redis/tasks/main.yml b/roles/debian/redis/tasks/main.yml similarity index 100% rename from roles/redis/tasks/main.yml rename to roles/debian/redis/tasks/main.yml diff --git a/roles/redis/templates/dotdeb.pref.j2 b/roles/debian/redis/templates/dotdeb.pref.j2 similarity index 100% rename from roles/redis/templates/dotdeb.pref.j2 rename to roles/debian/redis/templates/dotdeb.pref.j2 diff --git a/roles/redis/templates/redis.conf.j2 b/roles/debian/redis/templates/redis.conf.j2 similarity index 100% rename from roles/redis/templates/redis.conf.j2 rename to roles/debian/redis/templates/redis.conf.j2 diff --git a/roles/redis/templates/redis.sysctl.j2 b/roles/debian/redis/templates/redis.sysctl.j2 similarity index 100% rename from roles/redis/templates/redis.sysctl.j2 rename to roles/debian/redis/templates/redis.sysctl.j2 
diff --git a/roles/redis/templates/startup.sh.j2 b/roles/debian/redis/templates/startup.sh.j2 similarity index 100% rename from roles/redis/templates/startup.sh.j2 rename to roles/debian/redis/templates/startup.sh.j2 diff --git a/roles/rkhunter/README.md b/roles/debian/rkhunter/README.md similarity index 100% rename from roles/rkhunter/README.md rename to roles/debian/rkhunter/README.md diff --git a/roles/rkhunter/defaults/main.yml b/roles/debian/rkhunter/defaults/main.yml similarity index 100% rename from roles/rkhunter/defaults/main.yml rename to roles/debian/rkhunter/defaults/main.yml diff --git a/roles/rkhunter/handlers/main.yml b/roles/debian/rkhunter/handlers/main.yml similarity index 100% rename from roles/rkhunter/handlers/main.yml rename to roles/debian/rkhunter/handlers/main.yml diff --git a/roles/rkhunter/tasks/main.yml b/roles/debian/rkhunter/tasks/main.yml similarity index 100% rename from roles/rkhunter/tasks/main.yml rename to roles/debian/rkhunter/tasks/main.yml diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/debian/rkhunter/templates/rkhunter.conf.j2 similarity index 100% rename from roles/rkhunter/templates/rkhunter.conf.j2 rename to roles/debian/rkhunter/templates/rkhunter.conf.j2 diff --git a/roles/rkhunter/templates/rkhunter.default.j2 b/roles/debian/rkhunter/templates/rkhunter.default.j2 similarity index 100% rename from roles/rkhunter/templates/rkhunter.default.j2 rename to roles/debian/rkhunter/templates/rkhunter.default.j2 diff --git a/roles/rsyslog/README.md b/roles/debian/rsyslog/README.md similarity index 100% rename from roles/rsyslog/README.md rename to roles/debian/rsyslog/README.md diff --git a/roles/rsyslog/defaults/main.yml b/roles/debian/rsyslog/defaults/main.yml similarity index 100% rename from roles/rsyslog/defaults/main.yml rename to roles/debian/rsyslog/defaults/main.yml 
diff --git a/roles/rsyslog/tasks/main.yml b/roles/debian/rsyslog/tasks/main.yml similarity index 100% rename from roles/rsyslog/tasks/main.yml rename to roles/debian/rsyslog/tasks/main.yml diff --git a/roles/rsyslog/templates/rsyslog.client.conf.j2 b/roles/debian/rsyslog/templates/rsyslog.client.conf.j2 similarity index 100% rename from roles/rsyslog/templates/rsyslog.client.conf.j2 rename to roles/debian/rsyslog/templates/rsyslog.client.conf.j2 diff --git a/roles/rsyslog/templates/rsyslog.server.conf.j2 b/roles/debian/rsyslog/templates/rsyslog.server.conf.j2 similarity index 100% rename from roles/rsyslog/templates/rsyslog.server.conf.j2 rename to roles/debian/rsyslog/templates/rsyslog.server.conf.j2 diff --git a/roles/selenium/defaults/main.yml b/roles/debian/selenium/defaults/main.yml similarity index 100% rename from roles/selenium/defaults/main.yml rename to roles/debian/selenium/defaults/main.yml diff --git a/roles/selenium/meta/main.yml b/roles/debian/selenium/meta/main.yml similarity index 100% rename from roles/selenium/meta/main.yml rename to roles/debian/selenium/meta/main.yml diff --git a/roles/selenium/tasks/main.yml b/roles/debian/selenium/tasks/main.yml similarity index 100% rename from roles/selenium/tasks/main.yml rename to roles/debian/selenium/tasks/main.yml diff --git a/roles/selenium/templates/selenium-daemon-start-VNC.j2 b/roles/debian/selenium/templates/selenium-daemon-start-VNC.j2 similarity index 100% rename from roles/selenium/templates/selenium-daemon-start-VNC.j2 rename to roles/debian/selenium/templates/selenium-daemon-start-VNC.j2 diff --git a/roles/selenium/templates/selenium-daemon-start-XVFB.j2 b/roles/debian/selenium/templates/selenium-daemon-start-XVFB.j2 similarity index 100% rename from roles/selenium/templates/selenium-daemon-start-XVFB.j2 rename to roles/debian/selenium/templates/selenium-daemon-start-XVFB.j2 
diff --git a/roles/selenium/templates/selenium-daemon-stop.j2 b/roles/debian/selenium/templates/selenium-daemon-stop.j2 similarity index 100% rename from roles/selenium/templates/selenium-daemon-stop.j2 rename to roles/debian/selenium/templates/selenium-daemon-stop.j2 diff --git a/roles/selenium/templates/selenium.init.j2 b/roles/debian/selenium/templates/selenium.init.j2 similarity index 100% rename from roles/selenium/templates/selenium.init.j2 rename to roles/debian/selenium/templates/selenium.init.j2 diff --git a/roles/selenium/templates/startup.sh.j2 b/roles/debian/selenium/templates/startup.sh.j2 similarity index 100% rename from roles/selenium/templates/startup.sh.j2 rename to roles/debian/selenium/templates/startup.sh.j2 diff --git a/roles/selenium/templates/xstartup.j2 b/roles/debian/selenium/templates/xstartup.j2 similarity index 100% rename from roles/selenium/templates/xstartup.j2 rename to roles/debian/selenium/templates/xstartup.j2 diff --git a/roles/solr/README.md b/roles/debian/solr/README.md similarity index 100% rename from roles/solr/README.md rename to roles/debian/solr/README.md diff --git a/roles/sops/defaults/main.yml b/roles/debian/sops/defaults/main.yml similarity index 100% rename from roles/sops/defaults/main.yml rename to roles/debian/sops/defaults/main.yml diff --git a/roles/sops/tasks/main.yml b/roles/debian/sops/tasks/main.yml similarity index 100% rename from roles/sops/tasks/main.yml rename to roles/debian/sops/tasks/main.yml diff --git a/roles/squashfs/meta/main.yml b/roles/debian/squashfs/meta/main.yml similarity index 100% rename from roles/squashfs/meta/main.yml rename to roles/debian/squashfs/meta/main.yml diff --git a/roles/squashfs/tasks/main.yml b/roles/debian/squashfs/tasks/main.yml similarity index 100% rename from roles/squashfs/tasks/main.yml rename to roles/debian/squashfs/tasks/main.yml 
diff --git a/roles/ssh_server/README.md b/roles/debian/ssh_server/README.md similarity index 100% rename from roles/ssh_server/README.md rename to roles/debian/ssh_server/README.md diff --git a/roles/ssh_server/defaults/main.yml b/roles/debian/ssh_server/defaults/main.yml similarity index 100% rename from roles/ssh_server/defaults/main.yml rename to roles/debian/ssh_server/defaults/main.yml diff --git a/roles/ssh_server/tasks/main.yml b/roles/debian/ssh_server/tasks/main.yml similarity index 100% rename from roles/ssh_server/tasks/main.yml rename to roles/debian/ssh_server/tasks/main.yml diff --git a/roles/ssh_server/templates/group_block.j2 b/roles/debian/ssh_server/templates/group_block.j2 similarity index 100% rename from roles/ssh_server/templates/group_block.j2 rename to roles/debian/ssh_server/templates/group_block.j2 diff --git a/roles/ssh_server/templates/sshd_config.j2 b/roles/debian/ssh_server/templates/sshd_config.j2 similarity index 100% rename from roles/ssh_server/templates/sshd_config.j2 rename to roles/debian/ssh_server/templates/sshd_config.j2 diff --git a/roles/ssh_server/templates/user_block.j2 b/roles/debian/ssh_server/templates/user_block.j2 similarity index 100% rename from roles/ssh_server/templates/user_block.j2 rename to roles/debian/ssh_server/templates/user_block.j2 diff --git a/roles/ssl/README.md b/roles/debian/ssl/README.md similarity index 92% rename from roles/ssl/README.md rename to roles/debian/ssl/README.md index d5ae1c7f1..33a5ee801 100644 --- a/roles/ssl/README.md +++ b/roles/debian/ssl/README.md 
@@ -78,19 +78,17 @@ ssl: certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" # root of the command to register a new cert http_01_port: 80 # you can set a non-standard port to listen on, but certbot still needs port 80 - see https://letsencrypt.org/docs/challenge-types/#http-01-challenge # For "letsencrypt" auto renewal - autorenew: false # set to true to create a cron job to renew LE certs - certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # root of the command used in the cron job - # renewal_minute: "0" # minute to run renewal cron job - # renewal_hour: "0" # hour to run renewal cron job - # renewal_day: "7" # day of month to run renewal cron job - # renewal_weekday: "0" # day of week to run renewal cron job + autorenew: false # set to true to create a systemd timer to renew LE certs + certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # root of the command used in the systemd timer + # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + #on_calendar: "Mon *-*-* 04:00:00" web_server: standalone # values are standalone, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! # For "letsencrypt" handling, a list of service to stop while creating the certificate. # This is because we need port 80 to be free. # List of services to be stopped during renewal, e.g. - # services: - # - nginx + #services: + # - nginx services: [] # When certificates get renewed on a schedule you also need to reload any dependent services, such as your web server. # List of services to reload: diff --git a/roles/ssl/defaults/main.yml b/roles/debian/ssl/defaults/main.yml similarity index 86% rename from roles/ssl/defaults/main.yml rename to roles/debian/ssl/defaults/main.yml index 45c2058ce..adfb9a137 100644 --- a/roles/ssl/defaults/main.yml +++ b/roles/debian/ssl/defaults/main.yml 
@@ -30,19 +30,17 @@ ssl: certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" # root of the command to register a new cert http_01_port: 80 # you can set a non-standard port to listen on, but certbot still needs port 80 - see https://letsencrypt.org/docs/challenge-types/#http-01-challenge # For "letsencrypt" auto renewal - autorenew: false # set to true to create a cron job to renew LE certs - certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # root of the command used in the cron job - # renewal_minute: "0" # minute to run renewal cron job - # renewal_hour: "0" # hour to run renewal cron job - # renewal_day: "7" # day of month to run renewal cron job - # renewal_weekday: "0" # day of week to run renewal cron job + autorenew: false # set to true to create a systemd timer to renew LE certs + certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # root of the command used in the systemd timer + # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + #on_calendar: "Mon *-*-* 04:00:00" web_server: standalone # values are standalone, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! # For "letsencrypt" handling, a list of service to stop while creating the certificate. # This is because we need port 80 to be free. # List of services to be stopped during renewal, e.g. - # services: - # - nginx + #services: + # - nginx services: [] # When certificates get renewed on a schedule you also need to reload any dependent services, such as your web server. # List of services to reload: diff --git a/roles/ssl/tasks/copy.yml b/roles/debian/ssl/tasks/copy.yml similarity index 100% rename from roles/ssl/tasks/copy.yml rename to roles/debian/ssl/tasks/copy.yml 
diff --git a/roles/ssl/tasks/generate.yml b/roles/debian/ssl/tasks/generate.yml similarity index 100% rename from roles/ssl/tasks/generate.yml rename to roles/debian/ssl/tasks/generate.yml diff --git a/roles/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml similarity index 79% rename from roles/ssl/tasks/letsencrypt.yml rename to roles/debian/ssl/tasks/letsencrypt.yml index 7520822a5..616040ae1 100644 --- a/roles/ssl/tasks/letsencrypt.yml +++ b/roles/debian/ssl/tasks/letsencrypt.yml @@ -1,11 +1,4 @@ --- -# cron is not necessarily installed by default. -- name: Ensure cron is installed. - ansible.builtin.apt: - name: cron - state: present - update_cache: true - - name: Ensure Certbot is installed. ansible.builtin.apt: pkg: certbot @@ -85,14 +78,15 @@ mode: 0755 when: ssl.autorenew -- name: Create cron job for certificate renewal. - ansible.builtin.cron: - name: "certbot renewal" - minute: "{{ ssl.renewal_minute | default('0') }}" - hour: "{{ ssl.renewal_hour | default('0') }}" - day: "{{ ssl.renewal_day | default(omit) }}" - weekday: "{{ ssl.renewal_weekday | default('0') }}" # default is weekly at midnight on Sunday - job: "/usr/local/bin/le_cron_{{ ssl_facts[_ssl_domains[0]].domain | regex_replace('\\.', '_') }}.sh" - cron_file: "le_autorenewal_{{ ssl_facts[_ssl_domains[0]].domain | regex_replace('\\.', '_') }}" - user: root +- name: Build timer variables with dynamic key. + ansible.builtin.set_fact: + _certbot_renewal_timer: "{'certbot_renewal_{{ ssl_facts[_ssl_domains[0]].domain | regex_replace('\\.', '_') }}':{'timer_command':'/usr/local/bin/le_cron_{{ ssl_facts[_ssl_domains[0]].domain | regex_replace('\\.', '_') }}.sh','timer_OnCalendar':'{{ ssl.on_calendar }}'}}" + when: ssl.autorenew + +- name: Create systemd timer for certificate renewal. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + certbot_renewal: "{{ _certbot_renewal_timer }}" when: ssl.autorenew 
diff --git a/roles/ssl/tasks/main.yml b/roles/debian/ssl/tasks/main.yml similarity index 100% rename from roles/ssl/tasks/main.yml rename to roles/debian/ssl/tasks/main.yml diff --git a/roles/ssl/tasks/manual.yml b/roles/debian/ssl/tasks/manual.yml similarity index 100% rename from roles/ssl/tasks/manual.yml rename to roles/debian/ssl/tasks/manual.yml diff --git a/roles/ssl/tasks/selfsigned.yml b/roles/debian/ssl/tasks/selfsigned.yml similarity index 100% rename from roles/ssl/tasks/selfsigned.yml rename to roles/debian/ssl/tasks/selfsigned.yml diff --git a/roles/ssl/tasks/unmanaged.yml b/roles/debian/ssl/tasks/unmanaged.yml similarity index 100% rename from roles/ssl/tasks/unmanaged.yml rename to roles/debian/ssl/tasks/unmanaged.yml diff --git a/roles/ssl/templates/le_cron.sh.j2 b/roles/debian/ssl/templates/le_cron.sh.j2 similarity index 100% rename from roles/ssl/templates/le_cron.sh.j2 rename to roles/debian/ssl/templates/le_cron.sh.j2 diff --git a/roles/sudo_config/README.md b/roles/debian/sudo_config/README.md similarity index 100% rename from roles/sudo_config/README.md rename to roles/debian/sudo_config/README.md diff --git a/roles/sudo_config/defaults/main.yml b/roles/debian/sudo_config/defaults/main.yml similarity index 100% rename from roles/sudo_config/defaults/main.yml rename to roles/debian/sudo_config/defaults/main.yml diff --git a/roles/sudo_config/tasks/main.yml b/roles/debian/sudo_config/tasks/main.yml similarity index 100% rename from roles/sudo_config/tasks/main.yml rename to roles/debian/sudo_config/tasks/main.yml diff --git a/roles/sudo_config/templates/sudoer.j2 b/roles/debian/sudo_config/templates/sudoer.j2 similarity index 100% rename from roles/sudo_config/templates/sudoer.j2 rename to roles/debian/sudo_config/templates/sudoer.j2 diff --git a/roles/terraform/defaults/main.yml b/roles/debian/terraform/defaults/main.yml similarity index 100% rename from roles/terraform/defaults/main.yml rename to roles/debian/terraform/defaults/main.yml 
diff --git a/roles/terraform/tasks/main.yml b/roles/debian/terraform/tasks/main.yml similarity index 100% rename from roles/terraform/tasks/main.yml rename to roles/debian/terraform/tasks/main.yml diff --git a/roles/user_ansible/defaults/main.yml b/roles/debian/user_ansible/defaults/main.yml similarity index 100% rename from roles/user_ansible/defaults/main.yml rename to roles/debian/user_ansible/defaults/main.yml diff --git a/roles/user_ansible/tasks/main.yml b/roles/debian/user_ansible/tasks/main.yml similarity index 100% rename from roles/user_ansible/tasks/main.yml rename to roles/debian/user_ansible/tasks/main.yml diff --git a/roles/user_deploy/defaults/main.yml b/roles/debian/user_deploy/defaults/main.yml similarity index 100% rename from roles/user_deploy/defaults/main.yml rename to roles/debian/user_deploy/defaults/main.yml diff --git a/roles/user_deploy/tasks/main.yml b/roles/debian/user_deploy/tasks/main.yml similarity index 100% rename from roles/user_deploy/tasks/main.yml rename to roles/debian/user_deploy/tasks/main.yml diff --git a/roles/user_provision/defaults/main.yml b/roles/debian/user_provision/defaults/main.yml similarity index 100% rename from roles/user_provision/defaults/main.yml rename to roles/debian/user_provision/defaults/main.yml diff --git a/roles/user_provision/tasks/main.yml b/roles/debian/user_provision/tasks/main.yml similarity index 100% rename from roles/user_provision/tasks/main.yml rename to roles/debian/user_provision/tasks/main.yml diff --git a/roles/user_root/defaults/main.yml b/roles/debian/user_root/defaults/main.yml similarity index 100% rename from roles/user_root/defaults/main.yml rename to roles/debian/user_root/defaults/main.yml diff --git a/roles/user_root/tasks/main.yml b/roles/debian/user_root/tasks/main.yml similarity index 100% rename from roles/user_root/tasks/main.yml rename to roles/debian/user_root/tasks/main.yml 
diff --git a/roles/vagrant/defaults/main.yml b/roles/debian/vagrant/defaults/main.yml similarity index 100% rename from roles/vagrant/defaults/main.yml rename to roles/debian/vagrant/defaults/main.yml diff --git a/roles/vagrant/tasks/main.yml b/roles/debian/vagrant/tasks/main.yml similarity index 100% rename from roles/vagrant/tasks/main.yml rename to roles/debian/vagrant/tasks/main.yml diff --git a/roles/varnish_config/README.md b/roles/debian/varnish_config/README.md similarity index 100% rename from roles/varnish_config/README.md rename to roles/debian/varnish_config/README.md diff --git a/roles/varnish_config/defaults/main.yml b/roles/debian/varnish_config/defaults/main.yml similarity index 100% rename from roles/varnish_config/defaults/main.yml rename to roles/debian/varnish_config/defaults/main.yml diff --git a/roles/varnish_config/meta/main.yml b/roles/debian/varnish_config/meta/main.yml similarity index 100% rename from roles/varnish_config/meta/main.yml rename to roles/debian/varnish_config/meta/main.yml diff --git a/roles/varnish_config/tasks/main.yml b/roles/debian/varnish_config/tasks/main.yml similarity index 100% rename from roles/varnish_config/tasks/main.yml rename to roles/debian/varnish_config/tasks/main.yml diff --git a/roles/varnish_config/templates/default.vcl.j2 b/roles/debian/varnish_config/templates/default.vcl.j2 similarity index 100% rename from roles/varnish_config/templates/default.vcl.j2 rename to roles/debian/varnish_config/templates/default.vcl.j2 diff --git a/roles/wazuh/README.md b/roles/debian/wazuh/README.md similarity index 97% rename from roles/wazuh/README.md rename to roles/debian/wazuh/README.md index 7e6d73e76..bc92ecc6d 100644 --- a/roles/wazuh/README.md +++ b/roles/debian/wazuh/README.md 
@@ -11,8 +11,6 @@ Supports standalone managers, scaled out services and agent installation (defaul ```yaml --- wazuh: - #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible - branch: "4.3" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version! # Agent variables, installed locally by default # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/ansible-wazuh-agent/defaults/main.yml agent: diff --git a/roles/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml similarity index 96% rename from roles/wazuh/defaults/main.yml rename to roles/debian/wazuh/defaults/main.yml index 49da21661..32270581f 100644 --- a/roles/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml @@ -1,7 +1,5 @@ --- wazuh: - #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible - branch: "4.3" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version! # Agent variables, installed locally by default # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/ansible-wazuh-agent/defaults/main.yml agent: diff --git a/roles/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml similarity index 86% rename from roles/wazuh/tasks/main.yml rename to roles/debian/wazuh/tasks/main.yml index 672bb91c5..aebe36f2e 100644 --- a/roles/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml 
@@ -1,18 +1,8 @@ --- # Assumes you have run the ce_provision role on your controller and it has already installed the Wazuh roles. -- name: Set the Wazuh version branch for the playbooks and roles. - ansible.builtin.git: - repo: https://github.com/wazuh/wazuh-ansible.git - dest: "{{ wazuh.roles_directory | default('/home/' + user_provision.username + '/.ansible/roles/wazuh-ansible') }}" - version: "{{ wazuh.branch }}" - update: true - become: true - become_user: "{{ user_provision.username }}" - delegate_to: localhost - - name: Generate certificates. ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/wazuh-indexer + name: contrib/wazuh/wazuh-indexer delegate_to: localhost vars: indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}" @@ -23,7 +13,7 @@ - name: Install Wazuh indexer. ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/wazuh-indexer + name: contrib/wazuh/wazuh-indexer vars: single_node: "{{ wazuh.indexer.single_node }}" domain_name: "{{ wazuh.indexer.domain_name }}" @@ -51,7 +41,7 @@ - name: Install Wazuh Manager. ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/ansible-wazuh-manager + name: contrib/wazuh/ansible-wazuh-manager vars: wazuh_manager_mailto: "{{ wazuh.manager.wazuh_manager_mailto }}" wazuh_manager_email_smtp_server: "{{ wazuh.manager.wazuh_manager_email_smtp_server }}" @@ -68,7 +58,7 @@ - name: Install Filebeat. ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/ansible-filebeat-oss + name: contrib/wazuh/ansible-filebeat-oss vars: filebeat_version: "{{ wazuh.filebeat.filebeat_version }}" filebeat_node_name: "{{ wazuh.filebeat.filebeat_node_name }}" @@ -81,7 +71,7 @@ - name: Install Wazuh dashboard. ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/wazuh-dashboard + name: contrib/wazuh/wazuh-dashboard vars: dashboard_node_name: "{{ wazuh.dashboard.dashboard_node_name }}" dashboard_server_host: "{{ wazuh.dashboard.dashboard_server_host }}" 
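Review bot: the removed "Set the Wazuh version branch" task in roles/debian/wazuh/tasks/main.yml was the only place this role fixed which wazuh-ansible code runs (it checked out `version: "{{ wazuh.branch }}"`, default `"4.3"`, from GitHub on every run, tracking a moving branch). With the import paths now pointing at `contrib/wazuh/...`, the unchanged header comment `# Assumes you have run the ce_provision role on your controller and it has already installed the Wazuh roles.` should say where those contrib roles come from and how their version is pinned; a commit or tag is preferable to the old branch checkout, since it makes the imported playbooks reviewable and reproducible. The README and defaults hunks that drop `roles_directory` and `branch` should point users at that new location, because `wazuh.branch` was the documented way to choose the Wazuh release (the comment "not to be confused with wazuh_version!" goes with it, so say which variable now selects the version).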
@@ -98,7 +88,7 @@ - name: Install Wazuh agent. ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/ansible-wazuh-agent + name: contrib/wazuh/ansible-wazuh-agent vars: wazuh_managers: "{{ wazuh.agent.managers }}" wazuh_agent_enrollment: diff --git a/roles/duplicity/templates/duplicity-cron.j2 b/roles/duplicity/templates/duplicity-cron.j2 deleted file mode 100644 index 5d9982a60..000000000 --- a/roles/duplicity/templates/duplicity-cron.j2 +++ /dev/null @@ -1,2 +0,0 @@ -MAILTO="{{ duplicity.mail_recipient }}" -{{ duplicity.schedule }} root /usr/local/bin/duplicity_backup > /dev/null diff --git a/roles/ldap_server/meta/main.yml b/roles/ldap_server/meta/main.yml deleted file mode 100644 index 82b134717..000000000 --- a/roles/ldap_server/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: python_pip diff --git a/roles/mysql_client/meta/main.yml b/roles/mysql_client/meta/main.yml deleted file mode 100644 index 82b134717..000000000 --- a/roles/mysql_client/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: python_pip diff --git a/roles/mysql_server_mariadb/defaults/main.yml b/roles/mysql_server_mariadb/defaults/main.yml deleted file mode 100644 index e233b409b..000000000 --- a/roles/mysql_server_mariadb/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -mysql_long_query_time: 4 diff --git a/roles/nginx/meta/main.yml b/roles/nginx/meta/main.yml deleted file mode 100644 index 82b134717..000000000 --- a/roles/nginx/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: python_pip diff --git a/roles/ossec/files/ossec-watchdog-cron b/roles/ossec/files/ossec-watchdog-cron deleted file mode 100644 index 5bdddbf40..000000000 --- a/roles/ossec/files/ossec-watchdog-cron +++ /dev/null @@ -1 +0,0 @@ -@reboot root nohup /usr/local/bin/ossec-watchdog > /tmp/ossec-watchdog.log & diff --git a/roles/python_boto/README.md b/roles/python_boto/README.md deleted file mode 100644 index bb0883637..000000000 
--- a/roles/python_boto/README.md +++ /dev/null @@ -1,14 +0,0 @@ -# Python Boto -Role to install the `boto3` library for Python integration with AWS services. - - - - - -## Default variables -```yaml -python_boto: - boto3_version: "1.22.13" # first version that works with 'stable-6' AWS collections - empty string means latest -``` - - diff --git a/roles/python_boto/defaults/main.yml b/roles/python_boto/defaults/main.yml deleted file mode 100644 index a51c71992..000000000 --- a/roles/python_boto/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -python_boto: - boto3_version: "1.22.13" # first version that works with 'stable-6' AWS collections - empty string means latest \ No newline at end of file diff --git a/roles/python_boto/meta/main.yml b/roles/python_boto/meta/main.yml deleted file mode 100644 index 82b134717..000000000 --- a/roles/python_boto/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: python_pip diff --git a/roles/python_boto/tasks/main.yml b/roles/python_boto/tasks/main.yml deleted file mode 100644 index 9454ce782..000000000 --- a/roles/python_boto/tasks/main.yml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -- name: Ensure old boto versions are not installed. - ansible.builtin.apt: - pkg: ["python-botocore", "python-urllib3"] - state: absent - when: ansible_distribution_major_version | int < 12 - -- name: Set initial boto3 package name. - ansible.builtin.set_fact: - _boto3_install_package: boto3 - when: ansible_distribution_major_version | int < 12 - -- name: Set specific boto3 version to install. - ansible.builtin.set_fact: - _boto3_install_package: "boto3=={{ python_boto.boto3_version}}" - when: - - python_boto.boto3_version | length > 0 - - ansible_distribution_major_version | int < 12 - -- name: Ensure boto3 is installed with pip3. - ansible.builtin.pip: - name: "{{ _boto3_install_package }}" - executable: pip3 - when: ansible_distribution_major_version | int < 12 - -- name: Ensure python3-boto3 is installed with apt. - ansible.builtin.apt: - pkg: python3-boto3 - state: present - when: ansible_distribution_major_version | int >= 12 diff --git a/roles/python_pip/README.md b/roles/python_pip/README.md deleted file mode 100644 index 91797a924..000000000 --- a/roles/python_pip/README.md +++ /dev/null @@ -1,32 +0,0 @@ -# Python Pip -Role to install `pip3`. - -Note, the variables do not do anything for Debian 12 (bookworm) onwards, as `pip3` is handled by `apt` from then on. - - - - - -## Default variables -```yaml ---- -# Variables only valid for Debian versions below 12 (bookworm). -python_pip: - python_binary_path: "/usr/bin/python3" - pip_packages: - - "python-pip" - - "python3-pip" - upgrade: - enabled: true # create cron job to auto-upgrade pip - command: "/usr/bin/python -m pip install --upgrade pip" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 0 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true - -``` - - diff --git a/roles/python_pip/defaults/main.yml b/roles/python_pip/defaults/main.yml deleted file mode 100644 index 225102099..000000000 
--- a/roles/python_pip/defaults/main.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -# Variables only valid for Debian versions below 12 (bookworm). -python_pip: - python_binary_path: "/usr/bin/python3" - pip_packages: - - "python-pip" - - "python3-pip" - upgrade: - enabled: true # create cron job to auto-upgrade pip - command: "/usr/bin/python -m pip install --upgrade pip" - # cron variables - see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html - minute: 0 - hour: 1 - # day: 1 - # weekday: 7 - # month: 12 - # disabled: true diff --git a/roles/python_pip/tasks/10.yml b/roles/python_pip/tasks/10.yml deleted file mode 100644 index e7d5b2e2b..000000000 --- a/roles/python_pip/tasks/10.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -- name: Ensure old pip versions are not installed. - ansible.builtin.apt: - pkg: "{{ python_pip.pip_packages }}" - state: absent - -- name: Ensure python3-distutils is installed. - ansible.builtin.apt: - name: python3-distutils - state: present - update_cache: true - -- name: Check to see if pip3 is already there. - ansible.builtin.command: - cmd: which pip3 - register: pip3_package - failed_when: false - -- name: Fetch Pip installer. - ansible.builtin.get_url: - url: https://bootstrap.pypa.io/get-pip.py - dest: /tmp/get-pip.py - when: - - pip3_package.rc != 0 - -- name: Ensure pip3 is installed. - ansible.builtin.command: - cmd: python3 /tmp/get-pip.py - become: true - when: - - pip3_package.rc != 0 - -- name: "Ensure {{ python_pip.python_binary_path }} is the default binary." - ansible.builtin.command: - cmd: "update-alternatives --install /usr/bin/python python {{ python_pip.python_binary_path }} 1" - become: true - -- name: Create cron entry to upgrade pip. - ansible.builtin.cron: - name: upgrade_python_pip - minute: "{{ python_pip.upgrade.minute | default(omit) }}" - hour: "{{ python_pip.upgrade.hour | default(omit) }}" - day: "{{ python_pip.upgrade.day | default(omit) }}" - weekday: "{{ python_pip.upgrade.weekday | default(omit) }}" - month: "{{ python_pip.upgrade.month | default(omit) }}" - job: "{{ python_pip.upgrade.command }}" - state: present - disabled: "{{ python_pip.upgrade.disabled | default(omit) }}" - become: true - when: python_pip.upgrade.enabled diff --git a/roles/python_pip/tasks/11.yml b/roles/python_pip/tasks/11.yml deleted file mode 100644 index e7d5b2e2b..000000000 --- a/roles/python_pip/tasks/11.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -- name: Ensure old pip versions are not installed. - ansible.builtin.apt: - pkg: "{{ python_pip.pip_packages }}" - state: absent - -- name: Ensure python3-distutils is installed. - ansible.builtin.apt: - name: python3-distutils - state: present - update_cache: true - -- name: Check to see if pip3 is already there. - ansible.builtin.command: - cmd: which pip3 - register: pip3_package - failed_when: false - -- name: Fetch Pip installer. - ansible.builtin.get_url: - url: https://bootstrap.pypa.io/get-pip.py - dest: /tmp/get-pip.py - when: - - pip3_package.rc != 0 - -- name: Ensure pip3 is installed. - ansible.builtin.command: - cmd: python3 /tmp/get-pip.py - become: true - when: - - pip3_package.rc != 0 - -- name: "Ensure {{ python_pip.python_binary_path }} is the default binary." - ansible.builtin.command: - cmd: "update-alternatives --install /usr/bin/python python {{ python_pip.python_binary_path }} 1" - become: true - -- name: Create cron entry to upgrade pip. - ansible.builtin.cron: - name: upgrade_python_pip - minute: "{{ python_pip.upgrade.minute | default(omit) }}" - hour: "{{ python_pip.upgrade.hour | default(omit) }}" - day: "{{ python_pip.upgrade.day | default(omit) }}" - weekday: "{{ python_pip.upgrade.weekday | default(omit) }}" - month: "{{ python_pip.upgrade.month | default(omit) }}" - job: "{{ python_pip.upgrade.command }}" - state: present - disabled: "{{ python_pip.upgrade.disabled | default(omit) }}" - become: true - when: python_pip.upgrade.enabled diff --git a/roles/python_pip/tasks/12.yml b/roles/python_pip/tasks/12.yml deleted file mode 100644 index f18e48bc7..000000000 --- a/roles/python_pip/tasks/12.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: Ensure python3-distutils is installed. - ansible.builtin.apt: - name: python3-distutils - state: present - update_cache: true - -- name: Ensure python3-pip is installed. - ansible.builtin.apt: - pkg: python3-pip - state: present 
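Review bot: the deleted `roles/ldap_server/meta/main.yml`, `roles/mysql_client/meta/main.yml`, `roles/nginx/meta/main.yml` and `roles/python_boto/meta/main.yml` each declared `dependencies: - role: python_pip`, and `roles/python_pip` is deleted outright in this commit rather than moved (the PATCH 003 sidebar lists `python_boto` and `python_common` under /roles/debian but no `python_pip`). Confirm that the `debian/` copies of ldap_server, mysql_client, nginx and python_boto declare `debian/python_common` (or whatever now provides pip3) as a dependency, otherwise the `ansible.builtin.pip` task in python_boto, still used on Debian below 12, will run without pip3 present.

Review bot: the deleted `roles/python_pip/tasks/10.yml` and `11.yml` (byte-identical, both index e7d5b2e2b) fetched `https://bootstrap.pypa.io/get-pip.py` with no `checksum:` and executed it as root, and installed a root cron `/usr/bin/python -m pip install --upgrade pip` that pulls from PyPI unattended every night; if any of this is carried into `debian/python_common`, add a `checksum:` to the `get_url` and drop the unattended upgrade. The bare `update-alternatives --install /usr/bin/python python ...` command with no `changed_when` was also only passing lint because of the `'301'` skip.

Review bot: the deleted `roles/ossec/files/ossec-watchdog-cron` ran `@reboot root nohup /usr/local/bin/ossec-watchdog > /tmp/ossec-watchdog.log &`, a root process writing to a predictable path in world-writable /tmp; if the file was copied under `roles/debian/ossec/` rather than retired, point the redirect at /var/log or another root-owned directory instead.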
diff --git a/roles/python_pip/tasks/main.yml b/roles/python_pip/tasks/main.yml deleted file mode 100644 index 05ce92175..000000000 --- a/roles/python_pip/tasks/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: Load Debian version specific tasks. - ansible.builtin.include_tasks: "{{ ansible_distribution_major_version }}.yml" From 188b7830145c7edffd1a68388347ec8b339e0f85 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Fri, 10 Nov 2023 14:41:48 +0100 Subject: [PATCH 002/331] Updating paths in meta roles. (#1218) * Updating paths in meta roles. * Excluding wazuh role from linting. * Removing exclusion from CI because it's in .ansible-lint. --- .ansible-lint | 7 ++++--- .github/workflows/ce-provision-lint.yml | 2 +- roles/_meta/aws_client_instance/meta/main.yml | 6 +++--- roles/_meta/controller/meta/main.yml | 18 +++++++++--------- roles/_meta/deploy/meta/main.yml | 18 +++++++++--------- roles/_meta/webserver/meta/main.yml | 16 ++++++++-------- 6 files changed, 34 insertions(+), 33 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index e49016169..7f26f195c 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,7 +1,6 @@ skip_list: - '204' # Lines should be no longer than 160 chars - - '301' # Commands should not changei things if nothing needs doing - - '303' # Using command rather than module + - '301' # Commands should not change things if nothing needs doing - '701' # 701 No 'galaxy_info' found - unnamed-task - risky-file-permissions @@ -9,7 +8,9 @@ skip_list: - no-handler - var-naming - no-jinja-nesting - - command-instead-of-module # dupe of '303'? + - command-instead-of-module - fqcn-builtins - template-instead-of-copy # to skip over roles/ssl/tasks/copy.yml errors, temporarily. - name[template] # it doesn't like Jinja templates being in the middle of a task name, which seems silly to me. +exclude_paths: + - roles/debian/wazuh/ # imported role uses yes/no instead of true/false so always fails 
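Review bot: `exclude_paths: - roles/debian/wazuh/` switches off ansible-lint for the whole wrapper role, including `roles/debian/wazuh/tasks/main.yml`, which is ce-provision's own code, whereas the workflow previously excluded only `./roles/wazuh/defaults/`. The yes/no values the comment refers to live in the defaults that mirror the upstream variables (the imported roles themselves sit under `contrib/wazuh/` per PATCH 001), so narrow the exclusion to `roles/debian/wazuh/defaults/` to keep the tasks file linted. Dropping `'303'` while keeping `command-instead-of-module` is fine, as they are the same rule under its old and new name, and the `changei` typo fix is welcome.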
diff --git a/.github/workflows/ce-provision-lint.yml b/.github/workflows/ce-provision-lint.yml index ab77b3ad9..8e0c9f352 100644 --- a/.github/workflows/ce-provision-lint.yml +++ b/.github/workflows/ce-provision-lint.yml @@ -28,6 +28,6 @@ jobs: - name: Run linters. if: ${{ github.event.pull_request.head.ref != 'documentation' }} run: | - ansible-lint ./roles --exclude ./roles/wazuh/defaults/ + ansible-lint ./roles yamllint ./roles cd scripts && shellcheck *.sh diff --git a/roles/_meta/aws_client_instance/meta/main.yml b/roles/_meta/aws_client_instance/meta/main.yml index 9e3e7dad1..ac372d64c 100644 --- a/roles/_meta/aws_client_instance/meta/main.yml +++ b/roles/_meta/aws_client_instance/meta/main.yml @@ -1,5 +1,5 @@ --- dependencies: - - { role: apt_extra_packages, apt_extra_packages: ["cloud-init"] } - - role: aws_cloudwatch_agent - - role: aws_ssm_agent + - { role: debian/apt_extra_packages, apt_extra_packages: ["cloud-init"] } + - role: debian/aws_cloudwatch_agent + - role: debian/aws_ssm_agent diff --git a/roles/_meta/controller/meta/main.yml b/roles/_meta/controller/meta/main.yml index 8038122d7..955a23613 100644 --- a/roles/_meta/controller/meta/main.yml +++ b/roles/_meta/controller/meta/main.yml @@ -1,13 +1,13 @@ --- dependencies: - - role: user_provision - - { role: ssh_server, when: ( is_local is not defined or not is_local ) } + - role: debian/user_provision + - { role: debian/ssh_server, when: ( is_local is not defined or not is_local ) } - role: _meta/common_base - role: aws/aws_credentials - - role: ce_provision - - role: gitlab - - role: gitlab_runner - - role: sops - - role: gpg_key - - role: pam_ldap - - role: pam_linotp + - role: debian/ce_provision + - role: debian/gitlab + - role: debian/gitlab_runner + - role: debian/sops + - role: debian/gpg_key + - role: debian/pam_ldap + - role: debian/pam_linotp diff --git a/roles/_meta/deploy/meta/main.yml b/roles/_meta/deploy/meta/main.yml index 05a183528..4409e5701 100644 
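Review bot: `_meta/controller` lists `aws/aws_credentials` before `debian/ce_provision`, while `_meta/deploy` lists `debian/ce_deploy` before `aws/aws_credentials`; if either ce_* role reads the credentials file during its tasks the order matters, so either align the two or add a comment stating the order is deliberate. The `debian/` prefix change itself is mechanical and consistent across the four meta roles in the diffstat, and removing `--exclude ./roles/wazuh/defaults/` from the workflow is correct once the exclusion lives in .ansible-lint.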
--- a/roles/_meta/deploy/meta/main.yml +++ b/roles/_meta/deploy/meta/main.yml @@ -1,13 +1,13 @@ --- dependencies: - - role: user_provision - - { role: ssh_server, when: ( is_local is not defined or not is_local ) } + - role: debian/user_provision + - { role: debian/ssh_server, when: ( is_local is not defined or not is_local ) } - role: _meta/common_base - - role: ce_deploy + - role: debian/ce_deploy - role: aws/aws_credentials - - role: gitlab - - role: gitlab_runner - - role: sops - - role: gpg_key - - role: pam_ldap - - role: pam_linotp + - role: debian/gitlab + - role: debian/gitlab_runner + - role: debian/sops + - role: debian/gpg_key + - role: debian/pam_ldap + - role: debian/pam_linotp diff --git a/roles/_meta/webserver/meta/main.yml b/roles/_meta/webserver/meta/main.yml index 8f4f8a94d..a66530c03 100644 --- a/roles/_meta/webserver/meta/main.yml +++ b/roles/_meta/webserver/meta/main.yml @@ -1,11 +1,11 @@ --- dependencies: - - { role: ssh_server, when: ( is_local is not defined or not is_local ) } + - { role: debian/ssh_server, when: ( is_local is not defined or not is_local ) } - role: _meta/common_base - - role: user_provision - - role: user_deploy - - role: mysql_client - - role: nodejs - - role: php-cli - - role: php-fpm - - role: nginx + - role: debian/user_provision + - role: debian/user_deploy + - role: debian/mysql_client + - role: debian/nodejs + - role: debian/php-cli + - role: debian/php-fpm + - role: debian/nginx From 31093c5fd30ce1420e5d2cd4b5526b3960ffdf74 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Fri, 10 Nov 2023 16:23:52 +0100 Subject: [PATCH 003/331] Meta role paths pr 2.x (#1220) * Updating paths in meta roles. * Excluding wazuh role from linting. * Removing exclusion from CI because it's in .ansible-lint. * Adding debian readme to complete sidebar in docs. --- docs/_Sidebar.md | 48 ++++++++++++++- docs/roles/contrib/systemd_timers.md | 90 ---------------------------- docs/roles/debian.md | 2 + roles/debian/README.md | 2 + 4 files changed, 51 insertions(+), 91 deletions(-) delete mode 100644 docs/roles/contrib/systemd_timers.md create mode 100644 docs/roles/debian.md create mode 100644 roles/debian/README.md diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 079ae0cc1..4f93d9c12 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md 
@@ -27,7 +27,53 @@ - [Update main route for a given VPC](/roles/aws/aws_vpc_route) - [VPC](/roles/aws/aws_vpc_subnet) - [Contributed roles](/roles/contrib) - - [ansible-systemd-timer](/roles/contrib/systemd_timers) + - [Debian Packages](/roles/debian) + - [Ansible](/roles/debian/ansible) + - [APACHE](/roles/debian/apache) + - [Extra packages](/roles/debian/apt_extra_packages) + - [APT Unattended Upgrades](/roles/debian/apt_unattended_upgrades) + - [AWS CLI](/roles/debian/aws_cli) + - [AWS Cloudwatch agent](/roles/debian/aws_cloudwatch_agent) + - [EFS client](/roles/debian/aws_efs_client) + - [AWS SSM agent](/roles/debian/aws_ssm_agent) + - [ce-deploy](/roles/debian/ce_deploy) + - [Extra packages](/roles/debian/ce_dev) + - [Automated patching](/roles/debian/ce_patcher) + - [ce-provision](/roles/debian/ce_provision) + - [ClamAV](/roles/debian/clamav) + - [Firewall Config](/roles/debian/firewall_config) + - [Frontail](/roles/debian/frontail) + - [Gitlab](/roles/debian/gitlab) + - [Gitlab Runner](/roles/debian/gitlab_runner) + - [GPG Key](/roles/debian/gpg_key) + - [HA Proxy](/roles/debian/haproxy) + - [Managed /etc/hosts](/roles/debian/hosts) + - [Jenkins](/roles/debian/jenkins) + - [Jitsi](/roles/debian/jitsi) + - [LDAP Server](/roles/debian/ldap_server) + - [LHCI](/roles/debian/lhci) + - [Mount sync](/roles/debian/mount_sync) + - [MariaDB Client](/roles/debian/mysql_client) + - [MySQL Server - Oracle Community Edition](/roles/debian/mysql_server_oracle_ce) + - [NGINX](/roles/debian/nginx) + - [NodeJS](/roles/debian/nodejs) + - [OpenVPN Config](/roles/debian/openvpn_config) + - [OSSEC](/roles/debian/ossec) + - [Packer](/roles/debian/packer) + - [PHP Composer](/roles/debian/php_composer) + - [PHP XDebug](/roles/debian/php_xdebug) + - [Postfix](/roles/debian/postfix) + - [Process Manager](/roles/debian/process_manager) + - [Python Boto](/roles/debian/python_boto) + - [Python Common](/roles/debian/python_common) + - [rkhunter](/roles/debian/rkhunter) + - 
[Rsyslog](/roles/debian/rsyslog) + - [solr](/roles/debian/solr) + - [SSHD](/roles/debian/ssh_server) + - [SSL](/roles/debian/ssl) + - [sudo config](/roles/debian/sudo_config) + - [varnish-config](/roles/debian/varnish_config) + - [wazuh](/roles/debian/wazuh) - [Init role](/roles/_init) - ["Meta" roles that group individual roles together.](/roles/_meta) - [AWS account](/roles/_meta/aws_account) diff --git a/docs/roles/contrib/systemd_timers.md b/docs/roles/contrib/systemd_timers.md deleted file mode 100644 index ce1e6efad..000000000 --- a/docs/roles/contrib/systemd_timers.md +++ /dev/null 
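Review bot: in the sidebar hunk `- [Extra packages](/roles/debian/ce_dev)` reuses the label already used for `/roles/debian/apt_extra_packages`; it should read `ce-dev`. The hunk also drops the `ansible-systemd-timer` entry, but the PATCH 003 diffstat removes only `docs/roles/contrib/systemd_timers.md` and nothing under `roles/contrib/`; if the contrib role is still present it needs a sidebar entry, and if it was removed earlier the commit message should say so. Minor: `APACHE` should be `Apache`.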
@@ -1,90 +0,0 @@ -# ansible-systemd-timer - -## About -This roles enables you to create systemd timers which call scripts or execute commands. - -## Usage - -Define a variable ```timers```. This variable is a dictionary. Every key is a new timer. - -### Example - -Here is an example for my 1337 Telegram Bot. The Timer "calls" a script which sends the message "It's now 13:37" in one of my Telegram chats every day at 13:37 GMT o'Clock. - -``` -timers: - 1337TelegramBot: - timer_precommand: /bin/bash -c '! /usr/bin/systemctl is-active --quiet other-service.service' - timer_command: /home/telegrambot/sendMessage.pl - timer_user: telegrambot - timer_OnCalendar: "*-*-* 13:37:00 CET" - timer_AccuracySec: 5s -``` - -That's all the magic. - -### Existing variables per timer - -| Variable | Required | Default value / Explanation | -|----------|----------|------------------------------| -| timer_precommand | no | Pre-command before command | -| timer_command | yes | Which command or script to execute | -| timer_envfile | no | Add environment file | -| timer_user | no | Under which users the timer_command is executed. Default: root | -| timer_persistent | no | Takes a boolean argument. If true, the time when the service unit was last triggered is stored on disk. When the timer is activated, the service unit is triggered immediately if it would have been triggered at least once during the time when the timer was inactive. This is useful to catch up on missed runs of the service when the machine was off. Note that this setting only has an effect on timers configured with OnCalendar=. Defaults to false. 
[Source](https://www.freedesktop.org/software/systemd/man/systemd.timer.html) | -| timer_workingdir | no | Set [WorkingDirectory=](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#WorkingDirectory=) for the timer -| timer_OnActiveSec | no | Relative time after the timer unit was last activated | -| timer_OnBootSec | no | Relative time after the computer was booted | -| timer_OnStartupSec | no | Relative time after systemd was started | -| timer_OnUnitActiveSec | no | Relative time after the service unit was last activated | -| timer_OnUnitInactiveSec | no | Relative time after the service unit was last deactivated | -| timer_OnCalendar | no | Absolute time when to call activate the unit | -| timer_AccuracySec | no | Timer have a default accuracy of round about one minute. You can set the accuracy with this var. Default: 15s | - -You can chain every timer_On* variable. Example: - -``` -timers: - updateDNS: - timer_command: /home/dnsupdate/updateMe.pl - timer_user: dnsupdate - timer_OnStartupSec: 20s - timer_OnUnitActiveSec: 5m -``` - -The timer unit will be triggered 20 seconds after systemd was started and then every 5 minutes. - -More about timers: https://www.freedesktop.org/software/systemd/man/systemd.timer.html - -More about timespans: https://www.freedesktop.org/software/systemd/man/systemd.time.html - -### Existing variables globally, for the role -| Variable | Required | Default value / Explanation | -|----------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------| -| systemd_scope | no | Create system or user units. Default: `system`. | -| systemd_base_path | no | Where to generate the systemd unit files. Set this to e.g. `~/.config/systemd/user` when using *systemd_scope*=`user`. Default: `/etc/systemd/system`. | - -You can create user timers for non-root services in combination with `become_user: '{{ my_user }}'`. 
Example: -``` -systemd_base_path: ~/.config/systemd/user -systemd_scope: user -timers: - timer-one: - timer_command: ... - timer_OnCalendar: ... - timer_user: '{{ my_user }}' - ... -``` - -## Working with shell redirection - -Shell redirection does not work out of the box. You have to work around that by calling `sh` or `bash`. -This won't work: `echo hello > /var/log/hello.log` -This will work: `/usr/bin/bash -c \"echo hello > /var/log/hello.log\"` - -Tip: Always use full paths. To see where `sh` or `bash` is stored on your system you have to use `which`: - -``` -[root@pizza ~]# which bash -/usr/bin/bash -``` diff --git a/docs/roles/debian.md b/docs/roles/debian.md new file mode 100644 index 000000000..80ad608b5 --- /dev/null +++ b/docs/roles/debian.md @@ -0,0 +1,2 @@ +# Debian Packages +This is a set of roles for installing packages on Debian Linux servers. We currently support Debian versions 11 (bullseye) and 12 (bookworm). diff --git a/roles/debian/README.md b/roles/debian/README.md new file mode 100644 index 000000000..80ad608b5 --- /dev/null +++ b/roles/debian/README.md @@ -0,0 +1,2 @@ +# Debian Packages +This is a set of roles for installing packages on Debian Linux servers. We currently support Debian versions 11 (bullseye) and 12 (bookworm). From 82e0582cbcc36207780203bef9ab07650184ac61 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Fri, 10 Nov 2023 18:30:47 +0100 Subject: [PATCH 004/331] Meta role paths pr 2.x (#1222) * Updating paths in meta roles. * Excluding wazuh role from linting. * Removing exclusion from CI because it's in .ansible-lint. * Adding debian readme to complete sidebar in docs. * Being more generic with Python version for venv to avoid Debian version issues. --- docs/roles/debian/ce_deploy.md | 2 +- docs/roles/debian/ce_provision.md | 2 +- roles/debian/ce_deploy/README.md | 2 +- roles/debian/ce_deploy/defaults/main.yml | 2 +- roles/debian/ce_provision/README.md | 2 +- roles/debian/ce_provision/defaults/main.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md index f96ab5935..66d7402b2 100644 --- a/docs/roles/debian/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md @@ -13,7 +13,7 @@ _ce_deploy: ce_deploy: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_deploy.username }}/ansible" - venv_command: /usr/bin/python3.11 -m venv + venv_command: /usr/bin/python3 -m venv # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md index f73428cbd..741ca5a6c 100644 --- a/docs/roles/debian/ce_provision.md +++ b/docs/roles/debian/ce_provision.md @@ -14,7 +14,7 @@ _ce_provision: ce_provision: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_provision.username }}/ansible" - venv_command: /usr/bin/python3.11 -m venv + venv_command: /usr/bin/python3 -m venv # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user 
diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md index f96ab5935..66d7402b2 100644 --- a/roles/debian/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md @@ -13,7 +13,7 @@ _ce_deploy: ce_deploy: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_deploy.username }}/ansible" - venv_command: /usr/bin/python3.11 -m venv + venv_command: /usr/bin/python3 -m venv # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index 7902af13f..92fefc0ed 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -5,7 +5,7 @@ _ce_deploy: ce_deploy: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_deploy.username }}/ansible" - venv_command: /usr/bin/python3.11 -m venv + venv_command: /usr/bin/python3 -m venv # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md index f73428cbd..741ca5a6c 100644 --- a/roles/debian/ce_provision/README.md +++ b/roles/debian/ce_provision/README.md @@ -14,7 +14,7 @@ _ce_provision: ce_provision: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_provision.username }}/ansible" - venv_command: /usr/bin/python3.11 -m venv + venv_command: /usr/bin/python3 -m venv # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index 3281cb118..f69f7c939 100644 
--- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml @@ -6,7 +6,7 @@ _ce_provision: ce_provision: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_provision.username }}/ansible" - venv_command: /usr/bin/python3.11 -m venv + venv_command: /usr/bin/python3 -m venv # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user From e56ab86c8a32056d73bbbcbb504f3328b22d6231 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Fri, 10 Nov 2023 19:28:35 +0100 Subject: [PATCH 005/331] Meta role paths pr 2.x (#1224) * Updating paths in meta roles. * Excluding wazuh role from linting. * Removing exclusion from CI because it's in .ansible-lint. * Adding debian readme to complete sidebar in docs. * Being more generic with Python version for venv to avoid Debian version issues. * We shouldn't need to remove all the old Ansible system stuff any more. --- ce-dev/ce-dev.compose.yml | 2 +- roles/debian/ansible/tasks/main.yml | 23 ----------------------- 2 files changed, 1 insertion(+), 24 deletions(-) diff --git a/ce-dev/ce-dev.compose.yml b/ce-dev/ce-dev.compose.yml index 78a4ac0f8..227633579 100644 --- a/ce-dev/ce-dev.compose.yml +++ b/ce-dev/ce-dev.compose.yml @@ -7,7 +7,7 @@ x-ce_dev: - ce-dev/ansible/setup.yml services: controller: - image: codeenigma/ce-dev-1.x:devel + image: codeenigma/ce-dev-controller-1.x:devel x-ce_dev: {} volumes: - ../:/home/ce-dev/ce-provision diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index d47d0f5d9..9c7dc523d 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml 
@@ -1,27 +1,4 @@ --- -- name: Remove old PPA repository key for Ansible. - ansible.builtin.apt_key: - id: 93C4A3FD7BB9C367 - keyserver: keyserver.ubuntu.com - state: absent - -- name: Remove old repository for Ansible. - ansible.builtin.apt_repository: - repo: "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" - state: absent - -# Linters need a newer version of PyYAML than the one that ships with Debian. -- name: Remove older PyYAML package. - ansible.builtin.apt: - pkg: python3-yaml - state: absent - when: ce_ansible.linters.enabled - -- name: Remove system Ansible. - ansible.builtin.apt: - pkg: ansible - state: absent - - name: Set up Python packages. ansible.builtin.include_role: name: debian/python_common From e8b58c18dcf547f3bfc3038b184576b9ce3cb615 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Fri, 10 Nov 2023 22:07:30 +0100 Subject: [PATCH 006/331] Meta role paths pr 2.x (#1226) * Updating paths in meta roles. * Excluding wazuh role from linting. * Removing exclusion from CI because it's in .ansible-lint. * Adding debian readme to complete sidebar in docs. * Being more generic with Python version for venv to avoid Debian version issues. * We shouldn't need to remove all the old Ansible system stuff any more. * Grouping python activities together after role downloads. --- ce-dev/ce-dev.compose.yml | 2 +- roles/debian/ce_provision/tasks/main.yml | 75 ++++++++++++------------ 2 files changed, 39 insertions(+), 38 deletions(-) diff --git a/ce-dev/ce-dev.compose.yml b/ce-dev/ce-dev.compose.yml index 227633579..78a4ac0f8 100644 --- a/ce-dev/ce-dev.compose.yml +++ b/ce-dev/ce-dev.compose.yml @@ -7,7 +7,7 @@ x-ce_dev: - ce-dev/ansible/setup.yml services: controller: - image: codeenigma/ce-dev-controller-1.x:devel + image: codeenigma/ce-dev-1.x:devel x-ce_dev: {} volumes: - ../:/home/ce-dev/ce-provision diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index 0eafc7290..dc7a0ada7 100644 
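Review bot: in the roles/debian/ansible/tasks/main.yml hunk of PATCH 005, deleting the four `state: absent` tasks is fine for freshly built hosts, but a controller first provisioned under 1.x keeps the plain-HTTP trusty PPA (`deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main`) and its key `93C4A3FD7BB9C367` in the apt trust store, plus the apt `ansible` package, and nothing in 2.x is left to remove them. Since the commit message only says they "shouldn't" be needed, either keep the removal tasks for one more release behind a flag or document the one-off manual cleanup for upgraded controllers; a leftover system `ansible` matters because later in this series the venv is appended to `$PATH` rather than prepended, so the apt binary would win.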
--- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml @@ -37,20 +37,6 @@ dest: "{{ _ce_provision_data_dir }}" src: "/home/{{ ce_provision.username }}/.ssh/{{ ce_provision.key_name }}" -# Install Python applications. -- name: Set up Python venv variables. - ansible.builtin.set_fact: - _venv_path: "{{ ce_provision.venv_path }}" - _venv_command: "{{ ce_provision.venv_command }}" - -- name: Install Ansible. - ansible.builtin.include_role: - name: debian/ansible - -- name: Install python_boto. - ansible.builtin.include_role: - name: debian/python_boto - # This prevent the original var to be re-evaluated when we move things around. - name: Register config repository. ansible.builtin.set_fact: @@ -61,17 +47,6 @@ pkg: ["git", "parallel"] state: present -- name: Ensure dnspython, certifi and pyopenssl are installed. - ansible.builtin.pip: - name: - - dnspython - - certifi - - pyopenssl - virtualenv: "{{ _venv_path }}" - virtualenv_command: "{{ _venv_command }}" - become: true - become_user: "{{ ce_provision.username }}" - # This is needed for "pushing" in certain cases. - name: Setup Git identity. ansible.builtin.command: 
@@ -140,13 +115,50 @@ path: "{{ ce_provision.local_dir }}/data" state: directory -- name: Ensure ownership of Ansible folder. +- name: Ensure ownership of controller user folder. ansible.builtin.file: path: "/home/{{ ce_provision.username }}" state: directory owner: "{{ ce_provision.username }}" recurse: true +# Must happen prior to Ansible install. +- name: Fetch additional roles not in Ansible Galaxy. + ansible.builtin.git: + repo: "{{ item.repo }}" + dest: "{{ ce_provision.local_dir }}/roles/contrib/{{ item.directory }}" + update: true + version: "{{ item.branch }}" + become: true + become_user: "{{ ce_provision.username }}" + with_items: "{{ ce_provision.contrib_roles }}" + when: ce_provision.contrib_roles | length > 0 + +# Install Python applications. +- name: Set up Python venv variables. + ansible.builtin.set_fact: + _venv_path: "{{ ce_provision.venv_path }}" + _venv_command: "{{ ce_provision.venv_command }}" + +- name: Install Ansible. + ansible.builtin.include_role: + name: debian/ansible + +- name: Install python_boto. + ansible.builtin.include_role: + name: debian/python_boto + +- name: Ensure dnspython, certifi and pyopenssl are installed. + ansible.builtin.pip: + name: + - dnspython + - certifi + - pyopenssl + virtualenv: "{{ _venv_path }}" + virtualenv_command: "{{ _venv_command }}" + become: true + become_user: "{{ ce_provision.username }}" + - name: Check if ansible-galaxy custom requirements file exists. ansible.builtin.stat: path: "{{ ce_provision.galaxy_custom_requirements_file }}" 
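Review bot: in the ce_provision/tasks/main.yml hunk that moves "Fetch additional roles not in Ansible Galaxy" ahead of the Ansible install, the `ansible.builtin.git` task still tracks a moving ref (`version: "{{ item.branch }}"` with `update: true`), so every provision run pulls the current head of a third-party repository and those roles then run with root privileges on every target. Suggest pinning `version` to a tag or commit SHA in `ce_provision.contrib_roles` (the module accepts either) and documenting that `branch` may hold a SHA, since this is the one place in the role where unreviewed upstream changes enter. Minor: `when: ce_provision.contrib_roles | length > 0` is redundant with looping over an empty list and can go.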
@@ -165,17 +177,6 @@ become_user: "{{ ce_provision.username }}" when: _ce_provision_custom_galaxy_requirements.stat.exists -- name: Fetch additional roles not in Ansible Galaxy. - ansible.builtin.git: - repo: "{{ item.repo }}" - dest: "{{ ce_provision.local_dir }}/roles/contrib/{{ item.directory }}" - update: true - version: "{{ item.branch }}" - become: true - become_user: "{{ ce_provision.username }}" - with_items: "{{ ce_provision.contrib_roles }}" - when: ce_provision.contrib_roles | length > 0 - - name: Create systemd timer to upgrade mandatory ansible-galaxy collections. ansible.builtin.include_role: name: contrib/systemd_timers From 58988004688a51a271d237d75037636d7c24d5c9 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Mon, 13 Nov 2023 10:11:57 +0100 Subject: [PATCH 007/331] Meta role paths pr 2.x (#1228) * Updating paths in meta roles. * Excluding wazuh role from linting. * Removing exclusion from CI because it's in .ansible-lint. * Adding debian readme to complete sidebar in docs. * Being more generic with Python version for venv to avoid Debian version issues. * We shouldn't need to remove all the old Ansible system stuff any more. * Grouping python activities together after role downloads. * Need a cache update to make the 'parallel' package avaiable. --- roles/debian/ce_provision/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index dc7a0ada7..bd0437879 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml @@ -46,6 +46,7 @@ ansible.builtin.apt: pkg: ["git", "parallel"] state: present + update_cache: true # This is needed for "pushing" in certain cases. - name: Setup Git identity. From 828bdfdf8e09499b6b910f0e7280d1e3f174dea3 Mon Sep 17 00:00:00 2001 
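Review bot: in the PATCH 007 hunk adding `update_cache: true` to the `git`/`parallel` apt task, an unconditional cache update runs `apt-get update` on every play and reports changed each time, so the task is no longer idempotent and every run needs network access to the mirrors; add `cache_valid_time: 3600` (or whatever interval suits) next to it so the lists are only refreshed when stale.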
From: Greg Harvey Date: Mon, 13 Nov 2023 11:21:43 +0100 Subject: [PATCH 008/331] Meta role paths pr 2.x (#1230) * Updating paths in meta roles. * Excluding wazuh role from linting. * Removing exclusion from CI because it's in .ansible-lint. * Adding debian readme to complete sidebar in docs. * Being more generic with Python version for venv to avoid Debian version issues. * We shouldn't need to remove all the old Ansible system stuff any more. * Grouping python activities together after role downloads. * Need a cache update to make the 'parallel' package avaiable. * Updating path to ce_deploy role for galaxy requirements files. --- roles/debian/ce_deploy/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index 407b8bf99..8f7cf5953 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml @@ -147,7 +147,7 @@ - name: Copy mandatory ansible-galaxy requirements file to deploy server. ansible.builtin.copy: - src: "{{ ce_deploy.ce_provision_dir }}/roles/ce_deploy/meta/requirements-{{ ansible_distribution_major_version }}.yml" + src: "{{ ce_deploy.ce_provision_dir }}/roles/debian/ce_deploy/meta/requirements-{{ ansible_distribution_major_version }}.yml" dest: "{{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml" owner: "{{ ce_deploy.username }}" group: "{{ ce_deploy.username }}" From 09d3f231c68bfbca95d8d164427a6b180aa4dc81 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Mon, 13 Nov 2023 16:39:30 +0100 Subject: [PATCH 009/331] Meta role paths pr 2.x (#1232) * Updating paths in meta roles. * Excluding wazuh role from linting. * Removing exclusion from CI because it's in .ansible-lint. * Adding debian readme to complete sidebar in docs. * Being more generic with Python version for venv to avoid Debian version issues. * We shouldn't need to remove all the old Ansible system stuff any more. * Grouping python activities together after role downloads. * Need a cache update to make the 'parallel' package avaiable. * Updating path to ce_deploy role for galaxy requirements files. * For shell scripts to work Ansible's python venv needs adding to path. --- roles/debian/ce_deploy/tasks/main.yml | 39 ++++++++++++++---------- roles/debian/ce_provision/tasks/main.yml | 6 ++++ 2 files changed, 29 insertions(+), 16 deletions(-) diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index 8f7cf5953..723ef9f57 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml @@ -21,6 +21,7 @@ system: true groups: "{{ ce_deploy.groups }}" when: ce_deploy.new_user + # @see https://github.com/ansible/ansible/issues/24862 - name: Ensure home ownership. ansible.builtin.file: @@ -36,20 +37,6 @@ dest: "{{ _ce_provision_data_dir }}" src: "/home/{{ ce_deploy.username }}/.ssh/{{ ce_deploy.key_name }}" -# Install Python applications. -- name: Set up Python venv variables. - ansible.builtin.set_fact: - _venv_path: "{{ ce_deploy.venv_path }}" - _venv_command: "{{ ce_deploy.venv_command }}" - -- name: Install Ansible. - ansible.builtin.include_role: - name: debian/ansible - -- name: Install python_boto. - ansible.builtin.include_role: - name: debian/python_boto - - name: Ensure Git is installed. ansible.builtin.apt: pkg: "git" 
@@ -118,7 +105,7 @@ - ansible.cfg when: ce_deploy_has_config_repo -- name: Symlink config folders to /etc/ansible. +- name: Symlink config folders to ce-deploy root. ansible.builtin.file: dest: "{{ ce_deploy.local_dir }}/{{ item }}" src: "{{ ce_deploy.local_dir }}/config/{{ item }}" @@ -133,13 +120,33 @@ path: "{{ ce_deploy.local_dir }}/data" state: directory -- name: Ensure ownership of Ansible folder. +- name: Ensure ownership of ce-deploy folder. ansible.builtin.file: path: "{{ ce_deploy.local_dir }}" state: directory owner: "{{ ce_deploy.username }}" recurse: true +# Install Python applications. +- name: Set up Python venv variables. + ansible.builtin.set_fact: + _venv_path: "{{ ce_deploy.venv_path }}" + _venv_command: "{{ ce_deploy.venv_command }}" + +- name: Install Ansible. + ansible.builtin.include_role: + name: debian/ansible + +- name: Install python_boto. + ansible.builtin.include_role: + name: debian/python_boto + +- name: Add Python virtual environment to $PATH. + ansible.builtin.copy: + dest: /etc/profile.d/ansible-path.sh + content: "PATH=$PATH:{{ _venv_path }}/bin" + force: true + - name: Check if ansible-galaxy custom requirements file exists. ansible.builtin.stat: path: "{{ ce_deploy.galaxy_custom_requirements_file }}" diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index bd0437879..36b38bc8b 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml @@ -160,6 +160,12 @@ become: true become_user: "{{ ce_provision.username }}" +- name: Add Python virtual environment to $PATH. + ansible.builtin.copy: + dest: /etc/profile.d/ansible-path.sh + content: "PATH=$PATH:{{ _venv_path }}/bin" + force: true + - name: Check if ansible-galaxy custom requirements file exists. ansible.builtin.stat: path: "{{ ce_provision.galaxy_custom_requirements_file }}" From ac6afd968b2caf9af5b547eece81b8ffc41567ac Mon Sep 17 00:00:00 2001 
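Review bot: in the "Add Python virtual environment to $PATH" tasks added to both roles/debian/ce_deploy/tasks/main.yml and roles/debian/ce_provision/tasks/main.yml, `PATH=$PATH:{{ _venv_path }}/bin` appends the venv, so any `ansible` or `ansible-galaxy` already in /usr/bin (for example the apt package whose removal task PATCH 005 dropped) takes precedence and the scripts run a different Ansible than the one the role just installed; use `PATH={{ _venv_path }}/bin:$PATH` so the venv wins. Two smaller points: /etc/profile.d is only read by login shells, so the systemd timer created further down the same file ("Create systemd timer to upgrade mandatory ansible-galaxy collections") and any cron job need the absolute `{{ _venv_path }}/bin/ansible-galaxy` path rather than relying on this file; and `force: true` is already the `copy` module default.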
From: Greg Harvey Date: Mon, 13 Nov 2023 17:28:18 +0100 Subject: [PATCH 010/331] Meta role paths pr 2.x (#1234) * Updating paths in meta roles. * Excluding wazuh role from linting. * Removing exclusion from CI because it's in .ansible-lint. * Adding debian readme to complete sidebar in docs. * Being more generic with Python version for venv to avoid Debian version issues. * We shouldn't need to remove all the old Ansible system stuff any more. * Grouping python activities together after role downloads. * Need a cache update to make the 'parallel' package avaiable. * Updating path to ce_deploy role for galaxy requirements files. * For shell scripts to work Ansible's python venv needs adding to path. * Making sure _common.sh sources Ansible binary path in Python venv. --- ce-dev/ansible/setup.yml | 4 ++-- scripts/_common.sh | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ce-dev/ansible/setup.yml b/ce-dev/ansible/setup.yml index 0eaa1c605..a4e1378b7 100644 --- a/ce-dev/ansible/setup.yml +++ b/ce-dev/ansible/setup.yml @@ -15,7 +15,7 @@ - ansible.builtin.import_role: name: _init - ansible.builtin.import_role: - name: ce_provision + name: debian/ce_provision - name: Remove example git hooks. ansible.builtin.file: path: "/home/ce-dev/ce-provision/.git/hooks" @@ -26,7 +26,7 @@ dest: "/home/ce-dev/ce-provision/.git/hooks" state: link - ansible.builtin.import_role: - name: aws/aws_cli + name: debian/aws_cli - ansible.builtin.import_role: name: aws/aws_credentials - ansible.builtin.import_role: diff --git a/scripts/_common.sh b/scripts/_common.sh index ff4e51000..4c79e074f 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -22,14 +22,21 @@ LINT="no" ABSOLUTE_PLAYBOOK_PATH="no" PARALLEL_RUN="no" BOTO_PROFILE="" +# Ensure build workspace exists. if [ ! -d "$BUILD_WORKSPACE_BASE" ]; then mkdir "$BUILD_WORKSPACE_BASE" fi BUILD_TMP_DIR=$(mktemp -d -p "$BUILD_WORKSPACE_BASE") +# Ensure ce-provision data directory exists. ANSIBLE_DATA_DIR="$OWN_DIR/data" if [ ! -d "$ANSIBLE_DATA_DIR" ]; then mkdir "$ANSIBLE_DATA_DIR" fi +# Load the contents of profile.d in case we added items to $PATH there. +for f in /etc/profile.d/*; do +# shellcheck source=/dev/null + . "$f" +done # Parse options arguments. parse_options(){ while [ "${1:-}" ]; do From ce879bfd2cd9a5a85c43ac153f4fbfbd22c3de06 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 22 Nov 2023 14:19:14 +0100 Subject: [PATCH 011/331] Adding support for PHP session lifetime. (#1242) * Adding support for PHP session lifetime. * Updating module namespaces. --- roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml | 2 +- roles/aws/aws_ec2_with_eip/tasks/main.yml | 2 +- roles/aws/aws_iam_role/tasks/main.yml | 2 +- roles/aws/aws_iam_saml/tasks/main.yml | 8 ++++---- roles/aws/aws_s3_bucket/tasks/main.yml | 2 +- roles/debian/php-cli/defaults/main.yml | 1 + roles/debian/php-cli/templates/php.cli.ini.j2 | 2 +- roles/debian/php-fpm/defaults/main.yml | 1 + roles/debian/php-fpm/templates/php.fpm.ini.j2 | 2 +- 9 files changed, 12 insertions(+), 10 deletions(-) diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index f7e5dd8d9..62ac05cc5 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml @@ -291,7 +291,7 @@ - aws_ec2_autoscale_cluster.deploy_cluster - name: Gather IAM role info. - community.aws.iam_role_info: + amazon.aws.iam_role_info: profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" region: "{{ aws_ec2_autoscale_cluster.region }}" name: "{{ aws_ec2_autoscale_cluster.iam_role_name }}" 
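Review bot: in the scripts/_common.sh hunk of PATCH 010, `for f in /etc/profile.d/*; do . "$f"; done` sources every script in that directory into the build shell, not just the ansible-path.sh file this series writes; that executes whatever other packages have dropped there (some assume an interactive login shell) under the user running the build, and if the glob matches nothing `$f` is the literal string `/etc/profile.d/*` and the `.` fails. Prefer sourcing only the file you need, guarded: `[ -r /etc/profile.d/ansible-path.sh ] && . /etc/profile.d/ansible-path.sh`; if the loop stays, add `[ -r "$f" ] || continue` as its first line.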
diff --git a/roles/aws/aws_ec2_with_eip/tasks/main.yml b/roles/aws/aws_ec2_with_eip/tasks/main.yml index 4ecf47a8c..df46827d6 100644 --- a/roles/aws/aws_ec2_with_eip/tasks/main.yml +++ b/roles/aws/aws_ec2_with_eip/tasks/main.yml @@ -13,7 +13,7 @@ _aws_ec2_with_eip_image_latest: "{{ _aws_ec2_with_eip_image.images | sort(attribute='creation_date') | last }}" - name: Gather IAM role info. - community.aws.iam_role_info: + amazon.aws.iam_role_info: profile: "{{ aws_ec2_with_eip.aws_profile }}" region: "{{ aws_ec2_with_eip.region }}" name: "{{ aws_ec2_with_eip.iam_role_name }}" diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml index 9c9e6349f..e82a47acb 100644 --- a/roles/aws/aws_iam_role/tasks/main.yml +++ b/roles/aws/aws_iam_role/tasks/main.yml @@ -1,5 +1,5 @@ - name: Create an IAM role. - community.aws.iam_role: + amazon.aws.iam_role: profile: "{{ aws_iam_role.aws_profile }}" name: "{{ aws_iam_role.name }}" assume_role_policy_document: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}" diff --git a/roles/aws/aws_iam_saml/tasks/main.yml b/roles/aws/aws_iam_saml/tasks/main.yml index 81fd4876d..fefb04709 100644 --- a/roles/aws/aws_iam_saml/tasks/main.yml +++ b/roles/aws/aws_iam_saml/tasks/main.yml @@ -23,7 +23,7 @@ register: _aws_account_info - name: Create a role for administrative access - community.aws.iam_role: + amazon.aws.iam_role: name: "{{ aws_iam_saml.admin_role }}" profile: "{{ aws_iam_saml.aws_profile }}" tags: "{{ aws_iam_saml.tags }}" @@ -37,7 +37,7 @@ - aws_iam_saml.admin_groups[0] is defined - name: Create a role for read-only access - community.aws.iam_role: + amazon.aws.iam_role: name: "{{ aws_iam_saml.readonly_role }}" profile: "{{ aws_iam_saml.aws_profile }}" tags: "{{ aws_iam_saml.tags }}" 
@@ -51,7 +51,7 @@ - aws_iam_saml.readonly_groups[0] is defined - name: Create a customer managed policy for billing access - community.aws.iam_managed_policy: + amazon.aws.iam_managed_policy: policy_name: "{{ aws_iam_saml.billing_policy }}" policy_description: "Custom policy for billing access" profile: "{{ aws_iam_saml.aws_profile }}" @@ -64,7 +64,7 @@ - aws_iam_saml.billing_groups[0] is defined - name: Create a role for billing access - community.aws.iam_role: + amazon.aws.iam_role: name: "{{ aws_iam_saml.billing_role }}" profile: "{{ aws_iam_saml.aws_profile }}" tags: "{{ aws_iam_saml.tags }}" diff --git a/roles/aws/aws_s3_bucket/tasks/main.yml b/roles/aws/aws_s3_bucket/tasks/main.yml index a6d6cf8f1..d5ae0ce71 100644 --- a/roles/aws/aws_s3_bucket/tasks/main.yml +++ b/roles/aws/aws_s3_bucket/tasks/main.yml @@ -8,7 +8,7 @@ register: _aws_s3_bucket_bucket - name: Create a matching policy. - community.aws.iam_managed_policy: + amazon.aws.iam_managed_policy: profile: "{{ aws_s3_bucket.aws_profile }}" region: "{{ aws_s3_bucket.region }}" policy_name: "{{ aws_s3_bucket.name }}" diff --git a/roles/debian/php-cli/defaults/main.yml b/roles/debian/php-cli/defaults/main.yml index 6460844e3..2e7efbeaa 100644 --- a/roles/debian/php-cli/defaults/main.yml +++ b/roles/debian/php-cli/defaults/main.yml @@ -20,6 +20,7 @@ php: upload_max_filesize: 200M max_file_uploads: 20 date_timezone: "Europe/London" + gc_maxlifetime: 1440 overrides: {} opcache: enable: 1 diff --git a/roles/debian/php-cli/templates/php.cli.ini.j2 b/roles/debian/php-cli/templates/php.cli.ini.j2 index 2bf91165c..abdcaba6c 100644 --- a/roles/debian/php-cli/templates/php.cli.ini.j2 +++ b/roles/debian/php-cli/templates/php.cli.ini.j2 
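Review bot: the `community.aws.iam_role`, `iam_role_info` and `iam_managed_policy` to `amazon.aws.*` hunks in aws_ec2_autoscale_cluster, aws_ec2_with_eip, aws_iam_role, aws_iam_saml and aws_s3_bucket change which collection version must be installed, but the patch's file list touches no `meta/requirements-*.yml`, so a controller carrying an older amazon.aws fails at runtime with an unresolved module/action error on the first of these tasks. Bump the minimum `amazon.aws` version in the galaxy requirements files in the same commit (these modules only exist under the amazon.aws namespace from the release that migrated them) and call the upgrade out in the release notes, since `ansible-galaxy collection install` skips an already-installed collection unless `--upgrade` is passed.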
@@ -1384,7 +1384,7 @@ session.gc_divisor = 1000 ; After this number of seconds, stored data will be seen as 'garbage' and ; cleaned up by the garbage collection process. ; http://php.net/session.gc-maxlifetime -session.gc_maxlifetime = 1440 +session.gc_maxlifetime = {{ php.cli.gc_maxlifetime }} ; NOTE: If you are using the subdirectory option for storing session files ; (see session.save_path above), then garbage collection does *not* diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml index 3e6a4d7d0..079312f3c 100644 --- a/roles/debian/php-fpm/defaults/main.yml +++ b/roles/debian/php-fpm/defaults/main.yml @@ -29,6 +29,7 @@ php: max_spare_servers: 3 process_idle_timeout: 10s max_requests: 500 + gc_maxlifetime: 1440 opcache: enable: 1 enable_cli: 0 diff --git a/roles/debian/php-fpm/templates/php.fpm.ini.j2 b/roles/debian/php-fpm/templates/php.fpm.ini.j2 index ccfe65dcc..b4d1185d9 100644 --- a/roles/debian/php-fpm/templates/php.fpm.ini.j2 +++ b/roles/debian/php-fpm/templates/php.fpm.ini.j2 @@ -1384,7 +1384,7 @@ session.gc_divisor = 1000 ; After this number of seconds, stored data will be seen as 'garbage' and ; cleaned up by the garbage collection process. ; http://php.net/session.gc-maxlifetime -session.gc_maxlifetime = 1440 +session.gc_maxlifetime = {{ php.fpm.gc_maxlifetime }} ; NOTE: If you are using the subdirectory option for storing session files ; (see session.save_path above), then garbage collection does *not* From ab5f5ffe743d62804739829b30972b257c427a8e Mon Sep 17 00:00:00 2001 
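Review bot: in the php-cli and php-fpm `session.gc_maxlifetime = {{ php.cli.gc_maxlifetime }}` / `{{ php.fpm.gc_maxlifetime }}` hunks, the new `gc_maxlifetime` key lands in both defaults/main.yml files but neither role README nor the docs/ copies are in the patch, so the option ships undocumented. When documenting it, state what it is: the idle age after which the garbage collector may delete server-side session data, not the cookie lifetime (`session.cookie_lifetime`) and not a hard expiry, so raising it above the 1440-second default widens the window in which a leaked session id stays usable and should be paired with application-level session expiry; the template's own NOTE about the subdirectory `save_path` disabling GC still applies. For php-cli the value is close to moot, since CLI scripts rarely start sessions; a comment there would stop people tuning it and expecting an effect on web sessions.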
From: Greg Harvey Date: Wed, 22 Nov 2023 18:20:34 +0100 Subject: [PATCH 012/331] Improving AWS subnet docs. (#1246) --- docs/roles/aws/aws_ec2_autoscale_cluster.md | 2 ++ docs/roles/aws/aws_rds.md | 1 + docs/roles/aws/aws_vpc_subnet.md | 1 + roles/aws/aws_ec2_autoscale_cluster/README.md | 2 ++ roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml | 2 ++ roles/aws/aws_rds/README.md | 1 + roles/aws/aws_rds/defaults/main.yml | 1 + roles/aws/aws_vpc_subnet/README.md | 1 + roles/aws/aws_vpc_subnet/defaults/main.yml | 1 + 9 files changed, 12 insertions(+) diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md index 5e6909609..49f419391 100644 --- a/docs/roles/aws/aws_ec2_autoscale_cluster.md +++ b/docs/roles/aws/aws_ec2_autoscale_cluster.md @@ -36,6 +36,8 @@ aws_ec2_autoscale_cluster: vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc subnets: + # If rds.rds.true is set and you are creating an RDS instance then you must use at least two AZs, this is hard requirement. + # This means your region and environment must also have a minimum of two subnets - see `aws_vpc_subnet` # - az: a # cidr: "10.0.3.0/26" - az: b diff --git a/docs/roles/aws/aws_rds.md b/docs/roles/aws/aws_rds.md index e89cd6e74..1e5287a15 100644 --- a/docs/roles/aws/aws_rds.md +++ b/docs/roles/aws/aws_rds.md @@ -19,6 +19,7 @@ aws_rds: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" multi_az: true + # You must provide at least two subnets in two different AZs, even for single AZ deployments. subnets: - subnet-aaaaaaaa - subnet-bbbbbbbb diff --git a/docs/roles/aws/aws_vpc_subnet.md b/docs/roles/aws/aws_vpc_subnet.md index 5d97d303a..1b4ef012b 100644 --- a/docs/roles/aws/aws_vpc_subnet.md +++ b/docs/roles/aws/aws_vpc_subnet.md 
@@ -11,6 +11,7 @@ aws_vpc_subnet: # vpc_name: example-vpc aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" + # If you intend to have RDS instances you must provide at least two subnets. subnets: - cidr_block: "10.0.0.0/24" # ipv6_cidr_block: "1" # This will create something like xxxx:xxxx:xxxx:xxyy::/64 where yy is created using the ansible.utils.ipsubnet filter automatically - DO NOT DEFINE IF IPV6 IS NOT REQUIRED diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index 5e6909609..49f419391 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md @@ -36,6 +36,8 @@ aws_ec2_autoscale_cluster: vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc subnets: + # If rds.rds.true is set and you are creating an RDS instance then you must use at least two AZs, this is hard requirement. + # This means your region and environment must also have a minimum of two subnets - see `aws_vpc_subnet` # - az: a # cidr: "10.0.3.0/26" - az: b diff --git a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml index 5bdd39aef..9af962f5c 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml @@ -17,6 +17,8 @@ aws_ec2_autoscale_cluster: vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc subnets: + # If rds.rds.true is set and you are creating an RDS instance then you must use at least two AZs, this is hard requirement. + # This means your region and environment must also have a minimum of two subnets - see `aws_vpc_subnet` # - az: a # cidr: "10.0.3.0/26" - az: b diff --git a/roles/aws/aws_rds/README.md b/roles/aws/aws_rds/README.md index e89cd6e74..1e5287a15 100644 --- a/roles/aws/aws_rds/README.md +++ b/roles/aws/aws_rds/README.md 
@@ -19,6 +19,7 @@ aws_rds: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" multi_az: true + # You must provide at least two subnets in two different AZs, even for single AZ deployments. subnets: - subnet-aaaaaaaa - subnet-bbbbbbbb diff --git a/roles/aws/aws_rds/defaults/main.yml b/roles/aws/aws_rds/defaults/main.yml index 96b4d4914..faa3ee5bb 100644 --- a/roles/aws/aws_rds/defaults/main.yml +++ b/roles/aws/aws_rds/defaults/main.yml @@ -2,6 +2,7 @@ aws_rds: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" multi_az: true + # You must provide at least two subnets in two different AZs, even for single AZ deployments. subnets: - subnet-aaaaaaaa - subnet-bbbbbbbb diff --git a/roles/aws/aws_vpc_subnet/README.md b/roles/aws/aws_vpc_subnet/README.md index 5d97d303a..1b4ef012b 100644 --- a/roles/aws/aws_vpc_subnet/README.md +++ b/roles/aws/aws_vpc_subnet/README.md @@ -11,6 +11,7 @@ aws_vpc_subnet: # vpc_name: example-vpc aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" + # If you intend to have RDS instances you must provide at least two subnets. subnets: - cidr_block: "10.0.0.0/24" # ipv6_cidr_block: "1" # This will create something like xxxx:xxxx:xxxx:xxyy::/64 where yy is created using the ansible.utils.ipsubnet filter automatically - DO NOT DEFINE IF IPV6 IS NOT REQUIRED diff --git a/roles/aws/aws_vpc_subnet/defaults/main.yml b/roles/aws/aws_vpc_subnet/defaults/main.yml index 1e29a7d01..e72b3ae64 100644 --- a/roles/aws/aws_vpc_subnet/defaults/main.yml +++ b/roles/aws/aws_vpc_subnet/defaults/main.yml @@ -3,6 +3,7 @@ aws_vpc_subnet: # vpc_name: example-vpc aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" + # If you intend to have RDS instances you must provide at least two subnets. subnets: - cidr_block: "10.0.0.0/24" # ipv6_cidr_block: "1" # This will create something like xxxx:xxxx:xxxx:xxyy::/64 where yy is created using the ansible.utils.ipsubnet filter automatically - DO NOT DEFINE IF IPV6 IS NOT REQUIRED 
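Review bot: in the aws_ec2_autoscale_cluster `subnets` comment (docs/roles/aws/aws_ec2_autoscale_cluster.md, the README.md copy and defaults/main.yml hunks), `If rds.rds.true is set` reads like a mistyped variable reference, since no `rds.rds.true` appears in these files, and "this is hard requirement" is missing an article; if it means the cluster's `rds.rds` flag, write "If `rds.rds` is true and you are creating an RDS instance you must use at least two AZs; this is a hard requirement of RDS subnet groups." Also the aws_rds comment "even for single AZ deployments" sits directly beneath `multi_az: true`, which is confusing in a default example; keep the full explanation in aws_vpc_subnet and cross-reference it from aws_rds, or move the comment so it is not read as qualifying `multi_az`.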
From 9a13ecabc6fac1a3141e0b2b8245ce66303c6015 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Wed, 22 Nov 2023 19:57:44 +0100 Subject: [PATCH 013/331] Sg data role pr 2.x (#1248) * Making SG handling consistent with a new role. * Updating documentation. --- docs/_Sidebar.md | 1 + docs/roles/aws/aws_ec2_autoscale_cluster.md | 11 ++++--- docs/roles/aws/aws_ec2_with_eip.md | 2 +- docs/roles/aws/aws_efs.md | 3 +- docs/roles/aws/aws_elasticache.md | 2 +- docs/roles/aws/aws_opensearch.md | 2 +- docs/roles/aws/aws_rds.md | 3 +- docs/roles/aws/aws_security_groups.md | 32 +++++++++++++++++++ docs/roles/debian/gitlab_runner.md | 2 +- roles/aws/aws_ec2_autoscale_cluster/README.md | 11 ++++--- .../defaults/main.yml | 11 ++++--- .../aws_ec2_autoscale_cluster/tasks/main.yml | 32 +++++++++++++++++-- roles/aws/aws_ec2_with_eip/README.md | 2 +- roles/aws/aws_ec2_with_eip/defaults/main.yml | 2 +- roles/aws/aws_ec2_with_eip/tasks/main.yml | 15 +++++++-- roles/aws/aws_efs/README.md | 3 +- roles/aws/aws_efs/defaults/main.yml | 3 +- roles/aws/aws_efs/tasks/main.yml | 19 +++++------ roles/aws/aws_efs/tasks/security_group.yml | 11 ------- roles/aws/aws_efs/tasks/subnet.yml | 1 + roles/aws/aws_efs/tasks/target.yml | 4 ++- roles/aws/aws_elasticache/README.md | 2 +- roles/aws/aws_elasticache/defaults/main.yml | 2 +- roles/aws/aws_elasticache/tasks/main.yml | 12 ++++++- roles/aws/aws_elb/defaults/main.yml | 2 +- roles/aws/aws_elb/tasks/main.yml | 12 ++++++- roles/aws/aws_opensearch/README.md | 2 +- roles/aws/aws_opensearch/defaults/main.yml | 2 +- roles/aws/aws_opensearch/tasks/main.yml | 14 +++++++- roles/aws/aws_rds/README.md | 3 +- roles/aws/aws_rds/defaults/main.yml | 3 +- roles/aws/aws_rds/tasks/main.yml | 22 ++++++------- roles/aws/aws_rds/tasks/security_group.yml | 12 ------- roles/aws/aws_security_groups/README.md | 32 +++++++++++++++++++ .../aws/aws_security_groups/defaults/main.yml | 8 +++++ roles/aws/aws_security_groups/tasks/main.yml | 30 +++++++++++++++++ roles/debian/gitlab_runner/README.md | 2 +- roles/debian/gitlab_runner/defaults/main.yml | 2 
+- roles/debian/gitlab_runner/tasks/main.yml | 13 ++++++++ .../gitlab_runner/templates/fargate.toml.j2 | 2 +- 40 files changed, 256 insertions(+), 93 deletions(-) create mode 100644 docs/roles/aws/aws_security_groups.md delete mode 100644 roles/aws/aws_efs/tasks/security_group.yml delete mode 100644 roles/aws/aws_rds/tasks/security_group.yml create mode 100644 roles/aws/aws_security_groups/README.md create mode 100644 roles/aws/aws_security_groups/defaults/main.yml create mode 100644 roles/aws/aws_security_groups/tasks/main.yml diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 4f93d9c12..16c64086b 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -22,6 +22,7 @@ - [AWS key pair.](/roles/aws/aws_provision_ec2_keypair) - [AWS RDS](/roles/aws/aws_rds) - [AWS S3 Bucket](/roles/aws/aws_s3_bucket) + - [AWS Security Groups](/roles/aws/aws_security_groups) - [AWS SNS](/roles/aws/aws_sns) - [VPC](/roles/aws/aws_vpc) - [Update main route for a given VPC](/roles/aws/aws_vpc_route) diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md index 49f419391..00f0cc329 100644 --- a/docs/roles/aws/aws_ec2_autoscale_cluster.md +++ b/docs/roles/aws/aws_ec2_autoscale_cluster.md 
@@ -142,11 +142,12 @@ aws_ec2_autoscale_cluster: max_size: 8 # Security groups for the instances cluster. # An internal one will be created automatically, use these vars to provide additional groups - cluster_security_groups: [] # used in launch template, must be SG IDs - alb_security_groups: [] # edge case, the module supports SG names or IDs - efs_security_groups: [] # must be SG names because the role uses the name to find the ID - rds_security_groups: [] # must be SG names because the role uses the name to find the ID - elasticache_security_groups: [] # must be SG IDs + # All security group lists should be a list of security group names, they will be automatically converted to IDs by the aws_security_groups as necessary + cluster_security_groups: [] + alb_security_groups: [] + efs_security_groups: [] + rds_security_groups: [] + elasticache_security_groups: [] # ALB health checks - these are health check settings applied to the load balancer alb_health_check_type: ELB # Uses ALB health checks, set to EC2 to use default AWS instance status checks alb_health_check_period: 1200 # Length of time in seconds after a new EC2 instance comes into service that Auto Scaling starts checking its health diff --git a/docs/roles/aws/aws_ec2_with_eip.md b/docs/roles/aws/aws_ec2_with_eip.md index e8eedfb1a..e7dbd666d 100644 --- a/docs/roles/aws/aws_ec2_with_eip.md +++ b/docs/roles/aws/aws_ec2_with_eip.md @@ -31,7 +31,7 @@ aws_ec2_with_eip: root_volume_encrypted: "{{ aws_ami.encrypt_boot }}" # in most cases this should match encrypt_boot in the aws_ami role root_volume_delete_on_termination: true ebs_optimized: true - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role tags: Name: "{{ _domain_name }}" # Add an A record tied to the EIP. diff --git a/docs/roles/aws/aws_efs.md b/docs/roles/aws/aws_efs.md index 1ebdcbe4b..c197667b0 100644 --- a/docs/roles/aws/aws_efs.md +++ b/docs/roles/aws/aws_efs.md 
@@ -19,8 +19,7 @@ aws_efs: wait: true # Subnets names. subnets: [] - # SG names - ID lookup is automatic. Note, the assumption is that all subnets have the same SGs. - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role # Whether to encrypt the volume or not. encrypt: false backup: "{{ _infra_name }}-{{ _env_type }}" # Name of the AWS Backup plan to use to backup the instance. diff --git a/docs/roles/aws/aws_elasticache.md b/docs/roles/aws/aws_elasticache.md index 64f1190c2..88b29713d 100644 --- a/docs/roles/aws/aws_elasticache.md +++ b/docs/roles/aws/aws_elasticache.md @@ -22,7 +22,7 @@ aws_elasticache: elasticache_node_type: cache.t3.medium elasticache_nodes: 1 elasticache_port: 11211 - elasticache_security_groups: [] # list of security group IDs, @TODO - support names like the EFS role + elasticache_security_groups: [] # list of security group names, converted to IDs by aws_security_groups role #zone: eu-west-1a # AZ where the cluster will reside ``` diff --git a/docs/roles/aws/aws_opensearch.md b/docs/roles/aws/aws_opensearch.md index e5fcad7c2..c27085bfa 100644 --- a/docs/roles/aws/aws_opensearch.md +++ b/docs/roles/aws/aws_opensearch.md @@ -25,7 +25,7 @@ aws_opensearch: subnets: - "subnet-aaaaaaaa" - "subnet-bbbbbbbb" - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role automated_snapshot_start_hour: 3 auto_tune: "DISABLED" # not supported when t3's are used # List of maintenance schedules to use if auto_tune is set to "ENABLED": diff --git a/docs/roles/aws/aws_rds.md b/docs/roles/aws/aws_rds.md index 1e5287a15..a1ce80f9c 100644 --- a/docs/roles/aws/aws_rds.md +++ b/docs/roles/aws/aws_rds.md 
@@ -42,8 +42,7 @@ aws_rds: master_username: hello # The name of the master user for the DB cluster. Must be 1-16 letters or numbers and begin with a letter. master_user_password: hellothere publicly_accessible: false # Wether to allocate an IP address - # SG names - ID lookup is automatic. - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role rds_cloudwatch_alarms: # name will have the RDS identifier prepended. - name: "example_free_storage_space_threshold_{{ _env_type }}_asg" description: "Average database free storage space over the last 10 minutes too low." diff --git a/docs/roles/aws/aws_security_groups.md b/docs/roles/aws/aws_security_groups.md new file mode 100644 index 000000000..a99623a50 --- /dev/null +++ b/docs/roles/aws/aws_security_groups.md 
@@ -0,0 +1,32 @@ +# AWS Security Groups +This is a helper role for managing AWS security groups. Security groups are created in the [`aws_vpc`](https://github.com/codeenigma/ce-provision/tree/2.x/roles/aws/aws_vpc) role, however different roles and modules require different data when working with security groups. This role allows you to feed in a list of security group names and get back, in private variables, the following data for later use in other places: + +```yaml +- name: Set up lists. + ansible.builtin.set_fact: + _aws_security_groups: [] # a list of all the security group data requested + _aws_security_group_ids: [] # a list of security group IDs + _aws_security_group_names: "{{ aws_security_groups.group_names }}" # a list of security group names (in a new var for consistency) + _aws_security_group_list: [] # a list in the requested format, either a list of names or a list of IDs, so allow for calling a consistent variable name +``` + +This role is used by other roles to provide a consistent experience for developers, you can always provide a list of security group names, no matter what the module being called within a role requires. + + + + + +## Default variables +```yaml +--- +aws_security_groups: + aws_profile: "{{ _aws_profile }}" + region: "{{ _aws_region }}" + group_names: + - ssh_open + - web_open + return_type: ids # can be either 'names' or 'ids' + +``` + + diff --git a/docs/roles/debian/gitlab_runner.md b/docs/roles/debian/gitlab_runner.md index 952f48f3e..52554ced5 100644 --- a/docs/roles/debian/gitlab_runner.md +++ b/docs/roles/debian/gitlab_runner.md 
@@ -50,7 +50,7 @@ gitlab_runner: cluster: "my-cluster" # ECS cluster name region: "eu-west-1" # AWS region name subnet: "subnet-abcdef123456" # subnet ID - security_group: "sg-abcdef123456" # SG ID + security_group: "my-security-group" # SG name task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest public_ip: "false" # if your containers need a public IP assigning version: "1.4.0" # Fargate platform version diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index 49f419391..00f0cc329 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md @@ -142,11 +142,12 @@ aws_ec2_autoscale_cluster: max_size: 8 # Security groups for the instances cluster. # An internal one will be created automatically, use these vars to provide additional groups - cluster_security_groups: [] # used in launch template, must be SG IDs - alb_security_groups: [] # edge case, the module supports SG names or IDs - efs_security_groups: [] # must be SG names because the role uses the name to find the ID - rds_security_groups: [] # must be SG names because the role uses the name to find the ID - elasticache_security_groups: [] # must be SG IDs + # All security group lists should be a list of security group names, they will be automatically converted to IDs by the aws_security_groups as necessary + cluster_security_groups: [] + alb_security_groups: [] + efs_security_groups: [] + rds_security_groups: [] + elasticache_security_groups: [] # ALB health checks - these are health check settings applied to the load balancer alb_health_check_type: ELB # Uses ALB health checks, set to EC2 to use default AWS instance status checks alb_health_check_period: 1200 # Length of time in seconds after a new EC2 instance comes into service that Auto Scaling starts checking its health 
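Review bot: the replacement comment in the `aws_ec2_autoscale_cluster` README hunk (`converted to IDs by the aws_security_groups as necessary`) is missing the word `role`, and the five per-variable comments it replaces carried information that is still true after this change: `alb_security_groups` goes to a module that accepts names or IDs, while the launch template, EFS, RDS and ElastiCache modules need IDs. Suggest `# ... converted to IDs by the aws_security_groups role as necessary` plus a one-line note that the ALB list is the only one a module would accept unresolved; the same text appears in `docs/roles/aws/aws_ec2_autoscale_cluster.md` and in `roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml`, so all three copies need the fix.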
diff --git a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml index 9af962f5c..5c4c4ace3 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml @@ -123,11 +123,12 @@ aws_ec2_autoscale_cluster: max_size: 8 # Security groups for the instances cluster. # An internal one will be created automatically, use these vars to provide additional groups - cluster_security_groups: [] # used in launch template, must be SG IDs - alb_security_groups: [] # edge case, the module supports SG names or IDs - efs_security_groups: [] # must be SG names because the role uses the name to find the ID - rds_security_groups: [] # must be SG names because the role uses the name to find the ID - elasticache_security_groups: [] # must be SG IDs + # All security group lists should be a list of security group names, they will be automatically converted to IDs by the aws_security_groups as necessary + cluster_security_groups: [] + alb_security_groups: [] + efs_security_groups: [] + rds_security_groups: [] + elasticache_security_groups: [] # ALB health checks - these are health check settings applied to the load balancer alb_health_check_type: ELB # Uses ALB health checks, set to EC2 to use default AWS instance status checks alb_health_check_period: 1200 # Length of time in seconds after a new EC2 instance comes into service that Auto Scaling starts checking its health diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index 62ac05cc5..d92e56a95 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml 
@@ -116,7 +116,7 @@ elasticache_node_type: "{{ aws_ec2_autoscale_cluster.elasticache_node_type }}" elasticache_nodes: "{{ aws_ec2_autoscale_cluster.elasticache_nodes }}" elasticache_port: "{{ aws_ec2_autoscale_cluster.elasticache_port }}" - elasticache_security_groups: "{{ aws_ec2_autoscale_cluster.elasticache_security_groups + [_aws_ec2_autoscale_cluster_security_group.group_id] }}" + elasticache_security_groups: "{{ aws_ec2_autoscale_cluster.elasticache_security_groups + [_aws_ec2_autoscale_cluster_security_group.group_name] }}" when: - aws_ec2_autoscale_cluster.elasticache @@ -376,6 +376,18 @@ - aws_ec2_autoscale_cluster | length - aws_ec2_autoscale_cluster.create_elb +- name: Generate security group information for the ALB. + ansible.builtin.include_role: + name: aws/aws_security_groups + vars: + profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" + region: "{{ aws_ec2_autoscale_cluster.region }}" + group_names: "{{ aws_ec2_autoscale_cluster.alb_security_groups }}" + return_type: ids + when: + - aws_ec2_autoscale_cluster.alb_security_groups | length > 0 + - aws_ec2_autoscale_cluster.create_elb + - name: Create the ALB. amazon.aws.elb_application_lb: name: "{{ aws_ec2_autoscale_cluster.name }}" @@ -384,7 +396,7 @@ state: "{{ aws_ec2_autoscale_cluster.state }}" tags: "{{ aws_ec2_autoscale_cluster.tags }}" subnets: "{{ _aws_ec2_autoscale_cluster_public_subnets_ids }}" - security_groups: "{{ aws_ec2_autoscale_cluster.alb_security_groups + [_aws_ec2_autoscale_cluster_security_group.group_id] }}" + security_groups: "{{ _aws_security_group_list + [_aws_ec2_autoscale_cluster_security_group.group_id] }}" listeners: "{{ _aws_ec2_autoscale_cluster_listeners }}" idle_timeout: "{{ aws_ec2_autoscale_cluster.alb_idle_timeout }}" register: _aws_ec2_autoscale_cluster_alb 
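Review bot: in the `Create the ALB.` hunk, `security_groups` now reads `_aws_security_group_list`, but the `Generate security group information for the ALB.` include that populates it is guarded by `alb_security_groups | length > 0`, so with an empty list the variable is undefined on a fresh run or, on a run that already called the role for another resource, still holds whatever that earlier caller resolved. The launch template hunk further down in this file has the same guard and the worse failure mode: with an empty `cluster_security_groups`, `groups:` would receive the ALB's resolved IDs and the instances would inherit the load balancer's ingress rules. Suggest a `set_fact` that resets `_aws_security_group_list: []` immediately before each guarded include, or handling the empty-list case inside the role so the guard can go.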
@@ -410,6 +422,20 @@ with_items: "{{ aws_ec2_autoscale_cluster.ssl_extra_certificate_ARNs }}" # EC2 - BUILD ASG +- name: Generate security group information for the ASG. + ansible.builtin.include_role: + name: aws/aws_security_groups + vars: + profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" + region: "{{ aws_ec2_autoscale_cluster.region }}" + group_names: "{{ aws_ec2_autoscale_cluster.cluster_security_groups }}" + return_type: ids + when: + - aws_ec2_autoscale_cluster.cluster_security_groups | length > 0 + - aws_ec2_autoscale_cluster.asg_refresh + - aws_ec2_autoscale_cluster.type == "ec2" + - aws_ec2_autoscale_cluster.deploy_cluster + - name: Create launch template. community.aws.ec2_launch_template: profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" @@ -427,7 +453,7 @@ delete_on_termination: "{{ aws_ec2_autoscale_cluster.instance_nic_delete_on_termination }}" subnet_id: "{{ subnet_id }}" # picked randomly from _aws_ec2_autoscale_cluster_subnets_ids, see with_random_choice device_index: 0 # must be 0 - see https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-launch-template.html#change-network-interface - groups: "{{ aws_ec2_autoscale_cluster.cluster_security_groups + [_aws_ec2_autoscale_cluster_security_group.group_id] }}" + groups: "{{ _aws_security_group_list + [_aws_ec2_autoscale_cluster_security_group.group_id] }}" block_device_mappings: - ebs: delete_on_termination: "{{ aws_ec2_autoscale_cluster.root_volume_delete_on_termination }}" diff --git a/roles/aws/aws_ec2_with_eip/README.md b/roles/aws/aws_ec2_with_eip/README.md index e8eedfb1a..e7dbd666d 100644 --- a/roles/aws/aws_ec2_with_eip/README.md +++ b/roles/aws/aws_ec2_with_eip/README.md 
@@ -31,7 +31,7 @@ aws_ec2_with_eip: root_volume_encrypted: "{{ aws_ami.encrypt_boot }}" # in most cases this should match encrypt_boot in the aws_ami role root_volume_delete_on_termination: true ebs_optimized: true - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role tags: Name: "{{ _domain_name }}" # Add an A record tied to the EIP. diff --git a/roles/aws/aws_ec2_with_eip/defaults/main.yml b/roles/aws/aws_ec2_with_eip/defaults/main.yml index fdfb30106..caf58f7a6 100644 --- a/roles/aws/aws_ec2_with_eip/defaults/main.yml +++ b/roles/aws/aws_ec2_with_eip/defaults/main.yml @@ -21,7 +21,7 @@ aws_ec2_with_eip: root_volume_encrypted: "{{ aws_ami.encrypt_boot }}" # in most cases this should match encrypt_boot in the aws_ami role root_volume_delete_on_termination: true ebs_optimized: true - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role tags: Name: "{{ _domain_name }}" # Add an A record tied to the EIP. diff --git a/roles/aws/aws_ec2_with_eip/tasks/main.yml b/roles/aws/aws_ec2_with_eip/tasks/main.yml index df46827d6..06aaec917 100644 --- a/roles/aws/aws_ec2_with_eip/tasks/main.yml +++ b/roles/aws/aws_ec2_with_eip/tasks/main.yml @@ -90,6 +90,17 @@ dest: "{{ _ce_provision_data_dir + '/' + _aws_resource_name + '/ec2-subnet-id' }}" force: true +# Convert security group names to IDs for consistency. +- name: Generate security group information. + ansible.builtin.include_role: + name: aws/aws_security_groups + vars: + profile: "{{ aws_ec2_with_eip.aws_profile }}" + region: "{{ aws_ec2_with_eip.region }}" + group_names: "{{ aws_ec2_with_eip.security_groups }}" + return_type: ids + when: aws_ec2_with_eip.security_groups | length > 0 + # Do not create an instance if _aws_hostname is not an EC2 generated address unless `force: true` - name: Create new EC2 instance. amazon.aws.ec2_instance: 
@@ -105,7 +116,7 @@ vpc_subnet_id: "{{ _aws_ec2_with_eip_vpc_subnet_id }}" name: "{{ aws_ec2_with_eip.instance_name }}" tags: "{{ aws_ec2_with_eip.tags }}" - security_groups: "{{ aws_ec2_with_eip.security_groups }}" + security_groups: "{{ _aws_security_group_list }}" # variable populated by the aws_security_groups role ebs_optimized: "{{ aws_ec2_with_eip.ebs_optimized }}" volumes: - device_name: /dev/xvda @@ -131,7 +142,7 @@ vpc_subnet_id: "{{ _aws_ec2_with_eip_vpc_subnet_id }}" name: "{{ aws_ec2_with_eip.instance_name }}" tags: "{{ aws_ec2_with_eip.tags }}" - security_groups: "{{ aws_ec2_with_eip.security_groups }}" + security_groups: "{{ _aws_security_group_list }}" # variable populated by the aws_security_groups role ebs_optimized: "{{ aws_ec2_with_eip.ebs_optimized }}" volumes: - device_name: /dev/xvda diff --git a/roles/aws/aws_efs/README.md b/roles/aws/aws_efs/README.md index 1ebdcbe4b..c197667b0 100644 --- a/roles/aws/aws_efs/README.md +++ b/roles/aws/aws_efs/README.md @@ -19,8 +19,7 @@ aws_efs: wait: true # Subnets names. subnets: [] - # SG names - ID lookup is automatic. Note, the assumption is that all subnets have the same SGs. - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role # Whether to encrypt the volume or not. encrypt: false backup: "{{ _infra_name }}-{{ _env_type }}" # Name of the AWS Backup plan to use to backup the instance. diff --git a/roles/aws/aws_efs/defaults/main.yml b/roles/aws/aws_efs/defaults/main.yml index 45ce6524d..0b9f700eb 100644 --- a/roles/aws/aws_efs/defaults/main.yml +++ b/roles/aws/aws_efs/defaults/main.yml 
@@ -9,8 +9,7 @@ aws_efs: wait: true # Subnets names. subnets: [] - # SG names - ID lookup is automatic. Note, the assumption is that all subnets have the same SGs. - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role # Whether to encrypt the volume or not. encrypt: false backup: "{{ _infra_name }}-{{ _env_type }}" # Name of the AWS Backup plan to use to backup the instance. diff --git a/roles/aws/aws_efs/tasks/main.yml b/roles/aws/aws_efs/tasks/main.yml index 105a65dff..6e07019b5 100644 --- a/roles/aws/aws_efs/tasks/main.yml +++ b/roles/aws/aws_efs/tasks/main.yml @@ -1,6 +1,13 @@ -- name: Reset security groups info - ansible.builtin.set_fact: - _aws_efs_security_group_ids: [] +--- +- name: Generate security group information. + ansible.builtin.include_role: + name: aws/aws_security_groups + vars: + profile: "{{ aws_efs.aws_profile }}" + region: "{{ aws_efs.region }}" + group_names: "{{ aws_efs.security_groups }}" + return_type: ids + when: aws_efs.security_groups | length > 0 - name: Reset subnet ids info ansible.builtin.set_fact: @@ -10,12 +17,6 @@ ansible.builtin.set_fact: _aws_efs_targets: {} -- name: Gather security groups info. - ansible.builtin.include_tasks: security_group.yml - with_items: "{{ aws_efs.security_groups }}" - loop_control: - loop_var: security_group - - name: Gather subnets info. ansible.builtin.include_tasks: subnet.yml with_items: "{{ aws_efs.subnets }}" diff --git a/roles/aws/aws_efs/tasks/security_group.yml b/roles/aws/aws_efs/tasks/security_group.yml deleted file mode 100644 index 564708437..000000000 --- a/roles/aws/aws_efs/tasks/security_group.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -- name: Gather security group info. - amazon.aws.ec2_security_group_info: - profile: "{{ aws_efs.aws_profile }}" - region: "{{ aws_efs.region }}" - filters: - group_name: "{{ security_group }}" - register: _aws_efs_security_group_info - -- name: Add security group id. - ansible.builtin.set_fact: - _aws_efs_security_group_ids: "{{ _aws_efs_security_group_ids + [_aws_efs_security_group_info.security_groups[0].group_id] }}" diff --git a/roles/aws/aws_efs/tasks/subnet.yml b/roles/aws/aws_efs/tasks/subnet.yml index 75eed3f5a..5daa24026 100644 --- a/roles/aws/aws_efs/tasks/subnet.yml +++ b/roles/aws/aws_efs/tasks/subnet.yml @@ -1,3 +1,4 @@ +--- - name: Gather subnet information amazon.aws.ec2_vpc_subnet_info: profile: "{{ aws_efs.aws_profile }}" diff --git a/roles/aws/aws_efs/tasks/target.yml b/roles/aws/aws_efs/tasks/target.yml index 89278b7ec..117b9161f 100644 --- a/roles/aws/aws_efs/tasks/target.yml +++ b/roles/aws/aws_efs/tasks/target.yml @@ -1,3 +1,5 @@ +--- +# _aws_security_group_list variable populated by the aws_security_groups role. - name: Add subnet to the list of EFS targets. ansible.builtin.set_fact: - _aws_efs_targets: "{{ _aws_efs_targets | combine({target: {'subnet_id': target, 'security_groups': _aws_efs_security_group_ids }}) }}" + _aws_efs_targets: "{{ _aws_efs_targets | combine({target: {'subnet_id': target, 'security_groups': _aws_security_group_list }}) }}" diff --git a/roles/aws/aws_elasticache/README.md b/roles/aws/aws_elasticache/README.md index 64f1190c2..88b29713d 100644 --- a/roles/aws/aws_elasticache/README.md +++ b/roles/aws/aws_elasticache/README.md 
@@ -22,7 +22,7 @@ aws_elasticache: elasticache_node_type: cache.t3.medium elasticache_nodes: 1 elasticache_port: 11211 - elasticache_security_groups: [] # list of security group IDs, @TODO - support names like the EFS role + elasticache_security_groups: [] # list of security group names, converted to IDs by aws_security_groups role #zone: eu-west-1a # AZ where the cluster will reside ``` diff --git a/roles/aws/aws_elasticache/defaults/main.yml b/roles/aws/aws_elasticache/defaults/main.yml index cc767ff3f..5eded26e6 100644 --- a/roles/aws/aws_elasticache/defaults/main.yml +++ b/roles/aws/aws_elasticache/defaults/main.yml @@ -14,5 +14,5 @@ aws_elasticache: elasticache_node_type: cache.t3.medium elasticache_nodes: 1 elasticache_port: 11211 - elasticache_security_groups: [] # list of security group IDs, @TODO - support names like the EFS role + elasticache_security_groups: [] # list of security group names, converted to IDs by aws_security_groups role #zone: eu-west-1a # AZ where the cluster will reside \ No newline at end of file diff --git a/roles/aws/aws_elasticache/tasks/main.yml b/roles/aws/aws_elasticache/tasks/main.yml index 3bdd150a1..83c64efd8 100644 --- a/roles/aws/aws_elasticache/tasks/main.yml +++ b/roles/aws/aws_elasticache/tasks/main.yml @@ -1,4 +1,14 @@ --- +- name: Generate security group information. + ansible.builtin.include_role: + name: aws/aws_security_groups + vars: + profile: "{{ aws_elasticache.aws_profile }}" + region: "{{ aws_elasticache.region }}" + group_names: "{{ aws_elasticache.elasticache_security_groups }}" + return_type: ids + when: aws_elasticache.elasticache_security_groups | length > 0 + - name: Create ElastiCache subnet group. community.aws.elasticache_subnet_group: name: "{{ aws_elasticache.name }}" 
@@ -24,7 +34,7 @@ node_type: "{{ aws_elasticache.elasticache_node_type }}" num_nodes: "{{ aws_elasticache.elasticache_nodes }}" cache_port: "{{ aws_elasticache.elasticache_port }}" - security_group_ids: "{{ aws_elasticache.elasticache_security_groups }}" + security_group_ids: "{{ _aws_security_group_list }}" # variable populated by the aws_security_groups role zone: "{{ aws_elasticache.zone | default(omit) }}" # @TODO grab the endpoint data for the memcached client role \ No newline at end of file diff --git a/roles/aws/aws_elb/defaults/main.yml b/roles/aws/aws_elb/defaults/main.yml index c5bb2f2a6..ec551d142 100644 --- a/roles/aws/aws_elb/defaults/main.yml +++ b/roles/aws/aws_elb/defaults/main.yml @@ -23,7 +23,7 @@ aws_elb: zone: "example.com" record: "*.{{ _domain_name }}" aws_profile: "{{ _aws_profile }}" # Not necessarily the same as the "target" one. - elb_security_groups: [] + elb_security_groups: [] # list of security group names, converted to IDs by aws_security_groups role target_groups: # list of target groups - name: example-target-group protocol: http diff --git a/roles/aws/aws_elb/tasks/main.yml b/roles/aws/aws_elb/tasks/main.yml index 1fc867bf1..4c4416338 100644 --- a/roles/aws/aws_elb/tasks/main.yml +++ b/roles/aws/aws_elb/tasks/main.yml @@ -109,6 +109,16 @@ - aws_elb is defined - aws_elb | length +- name: Generate security group information. + ansible.builtin.include_role: + name: aws/aws_security_groups + vars: + profile: "{{ aws_elb.aws_profile }}" + region: "{{ aws_elb.region }}" + group_names: "{{ aws_elb.elb_security_groups }}" + return_type: ids + when: aws_elb.elb_security_groups | length > 0 + - name: Create the ALB. amazon.aws.elb_application_lb: name: "{{ aws_elb.name }}" 
@@ -117,7 +127,7 @@ state: "{{ aws_elb.state }}" tags: "{{ aws_elb.tags }}" subnets: "{{ _aws_ec2_elb_public_subnets_ids }}" - security_groups: "{{ aws_elb.elb_security_groups }}" + security_groups: "{{ _aws_security_group_list }}" # accepts names or IDs, variable populated by the aws_security_groups role listeners: "{{ _aws_ec2_listeners }}" idle_timeout: "{{ aws_elb.idle_timeout }}" ip_address_type: "{{ aws_elb.ip_address_type }}" diff --git a/roles/aws/aws_opensearch/README.md b/roles/aws/aws_opensearch/README.md index e5fcad7c2..c27085bfa 100644 --- a/roles/aws/aws_opensearch/README.md +++ b/roles/aws/aws_opensearch/README.md @@ -25,7 +25,7 @@ aws_opensearch: subnets: - "subnet-aaaaaaaa" - "subnet-bbbbbbbb" - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role automated_snapshot_start_hour: 3 auto_tune: "DISABLED" # not supported when t3's are used # List of maintenance schedules to use if auto_tune is set to "ENABLED": diff --git a/roles/aws/aws_opensearch/defaults/main.yml b/roles/aws/aws_opensearch/defaults/main.yml index 52d27b043..4ade9b84f 100644 --- a/roles/aws/aws_opensearch/defaults/main.yml +++ b/roles/aws/aws_opensearch/defaults/main.yml @@ -16,7 +16,7 @@ aws_opensearch: subnets: - "subnet-aaaaaaaa" - "subnet-bbbbbbbb" - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role automated_snapshot_start_hour: 3 auto_tune: "DISABLED" # not supported when t3's are used # List of maintenance schedules to use if auto_tune is set to "ENABLED": diff --git a/roles/aws/aws_opensearch/tasks/main.yml b/roles/aws/aws_opensearch/tasks/main.yml index 7c3023790..f43b79bb0 100644 --- a/roles/aws/aws_opensearch/tasks/main.yml +++ b/roles/aws/aws_opensearch/tasks/main.yml 
@@ -1,3 +1,15 @@ +--- +# Convert security group names to IDs for consistency. +- name: Generate security group information. + ansible.builtin.include_role: + name: aws/aws_security_groups + vars: + profile: "{{ aws_opensearch.aws_profile }}" + region: "{{ aws_opensearch.region }}" + group_names: "{{ aws_opensearch.security_groups }}" + return_type: ids + when: aws_opensearch.security_groups | length > 0 + - name: Get the current AWS account caller identity information amazon.aws.aws_caller_info: profile: "{{ aws_opensearch.aws_profile }}" @@ -30,7 +42,7 @@ access_policies: "{{ lookup('template', 'policy.json.j2') }}" vpc_options: subnets: "{{ aws_opensearch.subnets }}" - security_groups: "{{ aws_opensearch.security_groups }}" + security_groups: "{{ _aws_security_group_list }}" # variable populated by the aws_security_groups role snapshot_options: automated_snapshot_start_hour: "{{ aws_opensearch.automated_snapshot_start_hour }}" auto_tune_options: diff --git a/roles/aws/aws_rds/README.md b/roles/aws/aws_rds/README.md index 1e5287a15..a1ce80f9c 100644 --- a/roles/aws/aws_rds/README.md +++ b/roles/aws/aws_rds/README.md @@ -42,8 +42,7 @@ aws_rds: master_username: hello # The name of the master user for the DB cluster. Must be 1-16 letters or numbers and begin with a letter. master_user_password: hellothere publicly_accessible: false # Wether to allocate an IP address - # SG names - ID lookup is automatic. - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role rds_cloudwatch_alarms: # name will have the RDS identifier prepended. - name: "example_free_storage_space_threshold_{{ _env_type }}_asg" description: "Average database free storage space over the last 10 minutes too low." diff --git a/roles/aws/aws_rds/defaults/main.yml b/roles/aws/aws_rds/defaults/main.yml index faa3ee5bb..81f4214d3 100644 --- a/roles/aws/aws_rds/defaults/main.yml +++ b/roles/aws/aws_rds/defaults/main.yml 
@@ -25,8 +25,7 @@ aws_rds: master_username: hello # The name of the master user for the DB cluster. Must be 1-16 letters or numbers and begin with a letter. master_user_password: hellothere publicly_accessible: false # Wether to allocate an IP address - # SG names - ID lookup is automatic. - security_groups: [] + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role rds_cloudwatch_alarms: # name will have the RDS identifier prepended. - name: "example_free_storage_space_threshold_{{ _env_type }}_asg" description: "Average database free storage space over the last 10 minutes too low." diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml index 9353f16d7..416dd30b4 100644 --- a/roles/aws/aws_rds/tasks/main.yml +++ b/roles/aws/aws_rds/tasks/main.yml @@ -8,16 +8,6 @@ description: "{{ aws_rds.description }}" register: _aws_rds_rds_subnet_group -- name: Reset security groups info. - ansible.builtin.set_fact: - _aws_rds_security_group_ids: [] - -- name: Gather security groups info. - ansible.builtin.include_tasks: security_group.yml - with_items: "{{ aws_rds.security_groups }}" - loop_control: - loop_var: security_group - - name: Create RDS parameter group amazon.aws.rds_param_group: state: present @@ -73,6 +63,16 @@ - "'aurora' in aws_rds.engine" - aws_rds.aurora_reader +- name: Generate security group information. + ansible.builtin.include_role: + name: aws/aws_security_groups + vars: + profile: "{{ aws_rds.aws_profile }}" + region: "{{ aws_rds.region }}" + group_names: "{{ aws_rds.security_groups }}" + return_type: ids + when: aws_rds.security_groups | length > 0 + - name: Create RDS instance amazon.aws.rds_instance: db_instance_identifier: "{{ aws_rds.name }}" 
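Review bot: the `Generate security group information.` hunk in `roles/aws/aws_rds/tasks/main.yml` drops the VPC scoping that the deleted `security_group.yml` had (`vpc_id: "{{ _aws_rds_rds_subnet_group.subnet_group.vpc_id }}"`); the new role filters on `group-name` only. Security group names are unique per VPC, not per region, so a same-named group in another VPC (every VPC has a `default` group, and shared names such as `web_open` are likely across environments) can be returned alongside or instead of the intended one, and `rds_instance` then fails because a group belongs to a different VPC or, if only the right one is found, works by luck. Suggest the role accept an optional `vpc_id` filter and this caller pass the subnet group's VPC, as the removed tasks did.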
@@ -94,7 +94,7 @@ #enable_performance_insights: undefined # not required. Whether to enable Performance Insights for the DB instance. allocated_storage: "{{ aws_rds.allocated_storage }}" max_allocated_storage: "{{ aws_rds.max_allocated_storage }}" - vpc_security_group_ids: "{{ _aws_rds_security_group_ids }}" + vpc_security_group_ids: "{{ _aws_security_group_list }}" # variable populated by the aws_security_groups role profile: "{{ aws_rds.aws_profile }}" tags: "{{ aws_rds.tags | combine({ 'Name': aws_rds.name }) }}" allow_major_version_upgrade: false diff --git a/roles/aws/aws_rds/tasks/security_group.yml b/roles/aws/aws_rds/tasks/security_group.yml deleted file mode 100644 index 6359fc7cf..000000000 --- a/roles/aws/aws_rds/tasks/security_group.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: Gather security group info. - amazon.aws.ec2_security_group_info: - profile: "{{ aws_rds.aws_profile }}" - region: "{{ aws_rds.region }}" - filters: - group_name: "{{ security_group }}" - vpc_id: "{{ _aws_rds_rds_subnet_group.subnet_group.vpc_id }}" - register: _aws_rds_security_group_info - -- name: Add security group id. - ansible.builtin.set_fact: - _aws_rds_security_group_ids: "{{ _aws_rds_security_group_ids + [ _aws_rds_security_group_info.security_groups[0].group_id ] }}" diff --git a/roles/aws/aws_security_groups/README.md b/roles/aws/aws_security_groups/README.md new file mode 100644 index 000000000..a99623a50 --- /dev/null +++ b/roles/aws/aws_security_groups/README.md 
@@ -0,0 +1,32 @@ +# AWS Security Groups +This is a helper role for managing AWS security groups. Security groups are created in the [`aws_vpc`](https://github.com/codeenigma/ce-provision/tree/2.x/roles/aws/aws_vpc) role, however different roles and modules require different data when working with security groups. This role allows you to feed in a list of security group names and get back, in private variables, the following data for later use in other places: + +```yaml +- name: Set up lists. + ansible.builtin.set_fact: + _aws_security_groups: [] # a list of all the security group data requested + _aws_security_group_ids: [] # a list of security group IDs + _aws_security_group_names: "{{ aws_security_groups.group_names }}" # a list of security group names (in a new var for consistency) + _aws_security_group_list: [] # a list in the requested format, either a list of names or a list of IDs, so allow for calling a consistent variable name +``` + +This role is used by other roles to provide a consistent experience for developers, you can always provide a list of security group names, no matter what the module being called within a role requires. + + + + + +## Default variables +```yaml +--- +aws_security_groups: + aws_profile: "{{ _aws_profile }}" + region: "{{ _aws_region }}" + group_names: + - ssh_open + - web_open + return_type: ids # can be either 'names' or 'ids' + +``` + + diff --git a/roles/aws/aws_security_groups/defaults/main.yml b/roles/aws/aws_security_groups/defaults/main.yml new file mode 100644 index 000000000..948f9f0ba --- /dev/null +++ b/roles/aws/aws_security_groups/defaults/main.yml @@ -0,0 +1,8 @@ +--- +aws_security_groups: + aws_profile: "{{ _aws_profile }}" + region: "{{ _aws_region }}" + group_names: + - ssh_open + - web_open + return_type: ids # can be either 'names' or 'ids' diff --git a/roles/aws/aws_security_groups/tasks/main.yml b/roles/aws/aws_security_groups/tasks/main.yml new file mode 100644 index 000000000..1076d586f --- /dev/null 
+++ b/roles/aws/aws_security_groups/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: Set up lists. + ansible.builtin.set_fact: + _aws_security_groups: [] + _aws_security_group_ids: [] + _aws_security_group_names: "{{ aws_security_groups.group_names }}" + _aws_security_group_list: [] + +- name: Fetch groups. + amazon.aws.ec2_security_group_info: + profile: "{{ aws_security_groups.aws_profile }}" + region: "{{ aws_security_groups.region }}" + filters: + group-name: "{{ _aws_security_group_names }}" + register: _aws_security_groups + +- name: Create list of security group IDs. + ansible.builtin.set_fact: + _aws_security_group_ids: "{{ _aws_security_group_ids + [ item.group_id ] }}" + with_items: "{{ _aws_security_groups.security_groups }}" + +- name: Set return variable to SG names. + ansible.builtin.set_fact: + _aws_security_group_list: "{{ _aws_security_group_names }}" + when: aws_security_groups.return_type == 'names' + +- name: Set return variable to SG IDs. + ansible.builtin.set_fact: + _aws_security_group_list: "{{ _aws_security_group_ids }}" + when: aws_security_groups.return_type == 'ids' diff --git a/roles/debian/gitlab_runner/README.md b/roles/debian/gitlab_runner/README.md index 952f48f3e..52554ced5 100644 --- a/roles/debian/gitlab_runner/README.md +++ b/roles/debian/gitlab_runner/README.md @@ -50,7 +50,7 @@ gitlab_runner: cluster: "my-cluster" # ECS cluster name region: "eu-west-1" # AWS region name subnet: "subnet-abcdef123456" # subnet ID - security_group: "sg-abcdef123456" # SG ID + security_group: "my-security-group" # SG name task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest public_ip: "false" # if your containers need a public IP assigning version: "1.4.0" # Fargate platform version diff --git a/roles/debian/gitlab_runner/defaults/main.yml b/roles/debian/gitlab_runner/defaults/main.yml index 538b7bcaa..845371447 100644 --- a/roles/debian/gitlab_runner/defaults/main.yml 
+++ b/roles/debian/gitlab_runner/defaults/main.yml @@ -38,7 +38,7 @@ gitlab_runner: cluster: "my-cluster" # ECS cluster name region: "eu-west-1" # AWS region name subnet: "subnet-abcdef123456" # subnet ID - security_group: "sg-abcdef123456" # SG ID + security_group: "my-security-group" # SG name task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest public_ip: "false" # if your containers need a public IP assigning version: "1.4.0" # Fargate platform version diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml index a28cb1b59..a418bb001 100644 --- a/roles/debian/gitlab_runner/tasks/main.yml +++ b/roles/debian/gitlab_runner/tasks/main.yml @@ -35,6 +35,19 @@ # gitlab-runner register --url https://gitlab.com/ --registration-token TOKEN_HERE --name fargate-test-runner --run-untagged --executor custom -n # This will automatically update /etc/gitlab-runner/config.toml +# Populates the _aws_security_group_list variable used in fargate.toml.j2 +- name: Generate security group information. + ansible.builtin.include_role: + name: aws/aws_security_groups + vars: + profile: "{{ aws_elasticache.aws_profile }}" + region: "{{ aws_elasticache.region }}" + group_names: + - "{{ gitlab_runner.fargate.security_group }}" + return_type: ids + when: gitlab_runner.install_fargate + delegate_to: localhost + - name: Create the Fargate driver directory if it does not exist. ansible.builtin.file: path: /opt/gitlab-runner diff --git a/roles/debian/gitlab_runner/templates/fargate.toml.j2 b/roles/debian/gitlab_runner/templates/fargate.toml.j2 index c32c3633a..6af78fc5a 100644 --- a/roles/debian/gitlab_runner/templates/fargate.toml.j2 +++ b/roles/debian/gitlab_runner/templates/fargate.toml.j2 
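Review bot: the `vars:` passed in 'Generate security group information.' (`profile`, `region`, `group_names`, `return_type`) are flat variables, but the role reads `aws_security_groups.aws_profile`, `aws_security_groups.group_names` and so on, so none of them is consumed and the role falls back to its defaults (`ssh_open`, `web_open`); `_aws_security_group_list[0]` in `fargate.toml.j2` would then be whichever of those groups the API returned first, not `gitlab_runner.fargate.security_group`. Pass them as one dict, `aws_security_groups: { aws_profile: ..., region: ..., group_names: ["{{ gitlab_runner.fargate.security_group }}"], return_type: ids }`. `aws_elasticache.aws_profile` and `aws_elasticache.region` also look copied from another role and may be undefined on a runner host, while `gitlab_runner.fargate.region` is already available. Finally, keywords on `include_role` apply to the include itself rather than to the tasks inside it; if the EC2 lookup must run from the controller, pass `delegate_to: localhost` under `apply:` or set it inside the role.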
@@ -5,7 +5,7 @@ LogFormat = "text" Cluster = "{{ gitlab_runner.fargate.cluster }}" Region = "{{ gitlab_runner.fargate.region }}" Subnet = "{{ gitlab_runner.fargate.subnet }}" - SecurityGroup = "{{ gitlab_runner.fargate.security_group }}" + SecurityGroup = "{{ _aws_security_group_list[0] }}" TaskDefinition = "{{ gitlab_runner.fargate.task_definition }}" EnablePublicIP = {{ gitlab_runner.fargate.public_ip }} PlatformVersion = "{{ gitlab_runner.fargate.version }}" From d6393f876c0094e5bed49f261976064ddeb573f9 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 23 Nov 2023 14:52:43 +0100 Subject: [PATCH 014/331] Default packages pr 2.x (#1250) * Adding support for PHP session lifetime. (#1240) * Adding support for PHP session lifetime. * Updating module namespaces. * Adding dnsutils and telnet as standard to common_base. * Removing merge error. --- roles/_meta/common_base/meta/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index f38aef31f..143002b7c 100644 --- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml @@ -1,6 +1,6 @@ --- dependencies: - - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx"] } + - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx", "dnsutils", "telnet"] } - role: debian/locales - role: debian/user_root - role: debian/apt_extra_packages From cbd538609de19b329a4f6f900e49822ba0ffa8bf Mon Sep 17 00:00:00 2001 
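Review bot: `SecurityGroup = "{{ _aws_security_group_list[0] }}"` silently takes the first element: if the lookup returned nothing the template fails with an index error that never mentions the group name, and if it returned more than one (same name in several VPCs) the wrong group is written into `fargate.toml`. Guard the template task with an assert that `_aws_security_group_list | length == 1`, with `gitlab_runner.fargate.security_group` in the failure message.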
From: Greg Harvey Date: Thu, 23 Nov 2023 15:04:53 +0100 Subject: [PATCH 015/331] Default packages pr 2.x (#1254) * Adding support for PHP session lifetime. (#1240) * Adding support for PHP session lifetime. * Updating module namespaces. * Adding dnsutils and telnet as standard to common_base. * Removing merge error. * Adding atop and sysstat as default too. --- roles/_meta/common_base/meta/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index 143002b7c..b61a85a6d 100644 --- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml @@ -1,6 +1,6 @@ --- dependencies: - - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx", "dnsutils", "telnet"] } + - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx", "dnsutils", "telnet", "atop", "sysstat"] } - role: debian/locales - role: debian/user_root - role: debian/apt_extra_packages From d3d1e0ea323e103ac5ec51fd811ecb97885a87a4 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 23 Nov 2023 15:48:18 +0100 Subject: [PATCH 016/331] Aws module names 2.x pr 2.x (#1259) * Adding support for PHP session lifetime. (#1240) * Adding support for PHP session lifetime. * Updating module namespaces. * Default packages pr 1.x (#1257) * Adding extra packages to common_base. * Fixing typo. --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 46227c0b2..c6bf0f364 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,4 @@ /roles/contrib/* /roles/ce_provision !/roles/contrib/README.md +/docs/roles/contrib/* From 464e97ff69f6c34879efcf407383aa883f4fdf07 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Fri, 24 Nov 2023 19:12:27 +0100 Subject: [PATCH 017/331] Default packages pr 2.x (#1263) * Adding support for PHP session lifetime. (#1240) * Adding support for PHP session lifetime. * Updating module namespaces. * Adding dnsutils and telnet as standard to common_base. * Removing merge error. * Adding atop and sysstat as default too. * Adding extra packages to common_base. * Fixing typo. * Default packages pr 1.x (#1257) * Adding extra packages to common_base. * Fixing typo. * Removing diagnostic packages from containers. --- roles/_meta/common_base/meta/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index b61a85a6d..a0c051085 100644 --- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml @@ -1,6 +1,7 @@ --- dependencies: - - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx", "dnsutils", "telnet", "atop", "sysstat"] } + - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx"] } + - { role: debian/apt_extra_packages, apt_extra_packages: ["dnsutils", "telnet", "atop", "sysstat"], when: ( is_local is not defined or not is_local ) } - role: debian/locales - role: debian/user_root - role: debian/apt_extra_packages From 0865fa9f8973b617c667c25e1532675bf3c24991 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Thu, 30 Nov 2023 14:22:07 +0100 Subject: [PATCH 018/331] Duplicity updates pr 2.x (#1274) * Adding support for PHP session lifetime. (#1240) * Adding support for PHP session lifetime. * Updating module namespaces. * Default packages pr 1.x (#1257) * Adding extra packages to common_base. * Fixing typo. * Default packages pr 1.x (#1261) * Adding extra packages to common_base. * Fixing typo. * Removing diagnostic packages from containers. * Providing Backblaze support in Duplicity role. * Moving Duplicity S3 options to an Ansible variable. * Duplicity updates pr 1.x (#1265) * Providing Backblaze support in Duplicity role. * Moving Duplicity S3 options to an Ansible variable. * Correcting path for cron. * Duplicity updates pr 1.x (#1267) * Providing Backblaze support in Duplicity role. * Moving Duplicity S3 options to an Ansible variable. * Correcting path for cron. * Option to suppress making a cron script. * Duplicity updates pr 1.x (#1268) * Providing Backblaze support in Duplicity role. * Moving Duplicity S3 options to an Ansible variable. * Correcting path for cron. * Option to suppress making a cron script. * duplicity not in path for cron so needs full path in script. * Duplicity updates pr 1.x (#1270) * Providing Backblaze support in Duplicity role. * Moving Duplicity S3 options to an Ansible variable. * Correcting path for cron. * Option to suppress making a cron script. * duplicity not in path for cron so needs full path in script. * R66963 separate lb fix pr 1.x (#1272) * r66963-separate-lb-fix * attempt to add TGW routes to list * Updating Duplicity docs. * Removing obsolete templates. * Accidentally doubled a PHP var. 
--------- Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> --- docs/_Sidebar.md | 1 + docs/roles/debian/duplicity.md | 41 +++++++++++ .../aws_ec2_autoscale_cluster/tasks/main.yml | 1 - roles/aws/aws_vpc_route/tasks/route.yml | 1 + roles/debian/duplicity/README.md | 41 +++++++++++ roles/debian/duplicity/defaults/main.yml | 6 +- roles/debian/duplicity/tasks/main.yml | 8 +-- ...icity_backup.j2 => duplicity_backup-b2.j2} | 28 ++++---- .../templates/duplicity_backup-s3.j2 | 70 +++++++++++++++++++ ...plicity_clean.j2 => duplicity_clean-b2.j2} | 14 ++-- .../duplicity/templates/duplicity_clean-s3.j2 | 39 +++++++++++ ...ity_restore.j2 => duplicity_restore-b2.j2} | 13 ++-- .../templates/duplicity_restore-s3.j2 | 45 ++++++++++++ 13 files changed, 276 insertions(+), 32 deletions(-) create mode 100644 docs/roles/debian/duplicity.md create mode 100644 roles/debian/duplicity/README.md rename roles/debian/duplicity/templates/{duplicity_backup.j2 => duplicity_backup-b2.j2} (62%) create mode 100644 roles/debian/duplicity/templates/duplicity_backup-s3.j2 rename roles/debian/duplicity/templates/{duplicity_clean.j2 => duplicity_clean-b2.j2} (59%) create mode 100644 roles/debian/duplicity/templates/duplicity_clean-s3.j2 rename roles/debian/duplicity/templates/{duplicity_restore.j2 => duplicity_restore-b2.j2} (64%) create mode 100644 roles/debian/duplicity/templates/duplicity_restore-s3.j2 diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 16c64086b..4a194080b 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -42,6 +42,7 @@ - [Automated patching](/roles/debian/ce_patcher) - [ce-provision](/roles/debian/ce_provision) - [ClamAV](/roles/debian/clamav) + - [Duplicity](/roles/debian/duplicity) - [Firewall Config](/roles/debian/firewall_config) - [Frontail](/roles/debian/frontail) - [Gitlab](/roles/debian/gitlab) diff --git a/docs/roles/debian/duplicity.md b/docs/roles/debian/duplicity.md new file mode 100644 index 000000000..9186201ed 
--- /dev/null +++ b/docs/roles/debian/duplicity.md @@ -0,0 +1,41 @@ +# Duplicity +Role to install and configure [the Duplicity backup engine](https://duplicity.us/) for off site backups in Linux. + + + + + +## Default variables +```yaml +--- +duplicity: + backend: s3 # currently also support b2 for Backblaze + access_key_id: "somekey" + secret_access_key: "somesecret" + backend_url: "s3-eu-west-1.amazonaws.com" + s3_options: "--s3-european-buckets --s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options + bucketname: "somebucket" + dirs: + - name: "/boot" + rules: [] + - name: "/etc" + rules: [] + - name: "/opt" + rules: [] + - name: "/var" + rules: + - "+ /var/log/syslog*" + - "- /var" + exclude_other_filesystems: false + full_backup_frequency: "3M" + gpg_passphrase: "{{ lookup('password', _ce_provision_data_dir + '/' + inventory_hostname + '/duplicity-gpg-passphrase chars=ascii_letters,digits length=64') }}" + install_dir: "/opt/duplicity" + mail_recipient: "foo@bar.com" + retention_period: "12M" + # systemd timer settings + create_timer: true # sometimes you might want to trigger duplicity some other way than a systemd timer + on_calendar: "*-*-* 03:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + +``` + + diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index d92e56a95..70597d699 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml @@ -321,7 +321,6 @@ register: _aws_ec2_target_group_created when: - aws_ec2_autoscale_cluster.asg_refresh - - aws_ec2_autoscale_cluster.create_elb - name: Define default ALB listeners. ansible.builtin.set_fact: diff --git a/roles/aws/aws_vpc_route/tasks/route.yml b/roles/aws/aws_vpc_route/tasks/route.yml index 57e23f601..e353623af 100644 
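Review bot: the documented defaults show `access_key_id`/`secret_access_key` as plain strings, but these values are rendered verbatim into the backup, clean and restore scripts on the host, so the page should say to supply them from Ansible Vault (or an instance profile on EC2) and should warn that `gpg_passphrase`, generated by `lookup('password', ...)`, exists only in `_ce_provision_data_dir`: losing that file makes every backup unrecoverable, so it must itself be backed up somewhere other than the host being backed up. In the `aws_ec2_autoscale_cluster` hunk, dropping the `create_elb` condition means the target-group task now runs on every `asg_refresh` even when no load balancer is managed by the role; confirm that task and the later consumers of `_aws_ec2_target_group_created` tolerate that case.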
--- a/roles/aws/aws_vpc_route/tasks/route.yml +++ b/roles/aws/aws_vpc_route/tasks/route.yml @@ -7,6 +7,7 @@ gateway_id: "{{ route.gateway_id | default(omit) }}" nat_gateway_id: "{{ route.nat_gateway_id | default(omit) }}" network_interface_id: "{{ route.network_interface_id | default(omit) }}" + transit_gateway_id: "{{ route.transit_gateway_id | default(omit) }}" vpc_peering_connection_id: "{{ route.vpc_peering_connection_id | default(omit) }}" instance_id: "{{ route.instance_id | default(omit) }}" diff --git a/roles/debian/duplicity/README.md b/roles/debian/duplicity/README.md new file mode 100644 index 000000000..9186201ed --- /dev/null +++ b/roles/debian/duplicity/README.md 
@@ -0,0 +1,41 @@ +# Duplicity +Role to install and configure [the Duplicity backup engine](https://duplicity.us/) for off site backups in Linux. + + + + + +## Default variables +```yaml +--- +duplicity: + backend: s3 # currently also support b2 for Backblaze + access_key_id: "somekey" + secret_access_key: "somesecret" + backend_url: "s3-eu-west-1.amazonaws.com" + s3_options: "--s3-european-buckets --s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options + bucketname: "somebucket" + dirs: + - name: "/boot" + rules: [] + - name: "/etc" + rules: [] + - name: "/opt" + rules: [] + - name: "/var" + rules: + - "+ /var/log/syslog*" + - "- /var" + exclude_other_filesystems: false + full_backup_frequency: "3M" + gpg_passphrase: "{{ lookup('password', _ce_provision_data_dir + '/' + inventory_hostname + '/duplicity-gpg-passphrase chars=ascii_letters,digits length=64') }}" + install_dir: "/opt/duplicity" + mail_recipient: "foo@bar.com" + retention_period: "12M" + # systemd timer settings + create_timer: true # sometimes you might want to trigger duplicity some other way than a systemd timer + on_calendar: "*-*-* 03:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + +``` + + diff --git a/roles/debian/duplicity/defaults/main.yml b/roles/debian/duplicity/defaults/main.yml index 603b7611e..f85a94b36 100644 --- a/roles/debian/duplicity/defaults/main.yml +++ b/roles/debian/duplicity/defaults/main.yml 
@@ -1,8 +1,10 @@ --- duplicity: - aws_access_key_id: "somekey" - aws_secret_access_key: "somesecret" + backend: s3 # currently also support b2 for Backblaze + access_key_id: "somekey" + secret_access_key: "somesecret" backend_url: "s3-eu-west-1.amazonaws.com" + s3_options: "--s3-european-buckets --s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options bucketname: "somebucket" dirs: - name: "/boot" diff --git a/roles/debian/duplicity/tasks/main.yml b/roles/debian/duplicity/tasks/main.yml index dbae642bd..96581e0aa 100644 --- a/roles/debian/duplicity/tasks/main.yml +++ b/roles/debian/duplicity/tasks/main.yml @@ -28,7 +28,7 @@ - name: Copy backup script in place. ansible.builtin.template: - src: duplicity_backup.j2 + src: "duplicity_backup-{{ duplicity.backend }}.j2" dest: "{{ duplicity.install_dir }}/bin/duplicity_backup" owner: root group: root @@ -36,7 +36,7 @@ - name: Copy restore script in place. ansible.builtin.template: - src: duplicity_restore.j2 + src: duplicity_restore-{{ duplicity.backend }}.j2 dest: "{{ duplicity.install_dir }}/bin/duplicity_restore" owner: root group: root @@ -44,7 +44,7 @@ - name: Copy clean-up script in place. ansible.builtin.template: - src: duplicity_clean.j2 + src: duplicity_clean-{{ duplicity.backend }}.j2 dest: "{{ duplicity.install_dir }}/bin/duplicity_clean" owner: root group: root @@ -69,7 +69,7 @@ vars: timers: duplicity_backup: - timer_command: /usr/local/bin/duplicity_backup + timer_command: "{{ duplicity.install_dir }}/bin/duplicity_backup" timer_OnCalendar: "{{ duplicity.on_calendar }}" when: duplicity.create_timer diff --git a/roles/debian/duplicity/templates/duplicity_backup.j2 b/roles/debian/duplicity/templates/duplicity_backup-b2.j2 similarity index 62% rename from roles/debian/duplicity/templates/duplicity_backup.j2 rename to roles/debian/duplicity/templates/duplicity_backup-b2.j2 index 642ea656d..b41b992b8 100644 
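Review bot: renaming `aws_access_key_id`/`aws_secret_access_key` to `access_key_id`/`secret_access_key` is a breaking change with no migration hint: an inventory still using the old keys raises no error and the scripts are rendered with the placeholder credentials `somekey`/`somesecret`, so the breakage only surfaces at the first timer run. Add an `ansible.builtin.assert` that `duplicity.access_key_id` is defined and differs from the placeholder, and that `duplicity.backend` is one of `s3` or `b2` (any other value currently fails only as a missing `duplicity_backup-<x>.j2` template), and mention the rename in the docs. The `timer_command` correction to `{{ duplicity.install_dir }}/bin/duplicity_backup` is right; the scripts themselves still hard-code `/usr/local/bin/duplicity`, which would sit better as a variable next to `install_dir`.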
--- a/roles/debian/duplicity/templates/duplicity_backup.j2 +++ b/roles/debian/duplicity/templates/duplicity_backup-b2.j2 @@ -3,9 +3,9 @@ # Duplicity Backup script # Declare and export secrets -export AWS_ACCESS_KEY_ID={{duplicity.aws_access_key_id}} -export AWS_SECRET_ACCESS_KEY={{duplicity.aws_secret_access_key}} -export PASSPHRASE={{duplicity.gpg_passphrase}} +export PASSPHRASE={{ duplicity.gpg_passphrase }} +export B2_KEY_ID={{ duplicity.access_key_id }} +export B2_SECRET_KEY={{ duplicity.secret_access_key }} if [ ! `whoami` = "root" ] ; then echo "You must run this script as root" @@ -15,21 +15,21 @@ fi ## Configurable variables # How often should we make a full backup? Recommended: 3 months -FULL_BACKUPS="{{duplicity.full_backup_frequency}}" +FULL_BACKUPS="{{ duplicity.full_backup_frequency }}" # Remove old backups? 0 for no, 1 for yes REMOVE_OLD_BACKUPS=1 # How often should we purge old backups? Recommended: 12 months. -REMOVE_OLDER_THAN="{{duplicity.retention_period}}" +REMOVE_OLDER_THAN="{{ duplicity.retention_period }}" # Args to pass to duplicity {% if duplicity.exclude_other_filesystems %} -backup_options="--full-if-older-than $FULL_BACKUPS --exclude-other-filesystems --num-retries=30 --s3-use-new-style --s3-european-buckets" +backup_options="--full-if-older-than $FULL_BACKUPS --exclude-other-filesystems --num-retries=30" {% else %} -backup_options="--full-if-older-than $FULL_BACKUPS --num-retries=30 --s3-use-new-style --s3-european-buckets" +backup_options="--full-if-older-than $FULL_BACKUPS --num-retries=30" {% endif %} -maintenance_options="remove-older-than $REMOVE_OLDER_THAN --force --s3-use-new-style --s3-european-buckets" +maintenance_options="remove-older-than $REMOVE_OLDER_THAN --force" # An array of directories to back up DIRS=( 
@@ -46,8 +46,8 @@ for dir in ${DIRS[@]}; do echo "Backing up $dir..." extra_options="" - if [ -f "{{duplicity.install_dir}}/etc/$dir-include-exclude-filelist" ]; then - extra_options="--include-filelist {{duplicity.install_dir}}/etc/$dir-include-exclude-filelist" + if [ -f "{{ duplicity.install_dir }}/etc/$dir-include-exclude-filelist" ]; then + extra_options="--include-filelist {{ duplicity.install_dir }}/etc/$dir-include-exclude-filelist" fi # A special clause for /root. We don't want the local duplicity cache data @@ -55,14 +55,16 @@ for dir in ${DIRS[@]}; do extra_options="$extra_options --exclude /root/.cache" fi - DEST=s3://{{duplicity.backend_url}}/{{duplicity.bucketname}}$dir - duplicity $backup_options $extra_options $dir $DEST || exit 1 + DEST=b2://$B2_KEY_ID:$B2_SECRET_KEY@{{ duplicity.bucketname }}$dir + /usr/local/bin/duplicity $backup_options $extra_options $dir $DEST || exit 1 if [ $REMOVE_OLD_BACKUPS -eq 1 ]; then # Do some maintenance on the remote end to clean up old backups echo "Performing routine maintenance on $dir..." - duplicity $maintenance_options $DEST || exit 1 + /usr/local/bin/duplicity $maintenance_options $DEST || exit 1 fi done unset PASSPHRASE +unset B2_KEY_ID +unset B2_SECRET_KEY diff --git a/roles/debian/duplicity/templates/duplicity_backup-s3.j2 b/roles/debian/duplicity/templates/duplicity_backup-s3.j2 new file mode 100644 index 000000000..993de8643 --- /dev/null +++ b/roles/debian/duplicity/templates/duplicity_backup-s3.j2 
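Review bot: `DEST=b2://$B2_KEY_ID:$B2_SECRET_KEY@{{ duplicity.bucketname }}$dir` puts the application key on the duplicity command line, where any local user can read it from `ps` or `/proc/<pid>/cmdline` for the whole run and where it is echoed back in error output. If the installed duplicity accepts the key through the environment, pass it that way and keep it out of the URL; if not, at least document the exposure. The `export B2_KEY_ID=...`, `B2_SECRET_KEY=...` and `PASSPHRASE=...` values are also unquoted, so a key or passphrase containing shell metacharacters breaks the script: quote all three (`export B2_SECRET_KEY='{{ duplicity.secret_access_key }}'`). Since the rendered file carries the secrets, the `mode` on the template task (not visible in this hunk) must be 0700.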
@@ -0,0 +1,70 @@ +#!/bin/bash + +# Duplicity Backup script + +# Declare and export secrets +export AWS_ACCESS_KEY_ID={{ duplicity.access_key_id }} +export AWS_SECRET_ACCESS_KEY={{ duplicity.secret_access_key }} +export PASSPHRASE={{ duplicity.gpg_passphrase }} + +if [ ! `whoami` = "root" ] ; then + echo "You must run this script as root" + exit 1 +fi + +## Configurable variables + +# How often should we make a full backup? Recommended: 3 months +FULL_BACKUPS="{{ duplicity.full_backup_frequency }}" + +# Remove old backups? 0 for no, 1 for yes +REMOVE_OLD_BACKUPS=1 + +# How often should we purge old backups? Recommended: 12 months. +REMOVE_OLDER_THAN="{{ duplicity.retention_period }}" + +# Args to pass to duplicity +{% if duplicity.exclude_other_filesystems %} +backup_options="--full-if-older-than $FULL_BACKUPS --exclude-other-filesystems --num-retries=30 {{ duplicity.s3_options }}" +{% else %} +backup_options="--full-if-older-than $FULL_BACKUPS --num-retries=30 {{ duplicity.s3_options }}" +{% endif %} +maintenance_options="remove-older-than $REMOVE_OLDER_THAN --force {{ duplicity.s3_options }}" + +# An array of directories to back up +DIRS=( +{% for item in duplicity.dirs %} + {{ item.name }} +{% endfor %} +) + + +## Backup code below. You should not need to edit anything here. + +# Loop over each dir and perform the backup. +for dir in ${DIRS[@]}; do + echo "Backing up $dir..." + + extra_options="" + if [ -f "{{ duplicity.install_dir }}/etc/$dir-include-exclude-filelist" ]; then + extra_options="--include-filelist {{ duplicity.install_dir }}/etc/$dir-include-exclude-filelist" + fi + + # A special clause for /root. 
We don't want the local duplicity cache data + if [ $dir = "/root" ]; then + extra_options="$extra_options --exclude /root/.cache" + fi + + DEST=s3://{{ duplicity.backend_url }}/{{ duplicity.bucketname }}$dir + /usr/local/bin/duplicity $backup_options $extra_options $dir $DEST || exit 1 + + if [ $REMOVE_OLD_BACKUPS -eq 1 ]; then + # Do some maintenance on the remote end to clean up old backups + echo "Performing routine maintenance on $dir..." + /usr/local/bin/duplicity $maintenance_options $DEST || exit 1 + fi +done + +unset PASSPHRASE +unset AWS_SECRET_ACCESS_KEY +unset AWS_ACCESS_KEY_ID diff --git a/roles/debian/duplicity/templates/duplicity_clean.j2 b/roles/debian/duplicity/templates/duplicity_clean-b2.j2 similarity index 59% rename from roles/debian/duplicity/templates/duplicity_clean.j2 rename to roles/debian/duplicity/templates/duplicity_clean-b2.j2 index f61a84d36..d8c8bb4b4 100644 --- a/roles/debian/duplicity/templates/duplicity_clean.j2 +++ b/roles/debian/duplicity/templates/duplicity_clean-b2.j2 @@ -3,9 +3,9 @@ # Duplicity Cleanup script # Declare and export secrets -export AWS_ACCESS_KEY_ID={{duplicity.aws_access_key_id}} -export AWS_SECRET_ACCESS_KEY={{duplicity.aws_secret_access_key}} -export PASSPHRASE={{duplicity.gpg_passphrase}} +export PASSPHRASE={{ duplicity.gpg_passphrase }} +export B2_KEY_ID={{ duplicity.access_key_id }} +export B2_SECRET_KEY={{ duplicity.secret_access_key }} if [ ! `whoami` = "root" ] ; then echo "You must run this script as root" @@ -15,7 +15,7 @@ fi ## Configurable variables # Args to pass to duplicity -cleanup_options="clean --force --s3-use-new-style --s3-european-buckets" +cleanup_options="clean --force" # An array of directories to clean DIRS=( 
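Review bot: the new S3 backup script has the same unquoted `export AWS_ACCESS_KEY_ID=...`/`AWS_SECRET_ACCESS_KEY=...`/`PASSPHRASE=...` lines as the B2 template; quote them, and note that on an EC2 host an instance profile (duplicity picks up the normal boto credential chain) removes the need to bake long-lived static keys into a file at all. `{{ duplicity.s3_options }}` is interpolated unquoted into `backup_options` and `maintenance_options`, which is intended so that several flags can be passed, but it means the value cannot contain a flag argument with spaces; say so in the defaults comment.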
@@ -30,8 +30,10 @@ DIRS=( # Loop over each dir and perform the clean. for dir in ${DIRS[@]}; do echo "Cleaning up $dir..." - DEST=s3://{{duplicity.backend_url}}/{{duplicity.bucketname}}$dir - duplicity $cleanup_options $DEST || exit 1 + DEST=b2://$B2_KEY_ID:$B2_SECRET_KEY@{{ duplicity.bucketname }}$dir + /usr/local/bin/duplicity $cleanup_options $DEST || exit 1 done unset PASSPHRASE +unset B2_KEY_ID +unset B2_SECRET_KEY diff --git a/roles/debian/duplicity/templates/duplicity_clean-s3.j2 b/roles/debian/duplicity/templates/duplicity_clean-s3.j2 new file mode 100644 index 000000000..81b898fda --- /dev/null +++ b/roles/debian/duplicity/templates/duplicity_clean-s3.j2 @@ -0,0 +1,39 @@ +#!/bin/bash + +# Duplicity Cleanup script + +# Declare and export secrets +export AWS_ACCESS_KEY_ID={{ duplicity.access_key_id }} +export AWS_SECRET_ACCESS_KEY={{ duplicity.secret_access_key }} +export PASSPHRASE={{ duplicity.gpg_passphrase }} + +if [ ! `whoami` = "root" ] ; then + echo "You must run this script as root" + exit 1 +fi + +## Configurable variables + +# Args to pass to duplicity +cleanup_options="clean --force {{ duplicity.s3_options }}" + +# An array of directories to clean +DIRS=( +{% for item in duplicity.dirs %} + {{ item.name }} +{% endfor %} +) + + +## Cleanup code below. You should not need to edit anything here. + +# Loop over each dir and perform the clean. +for dir in ${DIRS[@]}; do + echo "Cleaning up $dir..." + DEST=s3://{{ duplicity.backend_url }}/{{ duplicity.bucketname }}$dir + /usr/local/bin/duplicity $cleanup_options $DEST || exit 1 +done + +unset PASSPHRASE +unset AWS_SECRET_ACCESS_KEY +unset AWS_ACCESS_KEY_ID diff --git a/roles/debian/duplicity/templates/duplicity_restore.j2 b/roles/debian/duplicity/templates/duplicity_restore-b2.j2 similarity index 64% rename from roles/debian/duplicity/templates/duplicity_restore.j2 rename to roles/debian/duplicity/templates/duplicity_restore-b2.j2 index aadac33ad..372431934 100644 
--- a/roles/debian/duplicity/templates/duplicity_restore.j2 +++ b/roles/debian/duplicity/templates/duplicity_restore-b2.j2 @@ -3,9 +3,9 @@ # Duplicity Restore script # Declare and export secrets -export AWS_ACCESS_KEY_ID={{duplicity.aws_access_key_id}} -export AWS_SECRET_ACCESS_KEY={{duplicity.aws_secret_access_key}} -export PASSPHRASE={{duplicity.gpg_passphrase}} +export PASSPHRASE={{ duplicity.gpg_passphrase }} +export B2_KEY_ID={{ duplicity.access_key_id }} +export B2_SECRET_KEY={{ duplicity.secret_access_key }} if [ ! `whoami` = "root" ] ; then echo "You must run this script as root" @@ -19,7 +19,6 @@ RESTORE_DIR=/tmp/restore-`date '+%F-%H%M'` # Restore to what point in time (ago) ? #RESTORE_OPTIONS="-t 3D" -RESTORE_OPTIONS="--s3-use-new-style --s3-european-buckets" # An array of directories to restore DIRS=( @@ -36,8 +35,10 @@ mkdir -p $RESTORE_DIR # Loop over each dir and perform the restoration for dir in ${DIRS[@]}; do echo "Restoring $dir..." - DEST=s3://{{duplicity.backend_url}}/{{duplicity.bucketname}}$dir - duplicity restore $RESTORE_OPTIONS $DEST $RESTORE_DIR$dir + DEST=b2://$B2_KEY_ID:$B2_SECRET_KEY@{{ duplicity.bucketname }}$dir + /usr/local/bin/duplicity restore $RESTORE_OPTIONS $DEST $RESTORE_DIR$dir done unset PASSPHRASE +unset B2_KEY_ID +unset B2_SECRET_KEY diff --git a/roles/debian/duplicity/templates/duplicity_restore-s3.j2 b/roles/debian/duplicity/templates/duplicity_restore-s3.j2 new file mode 100644 index 000000000..da038389f --- /dev/null +++ b/roles/debian/duplicity/templates/duplicity_restore-s3.j2 
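Review bot: `RESTORE_DIR=/tmp/restore-...` is created with `mkdir -p` under the caller's umask, so restored copies of `/etc` (shadow, private keys) can land world-readable under `/tmp`; set `umask 077` (or `mkdir -m 0700`) at the top of both restore scripts and prefer a directory under `{{ duplicity.install_dir }}` or `/root`, since `/tmp` is often a small tmpfs that cannot hold a restore of `/var`. The restore loop is also the only one without `|| exit 1` after the duplicity call, so a failed restore of one directory is not reported.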
@@ -0,0 +1,45 @@ +#!/bin/bash + +# Duplicity Restore script + +# Declare and export secrets +export AWS_ACCESS_KEY_ID={{ duplicity.access_key_id }} +export AWS_SECRET_ACCESS_KEY={{ duplicity.secret_access_key }} +export PASSPHRASE={{ duplicity.gpg_passphrase }} + +if [ ! `whoami` = "root" ] ; then + echo "You must run this script as root" + exit 1 +fi + +## Configurable variables + +# Directory to restore to +RESTORE_DIR=/tmp/restore-`date '+%F-%H%M'` + +# Restore to what point in time (ago) ? +#RESTORE_OPTIONS="-t 3D" +RESTORE_OPTIONS="{{ duplicity.s3_options }}" + +# An array of directories to restore +DIRS=( +{% for item in duplicity.dirs %} + {{ item.name }} +{% endfor %} +) + + +## Restore code below. You should not need to edit anything here. + +mkdir -p $RESTORE_DIR + +# Loop over each dir and perform the restoration +for dir in ${DIRS[@]}; do + echo "Restoring $dir..." + DEST=s3://{{ duplicity.backend_url }}/{{ duplicity.bucketname }}$dir + /usr/local/bin/duplicity restore $RESTORE_OPTIONS $DEST $RESTORE_DIR$dir +done + +unset PASSPHRASE +unset AWS_SECRET_ACCESS_KEY +unset AWS_ACCESS_KEY_ID From 5058cf473d92913897825a66809123d7c1f0cd08 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 6 Dec 2023 16:41:08 +0100 Subject: [PATCH 019/331] Ansible path venv pr 2.x (#1277) * Adding a --ansible-path option so you can provide the location of Ansible. * Ensuring our venv Ansible ends up in PATH. * Improving docs. * Single quotes not required around path to Ansible. * Pleasing the linter. --- docs/roles/debian/ansible.md | 10 +++++++++- roles/debian/ansible/README.md | 10 +++++++++- roles/debian/ansible/tasks/main.yml | 28 ++++++++++++++++++++++++++++ scripts/_common.sh | 21 +++++++++++++++++---- scripts/provision.sh | 1 + 5 files changed, 64 insertions(+), 6 deletions(-) diff --git a/docs/roles/debian/ansible.md b/docs/roles/debian/ansible.md index eb25ec512..5ebad852e 100644 --- a/docs/roles/debian/ansible.md +++ b/docs/roles/debian/ansible.md 
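Review bot: `RESTORE_OPTIONS="{{ duplicity.s3_options }}"` now occupies the line the commented `#RESTORE_OPTIONS="-t 3D"` example was meant to replace, so an operator who uncomments it to restore to a point in time drops the S3 options and the restore runs without them. Keep the S3 flags in their own variable and append a separate, documented `RESTORE_TIME` (e.g. `-t 3D`) so the two cannot be confused.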
@@ -1,5 +1,13 @@ # Ansible -(Re-)install Ansible from the official repository. +Install Ansible in a Python virtual environment. + +Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` globally, or you will likely not get the correct version of Ansible when you try to run shell scripts. + +This will not usually be necessary but, depending on your CI user set-up, you may need to add this as a pre-build step in your config where shell profiles are not automatically loaded, so Ansible is loaded into `$PATH`: + +```sh +. /etc/profile.d/ansible-path.sh +``` diff --git a/roles/debian/ansible/README.md b/roles/debian/ansible/README.md index eb25ec512..5ebad852e 100644 --- a/roles/debian/ansible/README.md +++ b/roles/debian/ansible/README.md @@ -1,5 +1,13 @@ # Ansible -(Re-)install Ansible from the official repository. +Install Ansible in a Python virtual environment. + +Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` globally, or you will likely not get the correct version of Ansible when you try to run shell scripts. + +This will not usually be necessary but, depending on your CI user set-up, you may need to add this as a pre-build step in your config where shell profiles are not automatically loaded, so Ansible is loaded into `$PATH`: + +```sh +. /etc/profile.d/ansible-path.sh +``` diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index 9c7dc523d..9e08e7710 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml 
@@ -1,8 +1,31 @@ --- +- name: Ensure system Ansible is not installed. + ansible.builtin.apt: + pkg: ansible + state: absent + +- name: Ensure Ansible is not installed globally with pip3 on older versions of Debian. + ansible.builtin.pip: + name: ansible + state: absent + executable: pip3 + when: ansible_distribution_major_version | int < 12 + - name: Set up Python packages. ansible.builtin.include_role: name: debian/python_common +- name: Ensure pip is at latest version. + ansible.builtin.pip: + name: + - pip + state: latest + virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" + virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" + update_only: true + become: true + become_user: "{{ ce_provision.username }}" + - name: Install Ansible. ansible.builtin.pip: name: @@ -23,6 +46,11 @@ become: true become_user: "{{ ce_provision.username }}" +- name: Add the venv to $PATH using profile.d. + ansible.builtin.copy: + content: "export PATH=$PATH:{{ ce_ansible.venv_path | default(_venv_path) }}/bin" + dest: "/etc/profile.d/ansible-path.sh" + - name: Create systemd timer to upgrade Ansible. ansible.builtin.include_role: name: contrib/systemd_timers diff --git a/scripts/_common.sh b/scripts/_common.sh index 4c79e074f..4aab1c7a5 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -94,6 +94,10 @@ parse_options(){ shift BOTO_PROFILE="$1" ;; + "--ansible-path") + shift + ANSIBLE_PATH="$1" + ;; *) usage exit 1 
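Review bot: 'Add the venv to $PATH using profile.d.' writes `export PATH=$PATH:<venv>/bin`, which appends the venv, so any `ansible-playbook` earlier in `$PATH` (`/usr/bin` from a leftover apt install, or `/usr/local/bin` from a global pip on Debian 12, where the pip removal task above is skipped) still wins; that is exactly the failure the README warns about. Prepend instead, `export PATH={{ ce_ansible.venv_path | default(_venv_path) }}/bin:$PATH`, and end `content:` with a newline so the file concatenates cleanly with other `profile.d` snippets. `state: latest` on `pip` with no pin also means every run may pull a new pip; pin it or accept that consciously.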
@@ -140,11 +144,20 @@ cleanup_build_tmp_dir(){ } # Trigger actual Ansible job. ansible_play(){ - if [ "$LINT" = "yes" ]; then - # apt repo installed - ANSIBLE_BIN=$(command -v ansible-lint) + if [ -n "$ANSIBLE_PATH" ]; then + if [ "$LINT" = "yes" ]; then + # apt repo installed + ANSIBLE_BIN=$(command -v ansible-lint) + else + ANSIBLE_BIN=$(command -v ansible-playbook) + fi else - ANSIBLE_BIN=$(command -v ansible-playbook) + if [ "$LINT" = "yes" ]; then + # apt repo installed + ANSIBLE_BIN="$ANSIBLE_PATH/ansible-lint" + else + ANSIBLE_BIN="$ANSIBLE_PATH/ansible-playbook" + fi fi if [ "$ABSOLUTE_PLAYBOOK_PATH" = "yes" ]; then ANSIBLE_CMD="$ANSIBLE_BIN $TARGET_PROVISION_PLAYBOOK" diff --git a/scripts/provision.sh b/scripts/provision.sh index b21959406..92d2e0265 100755 --- a/scripts/provision.sh +++ b/scripts/provision.sh @@ -13,6 +13,7 @@ usage(){ echo '' echo 'Available options:' echo '--ansible-extra-vars: Variable to pass as --extra-vars arguments to ansible-playbook. Make sure to escape them properly.' + echo '--ansible-path: Pass the path to the directory containing the Ansible binaries if you are not using the version of Ansible in PATH.' echo '--workspace: Local existing clone of the repo/branch (if your deployment tool already has one). This will skip the cloning/fetching of the repo.' echo '--user: Linux user executing the script (defaults to controller).' echo '--absolute-playbook-path: Prevent prepending of the workspace path to the playbook path when Ansible is called.' From 8ea565efb0e9cc0d8e0a89a4493fb261c430f7f0 Mon Sep 17 00:00:00 2001 
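Review bot: the branch test in `ansible_play()` is inverted: `if [ -n "$ANSIBLE_PATH" ]` takes the `command -v` branch when `--ansible-path` is given and uses `$ANSIBLE_PATH/ansible-playbook` when it is empty, yielding `/ansible-playbook` (PATCH 021 below flips it to `-z`). Independently of that, the value is never validated; add `[ -x "$ANSIBLE_PATH/ansible-playbook" ] || { echo "no ansible-playbook in $ANSIBLE_PATH"; exit 1; }` after option parsing so a wrong path fails with a clear message, and the `# apt repo installed` comment is stale in both branches now that the venv is the expected source.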
From: Greg Harvey Date: Wed, 6 Dec 2023 16:48:52 +0100 Subject: [PATCH 020/331] Ansible path venv pr 2.x (#1280) * Adding a --ansible-path option so you can provide the location of Ansible. * Ensuring our venv Ansible ends up in PATH. * Improving docs. * Single quotes not required around path to Ansible. * Pleasing the linter. * Still trying to please the linter. --- .ansible-lint | 1 + roles/debian/ansible/tasks/main.yml | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/.ansible-lint b/.ansible-lint index 7f26f195c..71d7648cc 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -2,6 +2,7 @@ skip_list: - '204' # Lines should be no longer than 160 chars - '301' # Commands should not change things if nothing needs doing - '701' # 701 No 'galaxy_info' found + - package-latest # do not insist on avoiding 'latest', we need it in some cases - unnamed-task - risky-file-permissions - role-name diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index 9e08e7710..722690a64 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml @@ -22,7 +22,6 @@ state: latest virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" - update_only: true become: true become_user: "{{ ce_provision.username }}" From 8c3d993b27a457352a03a8717f5e9e00b5db9ba6 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 6 Dec 2023 17:15:30 +0100 Subject: [PATCH 021/331] Ansible path venv pr 2.x (#1282) * Adding a --ansible-path option so you can provide the location of Ansible. * Ensuring our venv Ansible ends up in PATH. * Improving docs. * Single quotes not required around path to Ansible. * Pleasing the linter. * Still trying to please the linter. * Using -z to check ANSIBLE_PATH var. --- scripts/_common.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
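Review bot: Adding `package-latest` to `skip_list` in .ansible-lint silences that rule for every role in the repository, not only for the pip task in roles/debian/ansible/tasks/main.yml that needs `state: latest`; an inline `# noqa: package-latest` on that one task keeps the rule active for other roles that drift to unpinned installs. Dropping `update_only: true` in the second hunk also changes behaviour: the task now installs pip into the venv when it is missing rather than only upgrading an existing copy, which is presumably intended but deserves a word in the task name.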
diff --git a/scripts/_common.sh b/scripts/_common.sh index 4aab1c7a5..0da872d6f 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -11,6 +11,7 @@ TARGET_PROVISION_PLAYBOOK="" TARGET_PROVISION_BRANCH="" ANSIBLE_EXTRA_VARS="" ANSIBLE_DEFAULT_EXTRA_VARS="" +ANSIBLE_PATH="" BUILD_WORKSPACE="" BUILD_WORKSPACE_BASE="$OWN_DIR/build" BUILD_ID="" @@ -144,7 +145,7 @@ cleanup_build_tmp_dir(){ } # Trigger actual Ansible job. ansible_play(){ - if [ -n "$ANSIBLE_PATH" ]; then + if [ -z "$ANSIBLE_PATH" ]; then if [ "$LINT" = "yes" ]; then # apt repo installed ANSIBLE_BIN=$(command -v ansible-lint) From 293cc2e461b8bde2b15ed87910da27eca6bf22cb Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 7 Dec 2023 12:24:16 +0100 Subject: [PATCH 022/331] Apparmor pr 2.x (#1284) * Docs update for ansible role. * Adding apparmor role. * Syntax error in with_items. --- docs/_Sidebar.md | 1 + docs/roles/debian/ansible.md | 8 +----- docs/roles/debian/apparmor.md | 28 +++++++++++++++++++ roles/debian/ansible/README.md | 8 +----- roles/debian/apparmor/README.md | 28 +++++++++++++++++++ roles/debian/apparmor/defaults/main.yml | 8 ++++++ roles/debian/apparmor/tasks/main.yml | 28 +++++++++++++++++++ .../apparmor/templates/custom_profile.j2 | 2 ++ 8 files changed, 97 insertions(+), 14 deletions(-) create mode 100644 docs/roles/debian/apparmor.md create mode 100644 roles/debian/apparmor/README.md create mode 100644 roles/debian/apparmor/defaults/main.yml create mode 100644 roles/debian/apparmor/tasks/main.yml create mode 100644 roles/debian/apparmor/templates/custom_profile.j2 diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 4a194080b..3d5705d02 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md 
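Review bot: The `-z` flip in the `@@ -144,7 +145,7 @@` hunk of scripts/_common.sh corrects the inverted condition, but the custom-path branch still trusts whatever directory was passed on the command line: `ANSIBLE_BIN="$ANSIBLE_PATH/ansible-playbook"` is never checked before it is executed, so a typo in `--ansible-path` surfaces only as a confusing "command not found" from the composed `ANSIBLE_CMD`. Add a guard after the assignment, e.g. `[ -x "$ANSIBLE_BIN" ] || { echo "No executable found at $ANSIBLE_BIN" >&2; exit 1; }`, and consider rejecting relative paths, since this option decides which binary the whole provisioning run executes.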
@@ -31,6 +31,7 @@ - [Debian Packages](/roles/debian) - [Ansible](/roles/debian/ansible) - [APACHE](/roles/debian/apache) + - [Apparmor](/roles/debian/apparmor) - [Extra packages](/roles/debian/apt_extra_packages) - [APT Unattended Upgrades](/roles/debian/apt_unattended_upgrades) - [AWS CLI](/roles/debian/aws_cli) diff --git a/docs/roles/debian/ansible.md b/docs/roles/debian/ansible.md index 5ebad852e..7e0015fd9 100644 --- a/docs/roles/debian/ansible.md +++ b/docs/roles/debian/ansible.md @@ -1,13 +1,7 @@ # Ansible Install Ansible in a Python virtual environment. -Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` globally, or you will likely not get the correct version of Ansible when you try to run shell scripts. - -This will not usually be necessary but, depending on your CI user set-up, you may need to add this as a pre-build step in your config where shell profiles are not automatically loaded, so Ansible is loaded into `$PATH`: - -```sh -. /etc/profile.d/ansible-path.sh -``` +Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` globally, or you will likely not get the correct version of Ansible when you try to run shell scripts. The role will try and take care of this for you, but for extra safety you could manually check prior to running `ce-provision`. diff --git a/docs/roles/debian/apparmor.md b/docs/roles/debian/apparmor.md new file mode 100644 index 000000000..7d77ee2aa --- /dev/null +++ b/docs/roles/debian/apparmor.md 
@@ -0,0 +1,28 @@ +# Apparmor +This role installs the `apparmor` application for additional security. Documentation for Debian is here: +* https://wiki.debian.org/AppArmor/HowToUse + +The only additional feature of this role, aside from installing the package, is to create custom `apparmor` profiles. To create profiles you can provide a list with the variable `apparmor.custom_profiles`. Each item should have two elements, `filename` and `contents`. It is vitally important that `filename` matches the path to the binary you wish to provide a profile for. In the example commented out in the defaults you will note the filename is `usr.sbin.clamd` which means it applies to the binary at `/usr/sbin/clamd`, which is the location of the ClamAV daemon. + +The `contents` part is literally what will be placed in the file when the template is copied accross. In the case of our example, `/home/deploy/** r,`, this means allow the binary at `/usr/sbin/clamd` to read anything in the `/home/deploy` directory - our typical application location - and do not block that activity. In other words, do not impede virus scanning. + +If needed you can utilise Ansible's inheritance model to create your own, more complex `custom_profile.j2` template file with your playbook and provide additional variables per item. Essentially what ships with the role is a simple example that is fit for most purposes. + + + + + +## Default variables +```yaml +--- +apparmor: + custom_profiles: [] + # example + #- filename: usr.sbin.clamd + # contents: | + # /home/deploy/** r, + # + +``` + + diff --git a/roles/debian/ansible/README.md b/roles/debian/ansible/README.md index 5ebad852e..7e0015fd9 100644 --- a/roles/debian/ansible/README.md +++ b/roles/debian/ansible/README.md 
@@ -1,13 +1,7 @@ # Ansible Install Ansible in a Python virtual environment. -Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` globally, or you will likely not get the correct version of Ansible when you try to run shell scripts. - -This will not usually be necessary but, depending on your CI user set-up, you may need to add this as a pre-build step in your config where shell profiles are not automatically loaded, so Ansible is loaded into `$PATH`: - -```sh -. /etc/profile.d/ansible-path.sh -``` +Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` globally, or you will likely not get the correct version of Ansible when you try to run shell scripts. The role will try and take care of this for you, but for extra safety you could manually check prior to running `ce-provision`. diff --git a/roles/debian/apparmor/README.md b/roles/debian/apparmor/README.md new file mode 100644 index 000000000..7d77ee2aa --- /dev/null +++ b/roles/debian/apparmor/README.md 
@@ -0,0 +1,28 @@ +# Apparmor +This role installs the `apparmor` application for additional security. Documentation for Debian is here: +* https://wiki.debian.org/AppArmor/HowToUse + +The only additional feature of this role, aside from installing the package, is to create custom `apparmor` profiles. To create profiles you can provide a list with the variable `apparmor.custom_profiles`. Each item should have two elements, `filename` and `contents`. It is vitally important that `filename` matches the path to the binary you wish to provide a profile for. In the example commented out in the defaults you will note the filename is `usr.sbin.clamd` which means it applies to the binary at `/usr/sbin/clamd`, which is the location of the ClamAV daemon. + +The `contents` part is literally what will be placed in the file when the template is copied accross. In the case of our example, `/home/deploy/** r,`, this means allow the binary at `/usr/sbin/clamd` to read anything in the `/home/deploy` directory - our typical application location - and do not block that activity. In other words, do not impede virus scanning. + +If needed you can utilise Ansible's inheritance model to create your own, more complex `custom_profile.j2` template file with your playbook and provide additional variables per item. Essentially what ships with the role is a simple example that is fit for most purposes. + + + + + +## Default variables +```yaml +--- +apparmor: + custom_profiles: [] + # example + #- filename: usr.sbin.clamd + # contents: | + # /home/deploy/** r, + # + +``` + + diff --git a/roles/debian/apparmor/defaults/main.yml b/roles/debian/apparmor/defaults/main.yml new file mode 100644 index 000000000..5c83b698a --- /dev/null +++ b/roles/debian/apparmor/defaults/main.yml @@ -0,0 +1,8 @@ +--- +apparmor: + custom_profiles: [] + # example + #- filename: usr.sbin.clamd + # contents: | + # /home/deploy/** r, + # 
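Review bot: In the apparmor README and docs hunk, "copied accross" should be "copied across". More substantively, the text says `filename` must match the path of the binary, but the example `contents` (`/home/deploy/** r,`) is a single rule line rather than a profile; the docs should show the complete form the file needs (rules inside a `/usr/sbin/clamd { ... }` block, or a statement that the rules are meant for a local override file), otherwise readers will copy the example as-is and produce a file AppArmor cannot load.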
diff --git a/roles/debian/apparmor/tasks/main.yml b/roles/debian/apparmor/tasks/main.yml new file mode 100644 index 000000000..c55865577 --- /dev/null +++ b/roles/debian/apparmor/tasks/main.yml @@ -0,0 +1,28 @@ +--- +- name: Install apparmor. + ansible.builtin.apt: + pkg: apparmor + state: present + +- name: Enable and start service apparmor, if not started. + ansible.builtin.service: + name: apparmor + state: started + enabled: true + +- name: Create apparmor custom profiles. + ansible.builtin.template: + src: custom_profile.j2 + dest: "/etc/apparmor.d/{{ item.filename }}" + owner: root + group: root + mode: 0644 + force: true + with_items: "{{ apparmor.custom_profiles }}" + when: apparmor.custom_profiles | length > 0 + +- name: Reload the apparmor service. + ansible.builtin.service: + name: apparmor + state: reloaded + when: apparmor.custom_profiles | length > 0 diff --git a/roles/debian/apparmor/templates/custom_profile.j2 b/roles/debian/apparmor/templates/custom_profile.j2 new file mode 100644 index 000000000..4de85f5fa --- /dev/null +++ b/roles/debian/apparmor/templates/custom_profile.j2 @@ -0,0 +1,2 @@ +{{ ansible_managed }} +{{ item.contents }} \ No newline at end of file From 938eb2a9e6087e22bea1dcf8d5fe67795c32e3bb Mon Sep 17 00:00:00 2001 
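Review bot: The `Create apparmor custom profiles` task in roles/debian/apparmor/tasks/main.yml writes `{{ item.contents }}` verbatim to `/etc/apparmor.d/{{ item.filename }}` with `force: true`, and custom_profile.j2 adds only a bare `{{ ansible_managed }}` line, so with the documented example the file consists of "Ansible managed" followed by `/home/deploy/** r,`; neither line is valid at the top level of a profile file (the first is not a comment unless `ansible_managed` has been configured with a `#` prefix, and rules must sit inside a `/usr/sbin/clamd { ... }` block), and where the package already ships a `usr.sbin.clamd` profile the task replaces it wholesale instead of extending it. Prefix the template's first line with `# `, and either wrap `item.contents` in a profile block derived from `filename` or write to the `/etc/apparmor.d/local/` override directory that Debian profiles typically `#include`. Two smaller points: `Reload the apparmor service` runs on every play where the list is non-empty rather than when a profile changed (register the template result or use a handler), and `mode: 0644` should be quoted as `"0644"`.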
From: Greg Harvey Date: Thu, 7 Dec 2023 13:24:05 +0100 Subject: [PATCH 023/331] Phpmyadmin pr 2.x (#1286) * Fixing dependency paths. * Adding vim and unzip to common installs. * First pass at a phpMyAdmin role. --- docs/_Sidebar.md | 1 + docs/roles/debian/phpmyadmin.md | 59 ++++++++++ roles/_meta/common_base/meta/main.yml | 2 +- roles/debian/docker_compose/meta/main.yml | 2 +- roles/debian/docker_registry/meta/main.yml | 4 +- roles/debian/duplicity/meta/main.yml | 2 +- roles/debian/frontail/meta/main.yml | 2 +- roles/debian/gitlab/meta/main.yml | 2 +- roles/debian/gitlab_runner/meta/main.yml | 2 +- roles/debian/jenkins/meta/main.yml | 2 +- roles/debian/lhci/meta/main.yml | 2 +- roles/debian/mount_sync/meta/main.yml | 2 +- roles/debian/nodejs/meta/main.yml | 2 +- roles/debian/php-cli/meta/main.yml | 2 +- roles/debian/php-common/meta/main.yml | 2 +- roles/debian/php-fpm/meta/main.yml | 2 +- roles/debian/php-imagick/meta/main.yml | 3 + roles/debian/php_blackfire/meta/main.yml | 3 + roles/debian/php_composer/meta/main.yml | 2 +- roles/debian/php_xdebug/meta/main.yml | 3 + roles/debian/phpmyadmin/README.md | 59 ++++++++++ roles/debian/phpmyadmin/defaults/main.yml | 8 ++ roles/debian/phpmyadmin/meta/main.yml | 4 + roles/debian/phpmyadmin/tasks/main.yml | 19 ++++ .../templates/phpmyadmin_install.sh.j2 | 102 ++++++++++++++++++ roles/debian/selenium/meta/main.yml | 2 +- roles/debian/squashfs/meta/main.yml | 2 +- roles/debian/varnish_config/meta/main.yml | 1 - 28 files changed, 279 insertions(+), 19 deletions(-) create mode 100644 docs/roles/debian/phpmyadmin.md create mode 100644 roles/debian/php-imagick/meta/main.yml create mode 100644 roles/debian/php_blackfire/meta/main.yml create mode 100644 roles/debian/php_xdebug/meta/main.yml create mode 100644 roles/debian/phpmyadmin/README.md create mode 100644 roles/debian/phpmyadmin/defaults/main.yml create mode 100644 roles/debian/phpmyadmin/meta/main.yml create mode 100644 roles/debian/phpmyadmin/tasks/main.yml create mode 
100644 roles/debian/phpmyadmin/templates/phpmyadmin_install.sh.j2 diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 3d5705d02..3a0de5514 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -64,6 +64,7 @@ - [OSSEC](/roles/debian/ossec) - [Packer](/roles/debian/packer) - [PHP Composer](/roles/debian/php_composer) + - [phpMyAdmin](/roles/debian/phpmyadmin) - [PHP XDebug](/roles/debian/php_xdebug) - [Postfix](/roles/debian/postfix) - [Process Manager](/roles/debian/process_manager) diff --git a/docs/roles/debian/phpmyadmin.md b/docs/roles/debian/phpmyadmin.md new file mode 100644 index 000000000..3c329c981 --- /dev/null +++ b/docs/roles/debian/phpmyadmin.md 
@@ -0,0 +1,59 @@ +# phpMyAdmin +This role only installs phpMyAdmin ready for configuration, it does not do any active configuration, nor does it create the necessary NGINX vhost. It will install `debian/php-fpm` and `debian/nginx` so do review their variables and set what you need prior to running a first build with `phpmyadmin`. + +Here is an example NGINX vhost config you can copy to your `nginx.yml` file and adjust as required: + +```yaml +nginx: + domains: + - server_name: "phpmyadmin.{{ _domain_name }}" + access_log: "/var/log/nginx/access-phpmyadmin.log" + error_log: "/var/log/nginx/error-phpmyadmin.log" + error_log_level: "notice" + webroot: /home/deploy/deploy/phpmyadmin + project_type: custom + ssl: + domains: + - "phpmyadmin.{{ _domain_name }}" + handling: letsencrypt + http_01_port: 5000 + autorenew: true + email: sysadm@codeenigma.com + services: [] + web_server: standalone + certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" + certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + reload_command: reload + reload: + - nginx + renewal_minute: "0" # minute to run renewal cron job + renewal_hour: "0" # hour to run renewal cron job + renewal_weekday: "0" # day of week to run renewal + ratelimitingcrawlers: true + is_default: false + servers: + - port: 80 + ssl: false + https_redirect: true + - port: 443 + ssl: true + upstreams: [] +``` + + + + + +## Default variables +```yaml +--- +phpmyadmin: + version: 5.2.1 # see https://www.phpmyadmin.net/files/ + method: install # can be changed to 'upgrade' to overwrite an existing installation + install_path: "/home/{{ ce_deploy.username }}/deploy" + # Assuming user and group should match php-fpm by default + www_user: "{{ php.fpm.pool_user }}" + www_group: "{{ php.fpm.pool_group }}" +``` + + diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index a0c051085..8d87b016e 100644 
--- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml @@ -1,6 +1,6 @@ --- dependencies: - - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx"] } + - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx", "vim", "unzip"] } - { role: debian/apt_extra_packages, apt_extra_packages: ["dnsutils", "telnet", "atop", "sysstat"], when: ( is_local is not defined or not is_local ) } - role: debian/locales - role: debian/user_root diff --git a/roles/debian/docker_compose/meta/main.yml b/roles/debian/docker_compose/meta/main.yml index ce121af52..b696951fa 100644 --- a/roles/debian/docker_compose/meta/main.yml +++ b/roles/debian/docker_compose/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: docker_ce + - role: debian/docker_ce diff --git a/roles/debian/docker_registry/meta/main.yml b/roles/debian/docker_registry/meta/main.yml index 584bc9e27..92b6d77fd 100644 --- a/roles/debian/docker_registry/meta/main.yml +++ b/roles/debian/docker_registry/meta/main.yml @@ -1,4 +1,4 @@ --- dependencies: - - role: docker_compose - - { role: "nginx", when: docker_registry.proxy } + - role: debian/docker_compose + - { role: "debian/nginx", when: docker_registry.proxy } diff --git a/roles/debian/duplicity/meta/main.yml b/roles/debian/duplicity/meta/main.yml index d9e17a3ba..61df1afb0 100644 --- a/roles/debian/duplicity/meta/main.yml +++ b/roles/debian/duplicity/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: python_boto + - role: debian/python_boto diff --git a/roles/debian/frontail/meta/main.yml b/roles/debian/frontail/meta/main.yml index 07904f223..f532b4610 100644 --- a/roles/debian/frontail/meta/main.yml +++ b/roles/debian/frontail/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: nodejs + - role: debian/nodejs 
diff --git a/roles/debian/gitlab/meta/main.yml b/roles/debian/gitlab/meta/main.yml index e88f23152..9729c66cd 100644 --- a/roles/debian/gitlab/meta/main.yml +++ b/roles/debian/gitlab/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: apt_unattended_upgrades + - role: debian/apt_unattended_upgrades diff --git a/roles/debian/gitlab_runner/meta/main.yml b/roles/debian/gitlab_runner/meta/main.yml index e88f23152..9729c66cd 100644 --- a/roles/debian/gitlab_runner/meta/main.yml +++ b/roles/debian/gitlab_runner/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: apt_unattended_upgrades + - role: debian/apt_unattended_upgrades diff --git a/roles/debian/jenkins/meta/main.yml b/roles/debian/jenkins/meta/main.yml index 71cdcb64b..b526914b4 100644 --- a/roles/debian/jenkins/meta/main.yml +++ b/roles/debian/jenkins/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: openjdk + - role: debian/openjdk diff --git a/roles/debian/lhci/meta/main.yml b/roles/debian/lhci/meta/main.yml index 07904f223..f532b4610 100644 --- a/roles/debian/lhci/meta/main.yml +++ b/roles/debian/lhci/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: nodejs + - role: debian/nodejs diff --git a/roles/debian/mount_sync/meta/main.yml b/roles/debian/mount_sync/meta/main.yml index 2aa97d326..e04d2471c 100644 --- a/roles/debian/mount_sync/meta/main.yml +++ b/roles/debian/mount_sync/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: user_deploy \ No newline at end of file + - role: debian/user_deploy \ No newline at end of file diff --git a/roles/debian/nodejs/meta/main.yml b/roles/debian/nodejs/meta/main.yml index e88f23152..9729c66cd 100644 --- a/roles/debian/nodejs/meta/main.yml +++ b/roles/debian/nodejs/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: apt_unattended_upgrades + - role: debian/apt_unattended_upgrades diff --git a/roles/debian/php-cli/meta/main.yml b/roles/debian/php-cli/meta/main.yml index adbea07a5..b3cabd4e2 100644 
--- a/roles/debian/php-cli/meta/main.yml +++ b/roles/debian/php-cli/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: php-common + - role: debian/php-common diff --git a/roles/debian/php-common/meta/main.yml b/roles/debian/php-common/meta/main.yml index e88f23152..9729c66cd 100644 --- a/roles/debian/php-common/meta/main.yml +++ b/roles/debian/php-common/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: apt_unattended_upgrades + - role: debian/apt_unattended_upgrades diff --git a/roles/debian/php-fpm/meta/main.yml b/roles/debian/php-fpm/meta/main.yml index adbea07a5..b3cabd4e2 100644 --- a/roles/debian/php-fpm/meta/main.yml +++ b/roles/debian/php-fpm/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: php-common + - role: debian/php-common diff --git a/roles/debian/php-imagick/meta/main.yml b/roles/debian/php-imagick/meta/main.yml new file mode 100644 index 000000000..b3cabd4e2 --- /dev/null +++ b/roles/debian/php-imagick/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: debian/php-common diff --git a/roles/debian/php_blackfire/meta/main.yml b/roles/debian/php_blackfire/meta/main.yml new file mode 100644 index 000000000..b3cabd4e2 --- /dev/null +++ b/roles/debian/php_blackfire/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: debian/php-common diff --git a/roles/debian/php_composer/meta/main.yml b/roles/debian/php_composer/meta/main.yml index adbea07a5..b3cabd4e2 100644 --- a/roles/debian/php_composer/meta/main.yml +++ b/roles/debian/php_composer/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: php-common + - role: debian/php-common diff --git a/roles/debian/php_xdebug/meta/main.yml b/roles/debian/php_xdebug/meta/main.yml new file mode 100644 index 000000000..b3cabd4e2 --- /dev/null +++ b/roles/debian/php_xdebug/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: debian/php-common 
diff --git a/roles/debian/phpmyadmin/README.md b/roles/debian/phpmyadmin/README.md new file mode 100644 index 000000000..3c329c981 --- /dev/null +++ b/roles/debian/phpmyadmin/README.md 
@@ -0,0 +1,59 @@ +# phpMyAdmin +This role only installs phpMyAdmin ready for configuration, it does not do any active configuration, nor does it create the necessary NGINX vhost. It will install `debian/php-fpm` and `debian/nginx` so do review their variables and set what you need prior to running a first build with `phpmyadmin`. + +Here is an example NGINX vhost config you can copy to your `nginx.yml` file and adjust as required: + +```yaml +nginx: + domains: + - server_name: "phpmyadmin.{{ _domain_name }}" + access_log: "/var/log/nginx/access-phpmyadmin.log" + error_log: "/var/log/nginx/error-phpmyadmin.log" + error_log_level: "notice" + webroot: /home/deploy/deploy/phpmyadmin + project_type: custom + ssl: + domains: + - "phpmyadmin.{{ _domain_name }}" + handling: letsencrypt + http_01_port: 5000 + autorenew: true + email: sysadm@codeenigma.com + services: [] + web_server: standalone + certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" + certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + reload_command: reload + reload: + - nginx + renewal_minute: "0" # minute to run renewal cron job + renewal_hour: "0" # hour to run renewal cron job + renewal_weekday: "0" # day of week to run renewal + ratelimitingcrawlers: true + is_default: false + servers: + - port: 80 + ssl: false + https_redirect: true + - port: 443 + ssl: true + upstreams: [] +``` + + + + + +## Default variables +```yaml +--- +phpmyadmin: + version: 5.2.1 # see https://www.phpmyadmin.net/files/ + method: install # can be changed to 'upgrade' to overwrite an existing installation + install_path: "/home/{{ ce_deploy.username }}/deploy" + # Assuming user and group should match php-fpm by default + www_user: "{{ php.fpm.pool_user }}" + www_group: "{{ php.fpm.pool_group }}" +``` + + diff --git a/roles/debian/phpmyadmin/defaults/main.yml b/roles/debian/phpmyadmin/defaults/main.yml new file mode 100644 index 000000000..00960891a 
--- /dev/null +++ b/roles/debian/phpmyadmin/defaults/main.yml @@ -0,0 +1,8 @@ +--- +phpmyadmin: + version: 5.2.1 # see https://www.phpmyadmin.net/files/ + method: install # can be changed to 'upgrade' to overwrite an existing installation + install_path: "/home/{{ ce_deploy.username }}/deploy" + # Assuming user and group should match php-fpm by default + www_user: "{{ php.fpm.pool_user }}" + www_group: "{{ php.fpm.pool_group }}" \ No newline at end of file diff --git a/roles/debian/phpmyadmin/meta/main.yml b/roles/debian/phpmyadmin/meta/main.yml new file mode 100644 index 000000000..54ffd52ed --- /dev/null +++ b/roles/debian/phpmyadmin/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - role: debian/nginx + - role: debian/php-fpm diff --git a/roles/debian/phpmyadmin/tasks/main.yml b/roles/debian/phpmyadmin/tasks/main.yml new file mode 100644 index 000000000..474e867fb --- /dev/null +++ b/roles/debian/phpmyadmin/tasks/main.yml @@ -0,0 +1,19 @@ +--- +- name: Place the phpMyAdmin installer script on the server. + ansible.builtin.template: + src: phpmyadmin_install.sh.j2 + dest: /usr/local/bin/phpmyadmin.sh + owner: root + group: root + mode: 0755 + force: true + +- name: Execute the installer to install phpMyAdmin. + ansible.builtin.command: + cmd: "/usr/local/bin/phpmyadmin.sh -v {{ phpmyadmin.version }}" + when: phpmyadmin.method == 'install' + +- name: Execute the installer to upgrade phpMyAdmin. + ansible.builtin.command: + cmd: "/usr/local/bin/phpmyadmin.sh -u -v {{ phpmyadmin.version }}" + when: phpmyadmin.method == 'upgrade' diff --git a/roles/debian/phpmyadmin/templates/phpmyadmin_install.sh.j2 b/roles/debian/phpmyadmin/templates/phpmyadmin_install.sh.j2 new file mode 100644 index 000000000..fbe880ad8 --- /dev/null +++ b/roles/debian/phpmyadmin/templates/phpmyadmin_install.sh.j2 
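Review bot: Both `ansible.builtin.command` tasks in roles/debian/phpmyadmin/tasks/main.yml re-run the installer on every play: with `method: install` the script moves an existing `{{ phpmyadmin.install_path }}/phpmyadmin` aside to a timestamped `.bak` directory and downloads the release again each time, so repeated builds accumulate backups and the role is never idempotent. Add `creates: "{{ phpmyadmin.install_path }}/phpmyadmin"` to the install task (and for `upgrade`, check the installed version before calling the script) so Ansible reports `ok` rather than `changed` when nothing needs doing. `mode: 0755` in the template task is better written as the string `"0755"`.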
@@ -0,0 +1,102 @@ +#!/bin/bash + +usage() +{ +cat << EOF +usage: $0 -v VERSION + +Installs or upgrades phpMyAdmin to the specified version (-v). + +Arguments: + -v Version number to upgrade to + -u Upgrade an existing phpmyadmin (if there is no {{ phpmyadmin.install_path }}/phpmyadmin, it will abort. Omit if you want a fresh install) + -h This help message +EOF +} + +# Default variables +TODAY=$(date +%Y%m%d%H%M%S) +EXISTING=0 +UPGRADE=0 +VERSION= + +# Parse arguments +while getopts "v:uh" OPTION +do + case $OPTION in + h) + usage + exit + ;; + u) + UPGRADE=1 + ;; + v) + VERSION=$OPTARG + ;; + ?) + usage + exit 1 + ;; + esac +done + +# Need to be root or sudo +if [ ! `whoami` = "root" ] ; then + echo "You must run this script as root or with sudo." + exit 1 +fi + +# Exit early if we don't have a version +if [[ -z $VERSION ]]; then + echo "Please specify a version of phpMyAdmin with the -v flag, e.g -v 4.9.0.1" + exit 1 +fi + +if [ -d {{ phpmyadmin.install_path }}/phpmyadmin ]; then + echo "Found an existing phpmyadmin installation. Moving it to {{ phpmyadmin.install_path }}/phpmyadmin.bak.${TODAY}" + mv {{ phpmyadmin.install_path }}/phpmyadmin {{ phpmyadmin.install_path }}/phpmyadmin.bak.${TODAY} + EXISTING=1 +fi + +# If we want to upgrade, but there was no existing directory, bail out +if [ $EXISTING -ne 1 ] && [ $UPGRADE -eq 1 ]; then + echo "You asked to upgrade an instance of phpmyadmin, but we found no such instance. Exiting early" + exit 0 +fi + +builtin cd /tmp +echo "Downloading phpmyadmin version $VERSION..." +wget https://files.phpmyadmin.net/phpMyAdmin/${VERSION}/phpMyAdmin-${VERSION}-all-languages.zip || exit 1 + +# SHA check +wget https://files.phpmyadmin.net/phpMyAdmin/${VERSION}/phpMyAdmin-${VERSION}-all-languages.zip.sha256 || exit 1 +sha256sum phpMyAdmin-${VERSION}-all-languages.zip > ourshasum.txt +diff phpMyAdmin-${VERSION}-all-languages.zip.sha256 ourshasum.txt +if [ $? 
-ne 0 ]; then + echo "Something is wrong, we couldn't verify the SHA256 of the zip file. Please investigate manually." + if [ $EXISTING -eq 1 ]; then + echo "Moving old phpmyadmin back into place" + mv {{ phpmyadmin.install_path }}/phpmyadmin.bak.${TODAY} {{ phpmyadmin.install_path }}/phpmyadmin + fi + exit 1 +fi +echo "Unzipping phpmyadmin" +unzip phpMyAdmin-${VERSION}-all-languages.zip + +echo "Moving phpmyadmin codebase into place" +mv phpMyAdmin-${VERSION}-all-languages {{ phpmyadmin.install_path }}/phpmyadmin +mkdir -p {{ phpmyadmin.install_path }}/phpmyadmin/.well-known +chown {{ phpmyadmin.www_user }}.{{ phpmyadmin.www_group }} {{ phpmyadmin.install_path }}/phpmyadmin/.well-known + +if [ $EXISTING -eq 1 ]; then + echo "Copying old config.inc.php into place..." + cp -a {{ phpmyadmin.install_path }}/phpmyadmin.bak.${TODAY}/config.inc.php {{ phpmyadmin.install_path }}/phpmyadmin/config.inc.php +else + echo "Copying config.sample.inc.php into place..." + cp -a {{ phpmyadmin.install_path }}/phpmyadmin/config.sample.inc.php {{ phpmyadmin.install_path }}/phpmyadmin/config.inc.php + echo "Now visit https://phpsolved.com/phpmyadmin-blowfish-secret-generator/ to generate a unique blowfish secret, and add it to {{ phpmyadmin.install_path }}/phpmyadmin/config.inc.php" +fi + +rm -f /tmp/phpMyAdmin-${VERSION}-all-languages.zip +rm -f /tmp/phpMyAdmin-${VERSION}-all-languages.zip.sha256 diff --git a/roles/debian/selenium/meta/main.yml b/roles/debian/selenium/meta/main.yml index 71cdcb64b..b526914b4 100644 --- a/roles/debian/selenium/meta/main.yml +++ b/roles/debian/selenium/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - role: openjdk + - role: debian/openjdk diff --git a/roles/debian/squashfs/meta/main.yml b/roles/debian/squashfs/meta/main.yml index 2aa97d326..e04d2471c 100644 --- a/roles/debian/squashfs/meta/main.yml +++ b/roles/debian/squashfs/meta/main.yml 
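Review bot: The installer in phpmyadmin_install.sh.j2 insists on running as root yet does all its work in the shared, world-writable `/tmp` under predictable names (`builtin cd /tmp`, `phpMyAdmin-${VERSION}-all-languages.zip` and the unpacked directory of the same name); another local account can pre-create or symlink those paths before the script runs, so create a private working directory with `mktemp -d` and `cd` into it. The SHA256 step (`wget ...zip.sha256`, `sha256sum ... > ourshasum.txt`, `diff`) only proves the zip matches a checksum served by the same origin, which catches a corrupted download but not a tampered release; phpMyAdmin also publishes GPG signatures for its releases, and verifying one against a pinned key is the check that actually defends against a compromised download source. After the checksum the script keeps going regardless of failures: there is no `set -e`, and a failed `unzip` or `mv` leaves the old install renamed to `.bak.${TODAY}` with nothing in its place, whereas the checksum branch at least restores it. Finally, the fresh-install branch sends the operator to a third-party website to generate the blowfish secret; generate it locally instead (e.g. `openssl rand -base64 32`) and write it into `config.inc.php` from the script, and replace the deprecated `chown user.group` form with `user:group`.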
@@ -1,3 +1,3 @@ --- dependencies: - - role: user_deploy \ No newline at end of file + - role: debian/user_deploy \ No newline at end of file diff --git a/roles/debian/varnish_config/meta/main.yml b/roles/debian/varnish_config/meta/main.yml index a20c2436e..c2f3381ab 100644 --- a/roles/debian/varnish_config/meta/main.yml +++ b/roles/debian/varnish_config/meta/main.yml @@ -1,4 +1,3 @@ --- - dependencies: - role: geerlingguy.varnish From e295336ac8e84f51370f70be7ed6a87e168c53d3 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 7 Dec 2023 14:10:31 +0100 Subject: [PATCH 024/331] Adding support for mail aliases to the postfix role. (#1288) --- docs/roles/debian/postfix.md | 7 +++++-- roles/debian/postfix/README.md | 7 +++++-- roles/debian/postfix/defaults/main.yml | 7 +++++-- roles/debian/postfix/tasks/main.yml | 13 +++++++++++-- roles/debian/postfix/templates/aliases.j2 | 3 +++ 5 files changed, 29 insertions(+), 8 deletions(-) create mode 100644 roles/debian/postfix/templates/aliases.j2 diff --git a/docs/roles/debian/postfix.md b/docs/roles/debian/postfix.md index 6fa5e4d58..0abe2aa0b 100644 --- a/docs/roles/debian/postfix.md +++ b/docs/roles/debian/postfix.md @@ -31,8 +31,11 @@ postfix: forward_domains: - another.com - lalala.com - forward_from: "admin@example.com" - forward_to: "admin@example.com" + forward_from: admin@example.com + forward_to: admin@example.com + aliases: [] + #- user: root + # alias: admin@example.com ``` diff --git a/roles/debian/postfix/README.md b/roles/debian/postfix/README.md index 6fa5e4d58..0abe2aa0b 100644 --- a/roles/debian/postfix/README.md +++ b/roles/debian/postfix/README.md @@ -31,8 +31,11 @@ postfix: forward_domains: - another.com - lalala.com - forward_from: "admin@example.com" - forward_to: "admin@example.com" + forward_from: admin@example.com + forward_to: admin@example.com + aliases: [] + #- user: root + # alias: admin@example.com ``` 
diff --git a/roles/debian/postfix/defaults/main.yml b/roles/debian/postfix/defaults/main.yml index 91e66dc07..e0f09c009 100644 --- a/roles/debian/postfix/defaults/main.yml +++ b/roles/debian/postfix/defaults/main.yml @@ -22,5 +22,8 @@ postfix: forward_domains: - another.com - lalala.com - forward_from: "admin@example.com" - forward_to: "admin@example.com" + forward_from: admin@example.com + forward_to: admin@example.com + aliases: [] + #- user: root + # alias: admin@example.com diff --git a/roles/debian/postfix/tasks/main.yml b/roles/debian/postfix/tasks/main.yml index 941d15dc4..83c7ecec6 100644 --- a/roles/debian/postfix/tasks/main.yml +++ b/roles/debian/postfix/tasks/main.yml @@ -67,12 +67,12 @@ notify: - Reload Postfix configuration. -- name: Initialise sasl_passwd +- name: Initialise sasl_passwd. ansible.builtin.command: cmd: /usr/sbin/postmap /etc/postfix/sasl_passwd when: postfix.use_ses -- name: Configure virtual +- name: Configure virtual. ansible.builtin.template: src: "virtual.j2" dest: "/etc/postfix/virtual" @@ -84,6 +84,15 @@ - Initialise virtual. - Reload Postfix configuration. +- name: Configure mail aliases. + ansible.builtin.template: + src: aliases.j2 + dest: /etc/aliases + owner: root + group: root + mode: 0644 + when: postfix.aliases | length > 0 + - name: Ensure host maildir exists. ansible.builtin.file: path: "/home/ce-dev/var/Maildir" diff --git a/roles/debian/postfix/templates/aliases.j2 b/roles/debian/postfix/templates/aliases.j2 new file mode 100644 index 000000000..078c0c25d --- /dev/null +++ b/roles/debian/postfix/templates/aliases.j2 @@ -0,0 +1,3 @@ +{% for item in postfix.aliases %} +{{ item.user }}: {{ item.alias }} +{% endfor %} \ No newline at end of file From 370a69e650d45f2d9c490cc054d84c8d8d4fbfaa Mon Sep 17 00:00:00 2001 
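Review bot: The new `Configure mail aliases` task in roles/debian/postfix/tasks/main.yml writes `/etc/aliases` but nothing rebuilds the lookup table: Postfix reads the compiled `/etc/aliases.db`, so without a `newaliases` step (a handler wired up with `notify:`, mirroring the existing `Initialise virtual` handler) the aliases never take effect and the change stays invisible until someone runs it by hand. The template aliases.j2 also replaces the whole file with only the configured entries, dropping the `postmaster: root` line Debian ships; either keep a `postmaster` entry in the template or document that callers must provide one, as mail to postmaster is expected to be deliverable. Unquoted `mode: 0644` should be `"0644"` as elsewhere.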
From: Greg Harvey Date: Thu, 7 Dec 2023 17:41:52 +0100 Subject: [PATCH 025/331] Mail aliases pr 2.x (#1290) * Adding support for mail aliases to the postfix role. * Adding more default packages. * Fixing paths to roles. --- roles/_meta/common_base/meta/main.yml | 2 +- roles/debian/apache/tasks/domain.yml | 2 +- roles/debian/gitlab/tasks/main.yml | 4 ++-- roles/debian/gitlab_runner/tasks/main.yml | 4 ++-- roles/debian/jenkins/tasks/main.yml | 2 +- roles/debian/ldap_server/tasks/main.yml | 6 +++--- roles/debian/nginx/tasks/domain.yml | 2 +- roles/debian/nodejs/tasks/main.yml | 2 +- roles/debian/ossec/tasks/ossec-server.yml | 2 +- roles/debian/php-cli/tasks/main.yml | 2 +- roles/debian/php-common/tasks/main.yml | 6 +++--- roles/debian/php-fpm/tasks/main.yml | 2 +- roles/debian/php_blackfire/meta/main.yml | 3 --- roles/debian/php_xdebug/meta/main.yml | 3 --- roles/debian/squashfs/tasks/main.yml | 2 +- roles/debian/user_ansible/tasks/main.yml | 2 +- roles/debian/user_deploy/tasks/main.yml | 2 +- roles/debian/user_provision/tasks/main.yml | 2 +- 18 files changed, 22 insertions(+), 28 deletions(-) delete mode 100644 roles/debian/php_blackfire/meta/main.yml delete mode 100644 roles/debian/php_xdebug/meta/main.yml diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index 8d87b016e..95fcebc29 100644 --- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml 
@@ -1,6 +1,6 @@ --- dependencies: - - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx", "vim", "unzip"] } + - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx", "vim", "unzip", "ca-certificates"] } - { role: debian/apt_extra_packages, apt_extra_packages: ["dnsutils", "telnet", "atop", "sysstat"], when: ( is_local is not defined or not is_local ) } - role: debian/locales - role: debian/user_root diff --git a/roles/debian/apache/tasks/domain.yml b/roles/debian/apache/tasks/domain.yml index 8faf98599..bec82a533 100644 --- a/roles/debian/apache/tasks/domain.yml +++ b/roles/debian/apache/tasks/domain.yml @@ -1,7 +1,7 @@ --- - name: Generates SSL keys. ansible.builtin.include_role: - name: ssl + name: debian/ssl when: domain.ssl is defined vars: ssl: "{{ domain.ssl }}" diff --git a/roles/debian/gitlab/tasks/main.yml b/roles/debian/gitlab/tasks/main.yml index e92ef192a..b7c9a9953 100644 --- a/roles/debian/gitlab/tasks/main.yml +++ b/roles/debian/gitlab/tasks/main.yml @@ -51,7 +51,7 @@ - name: Install the unattended-upgrades config. ansible.builtin.include_role: - name: apt_unattended_upgrades + name: debian/apt_unattended_upgrades when: apt_unattended_upgrades.enable - name: Ensure Gitlab is installed. @@ -62,7 +62,7 @@ - name: Generates SSL keys. ansible.builtin.include_role: - name: ssl + name: debian/ssl when: gitlab.ssl.enabled vars: ssl: "{{ gitlab.ssl | combine( { 'domain': gitlab.server_name } ) }}" diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml index a418bb001..2601d8e4f 100644 --- a/roles/debian/gitlab_runner/tasks/main.yml +++ b/roles/debian/gitlab_runner/tasks/main.yml 
@@ -21,7 +21,7 @@ - name: Install the unattended-upgrades config. ansible.builtin.include_role: - name: apt_unattended_upgrades + name: debian/apt_unattended_upgrades when: apt_unattended_upgrades.enable - name: Ensure Gitlab Runner is installed. @@ -135,7 +135,7 @@ - name: Run docker_ce role when Fargate driver to be installed. ansible.builtin.include_role: - name: docker_ce + name: debian/docker_ce when: gitlab_runner.install_fargate - name: Add the ce-provision user to the docker group. diff --git a/roles/debian/jenkins/tasks/main.yml b/roles/debian/jenkins/tasks/main.yml index 24d1ff47e..a14ae2f7b 100644 --- a/roles/debian/jenkins/tasks/main.yml +++ b/roles/debian/jenkins/tasks/main.yml @@ -18,7 +18,7 @@ - name: Generates SSL keys. ansible.builtin.include_role: - name: "{{ jenkins.ssl_handling }}" + name: debian/ssl vars: ssl: domain: "{{ jenkins.server_name }}" diff --git a/roles/debian/ldap_server/tasks/main.yml b/roles/debian/ldap_server/tasks/main.yml index e8c24d13c..52fb1ccf4 100644 --- a/roles/debian/ldap_server/tasks/main.yml +++ b/roles/debian/ldap_server/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Stop slapd service. ansible.builtin.include_role: - name: process_manager + name: debian/process_manager when: ldap_server.slapd.purge vars: process_manager: @@ -58,7 +58,7 @@ - name: Stop slapd service. ansible.builtin.include_role: - name: process_manager + name: debian/process_manager vars: process_manager: process_name: slapd @@ -133,7 +133,7 @@ - name: Generate SSL keys if provided. ansible.builtin.include_role: - name: ssl + name: debian/ssl vars: ssl: "{{ ldap_server.ssl }}" diff --git a/roles/debian/nginx/tasks/domain.yml b/roles/debian/nginx/tasks/domain.yml index bf1c5c3e5..a38c4f451 100644 --- a/roles/debian/nginx/tasks/domain.yml +++ b/roles/debian/nginx/tasks/domain.yml @@ -29,7 +29,7 @@ - name: Generates SSL keys. ansible.builtin.include_role: - name: ssl + name: debian/ssl public: true when: domain.ssl is defined vars: 
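Review bot: the `jenkins/tasks/main.yml` hunk replaces `name: "{{ jenkins.ssl_handling }}"` with the fixed `debian/ssl`, so `jenkins.ssl_handling` is no longer read by this task; remove the variable from the role defaults and README (or keep the indirection as `name: "debian/{{ jenkins.ssl_handling }}"`), otherwise users can set a value that silently has no effect.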
diff --git a/roles/debian/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml index 89bf2a350..9cbf93d18 100644 --- a/roles/debian/nodejs/tasks/main.yml +++ b/roles/debian/nodejs/tasks/main.yml @@ -40,7 +40,7 @@ - name: Install the unattended-upgrades config. ansible.builtin.include_role: - name: apt_unattended_upgrades + name: debian/apt_unattended_upgrades when: apt_unattended_upgrades.enable - name: Ensure NodeJS and Yarn are installed. diff --git a/roles/debian/ossec/tasks/ossec-server.yml b/roles/debian/ossec/tasks/ossec-server.yml index 62ec8e174..b518ae2a7 100644 --- a/roles/debian/ossec/tasks/ossec-server.yml +++ b/roles/debian/ossec/tasks/ossec-server.yml @@ -48,7 +48,7 @@ - name: Generates SSL keys. ansible.builtin.include_role: - name: ssl + name: debian/ssl vars: ssl: "{{ ossec.ssl }}" diff --git a/roles/debian/php-cli/tasks/main.yml b/roles/debian/php-cli/tasks/main.yml index bdbe78b94..65f5c712a 100644 --- a/roles/debian/php-cli/tasks/main.yml +++ b/roles/debian/php-cli/tasks/main.yml @@ -52,4 +52,4 @@ - name: Setup composer. ansible.builtin.include_role: - name: php_composer + name: debian/php_composer diff --git a/roles/debian/php-common/tasks/main.yml b/roles/debian/php-common/tasks/main.yml index 939196fe5..7e54dc6cc 100644 --- a/roles/debian/php-common/tasks/main.yml +++ b/roles/debian/php-common/tasks/main.yml @@ -25,7 +25,7 @@ - name: Install the unattended-upgrades config. ansible.builtin.include_role: - name: apt_unattended_upgrades + name: debian/apt_unattended_upgrades when: apt_unattended_upgrades.enable - name: Install PHP packages. @@ -64,8 +64,8 @@ - name: Setup xdebug. ansible.builtin.include_role: - name: php_xdebug + name: debian/php_xdebug - name: Setup Blackfire. ansible.builtin.include_role: - name: php_blackfire + name: debian/php_blackfire diff --git a/roles/debian/php-fpm/tasks/main.yml b/roles/debian/php-fpm/tasks/main.yml index be6ac09fc..b485040ea 100644 --- a/roles/debian/php-fpm/tasks/main.yml 
+++ b/roles/debian/php-fpm/tasks/main.yml @@ -27,7 +27,7 @@ - name: Setup xdebug. ansible.builtin.include_role: - name: php_xdebug + name: debian/php_xdebug - name: Trigger overrides ansible.builtin.include_role: diff --git a/roles/debian/php_blackfire/meta/main.yml b/roles/debian/php_blackfire/meta/main.yml deleted file mode 100644 index b3cabd4e2..000000000 --- a/roles/debian/php_blackfire/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: debian/php-common diff --git a/roles/debian/php_xdebug/meta/main.yml b/roles/debian/php_xdebug/meta/main.yml deleted file mode 100644 index b3cabd4e2..000000000 --- a/roles/debian/php_xdebug/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: debian/php-common diff --git a/roles/debian/squashfs/tasks/main.yml b/roles/debian/squashfs/tasks/main.yml index 50aaebfd8..9635dafb2 100644 --- a/roles/debian/squashfs/tasks/main.yml +++ b/roles/debian/squashfs/tasks/main.yml @@ -12,7 +12,7 @@ - name: Allow the deploy user to mount and unmount volumes. ansible.builtin.include_role: - name: sudo_config + name: debian/sudo_config vars: sudo_config: entity_name: "{{ user_deploy.username }}" diff --git a/roles/debian/user_ansible/tasks/main.yml b/roles/debian/user_ansible/tasks/main.yml index 1598b2b5e..c40bbed11 100644 --- a/roles/debian/user_ansible/tasks/main.yml +++ b/roles/debian/user_ansible/tasks/main.yml @@ -29,7 +29,7 @@ - name: Add user to sudoers. ansible.builtin.include_role: - name: sudo_config + name: debian/sudo_config vars: sudo_config: entity_name: "{{ user_ansible.username }}" diff --git a/roles/debian/user_deploy/tasks/main.yml b/roles/debian/user_deploy/tasks/main.yml index 9b0a4708f..ff34921a7 100644 --- a/roles/debian/user_deploy/tasks/main.yml +++ b/roles/debian/user_deploy/tasks/main.yml @@ -1,5 +1,5 @@ --- - ansible.builtin.include_role: - name: user_ansible + name: debian/user_ansible vars: user_ansible: "{{ user_deploy }}" 
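Review bot: deleting `php_blackfire/meta/main.yml` and `php_xdebug/meta/main.yml` removes the dependency loop with `php-common`, which includes both roles from its own tasks (see the `php-common/tasks/main.yml` hunk above), but it also means neither role pulls in `debian/php-common` when applied on its own; if standalone use of these roles is supported, their READMEs should state that `debian/php-common` has to run first.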
diff --git a/roles/debian/user_provision/tasks/main.yml b/roles/debian/user_provision/tasks/main.yml index f0749418a..26eed327f 100644 --- a/roles/debian/user_provision/tasks/main.yml +++ b/roles/debian/user_provision/tasks/main.yml @@ -1,5 +1,5 @@ --- - ansible.builtin.include_role: - name: user_ansible + name: debian/user_ansible vars: user_ansible: "{{ user_provision }}" From 873b86d4623381fb7878fe9751d9c145164b3f67 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Fri, 8 Dec 2023 13:29:09 +0100 Subject: [PATCH 026/331] Mail aliases pr 2.x (#1293) * Adding support for mail aliases to the postfix role. * Adding more default packages. * Fixing paths to roles. * Forgot to comment the ansible_managed line. * Adding vim line to start of AppArmor template. --- roles/debian/apparmor/templates/custom_profile.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/debian/apparmor/templates/custom_profile.j2 b/roles/debian/apparmor/templates/custom_profile.j2 index 4de85f5fa..8cc08c368 100644 --- a/roles/debian/apparmor/templates/custom_profile.j2 +++ b/roles/debian/apparmor/templates/custom_profile.j2 @@ -1,2 +1,3 @@ -{{ ansible_managed }} +# vim:syntax=apparmor +# {{ ansible_managed }} {{ item.contents }} \ No newline at end of file From cc78e9b21b0ff1bbeffe6523c6b83d7c79f66fa9 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 12 Dec 2023 14:10:05 +0100 Subject: [PATCH 027/331] We can't recurse here, if EFS is already mounted it can take forever! (#1301) --- roles/debian/aws_efs_client/tasks/fstab.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/debian/aws_efs_client/tasks/fstab.yml b/roles/debian/aws_efs_client/tasks/fstab.yml index 7236a8c00..0b7aac6bb 100644 --- a/roles/debian/aws_efs_client/tasks/fstab.yml +++ b/roles/debian/aws_efs_client/tasks/fstab.yml @@ -15,7 +15,6 @@ state: directory owner: "{{ mount.owner }}" group: "{{ mount.group }}" - recurse: true - name: Create fstab entry. ansible.posix.mount: 
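Review bot: dropping `recurse: true` in the `aws_efs_client/tasks/fstab.yml` hunk is the right fix for a mount point that may already have EFS mounted on it (a recursive chown over a network filesystem is what made runs hang), but note the consequence: `owner` and `group` now apply only to the empty directory under the mount, and once the share is mounted the root of the EFS volume is what is visible, so ownership of the data itself has to be managed on the filesystem rather than by this task.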
From dc831d54d7cd62ddc2729694f64cc6b488ea113e Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 12 Dec 2023 14:10:47 +0100 Subject: [PATCH 028/331] Mail aliases pr 2.x (#1295) * Adding support for mail aliases to the postfix role. * Adding more default packages. * Fixing paths to roles. * Forgot to comment the ansible_managed line. * Adding vim line to start of AppArmor template. * Fixing EOF in apparmor template. --- roles/debian/apparmor/templates/custom_profile.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/apparmor/templates/custom_profile.j2 b/roles/debian/apparmor/templates/custom_profile.j2 index 8cc08c368..8037a1178 100644 --- a/roles/debian/apparmor/templates/custom_profile.j2 +++ b/roles/debian/apparmor/templates/custom_profile.j2 @@ -1,3 +1,3 @@ # vim:syntax=apparmor # {{ ansible_managed }} -{{ item.contents }} \ No newline at end of file +{{ item.contents }} From 51e59f63dffd9aee22839831e24e3f115ea02bce Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 12 Dec 2023 14:14:10 +0100 Subject: [PATCH 029/331] Removing APP_ENV from Symfony4 NGINX conf, set in .env file. (#1303) --- roles/debian/nginx/templates/symfony4.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/debian/nginx/templates/symfony4.j2 b/roles/debian/nginx/templates/symfony4.j2 index 97fafc989..1bab930bf 100644 --- a/roles/debian/nginx/templates/symfony4.j2 +++ b/roles/debian/nginx/templates/symfony4.j2 @@ -7,7 +7,6 @@ location ~ \.php(/|$) { fastcgi_pass {{ nginx.php_fastcgi_backend }}; fastcgi_split_path_info ^(.+\.php)(/.*)$; include fastcgi_params; - fastcgi_param APP_ENV {{ symfony_env }}; fastcgi_param APP_DEBUG 1; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; From abc2b25fd6e9be425e30504da81d496ea54d5e91 Mon Sep 17 00:00:00 2001 
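Review bot: with `fastcgi_param APP_ENV {{ symfony_env }};` removed from `nginx/templates/symfony4.j2`, the template still hard-codes `fastcgi_param APP_DEBUG 1;`, so every vhost rendered from it runs Symfony with debug enabled no matter which `APP_ENV` the `.env` file selects; debug mode serves stack traces and the profiler to clients, so `APP_DEBUG` should move to `.env` as well (or be made conditional on `symfony_env`) rather than staying fixed in the server config.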
From: Greg Harvey Date: Mon, 18 Dec 2023 11:08:03 +0100 Subject: [PATCH 030/331] Bug fixes 2.x pr 2.x (#1310) * Improving AWS subnet docs. * Error in timers structure in the SSL role. --- roles/debian/nginx/defaults/main.yml | 1 + roles/debian/ssl/tasks/letsencrypt.yml | 3 +-- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index 61f2be571..64dbc76fa 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml @@ -57,6 +57,7 @@ nginx: # reload_command: restart # reload: # - nginx + # on_calendar: "Mon *-*-* 04:00:00" ratelimitingcrawlers: true is_default: true basic_auth: diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml index 616040ae1..65ff333b4 100644 --- a/roles/debian/ssl/tasks/letsencrypt.yml +++ b/roles/debian/ssl/tasks/letsencrypt.yml @@ -87,6 +87,5 @@ ansible.builtin.include_role: name: contrib/systemd_timers vars: - timers: - certbot_renewal: "{{ _certbot_renewal_timer }}" + timers: "{{ _certbot_renewal_timer }}" when: ssl.autorenew From 5f009b7f6b4da7510a1b2e46610f740b8e149441 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 21 Dec 2023 16:04:32 +0100 Subject: [PATCH 031/331] Bug fixes 2.x pr 2.x (#1323) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. --- roles/debian/firewall_config/tasks/main.yml | 10 ------ roles/debian/ldap_server/tasks/main.yml | 11 ------- roles/debian/lhci/tasks/main.yml | 34 --------------------- 3 files changed, 55 deletions(-) diff --git a/roles/debian/firewall_config/tasks/main.yml b/roles/debian/firewall_config/tasks/main.yml index 66941b51a..cf770ab4e 100644 --- a/roles/debian/firewall_config/tasks/main.yml +++ b/roles/debian/firewall_config/tasks/main.yml 
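Review bot: the `ssl/tasks/letsencrypt.yml` hunk now passes `_certbot_renewal_timer` straight through as `timers`, dropping the `certbot_renewal:` key that used to wrap it; where that fact is built is not part of this diff, so confirm it already yields a mapping keyed by timer name (the shape the old nesting produced), otherwise `contrib/systemd_timers` receives the timer's own fields at the top level. The `nginx/defaults/main.yml` hunk only adds a commented `on_calendar` example and needs no change.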
@@ -1,14 +1,4 @@ --- -# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done -- name: Install iptables with backports. # we have to do this in ce-dev or the contrib role will fail - ansible.builtin.apt: - pkg: ["iptables"] - state: present - default_release: buster-backports - when: - - is_local is defined - - is_local - - name: Shift general firewall settings to expected variables. ansible.builtin.set_fact: firewall_state: "{{ firewall_config.firewall_state }}" diff --git a/roles/debian/ldap_server/tasks/main.yml b/roles/debian/ldap_server/tasks/main.yml index 52fb1ccf4..9a773da58 100644 --- a/roles/debian/ldap_server/tasks/main.yml +++ b/roles/debian/ldap_server/tasks/main.yml @@ -14,21 +14,10 @@ purge: true when: ldap_server.slapd.purge -# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done -- name: Ensure LDAP and dependencies are installed from backports. - ansible.builtin.apt: - pkg: ["slapd", "ldapscripts", "libldap2-dev"] # python-ldap needs libldap2-dev - state: present - default_release: buster-backports - when: - - is_local is defined - - is_local - - name: Ensure LDAP and python-ldap and dependencies are installed. ansible.builtin.apt: pkg: ["slapd", "ldapscripts", "libldap2-dev"] state: present - when: is_local is not defined - name: Ensure additional dependencies for python-ldap are installed. ansible.builtin.apt: diff --git a/roles/debian/lhci/tasks/main.yml b/roles/debian/lhci/tasks/main.yml index c92447d4b..56c1fd9c9 100644 --- a/roles/debian/lhci/tasks/main.yml +++ b/roles/debian/lhci/tasks/main.yml 
@@ -10,26 +10,6 @@ state: present filename: google-chrome -# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done -- name: Install Google Chrome "headful" mode dependencies from backports. - ansible.builtin.apt: - name: - - xorg - - xvfb - - gtk2-engines-pixbuf - - dbus-x11 - - xfonts-base - - xfonts-100dpi - - xfonts-75dpi - - xfonts-cyrillic - - xfonts-scalable - default_release: buster-backports - state: present - when: - - is_local - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "10" - - name: Install Google Chrome "headful" mode dependencies. ansible.builtin.apt: name: @@ -43,19 +23,6 @@ - xfonts-cyrillic - xfonts-scalable state: present - when: is_local is not defined - -# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done -- name: Install VNC support from backports. - ansible.builtin.apt: - name: x11vnc - default_release: buster-backports - state: present - when: - - lhci.enable_vnc - - is_local - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "10" - name: Install VNC support. ansible.builtin.apt: @@ -63,7 +30,6 @@ state: present when: - lhci.enable_vnc - - is_local is not defined - name: Configure Xvfb to start on boot. ansible.builtin.shell: | From 3cf5e96bc44cdf823fdf1048fdfd02560bbe9c84 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 21 Dec 2023 16:50:44 +0100 Subject: [PATCH 032/331] Bug fixes 2.x pr 2.x (#1325) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. --- roles/aws/aws_iam_saml/templates/access_billing_policy.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 b/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 index cf20372f8..714056642 100644 --- a/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 
+++ b/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 @@ -9,7 +9,8 @@ "freetier:*", "ce:*", "cur:*", - "tax:*" + "tax:*", + "sustainability:*" ], "Effect": "Allow", "Resource": "*" From 1faf72c01c01515769a47e30e421878a78481cf5 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Fri, 22 Dec 2023 13:37:11 +0100 Subject: [PATCH 033/331] Bug fixes 2.x pr 2.x (#1332) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. From 67617807509ec2746ef93461900480996abd7630 Mon Sep 17 00:00:00 2001 
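Review bot: the `access_billing_policy.j2` hunk adds `"sustainability:*"` to an `Allow` statement on `"Resource": "*"`, next to `ce:*`, `cur:*`, `tax:*` and `freetier:*`; a billing-viewer role only needs the read-only action (`sustainability:GetCarbonFootprintSummary`) to use the Customer Carbon Footprint Tool, so prefer that to the wildcard and consider trimming the other `*` actions to the `Get*`/`Describe*` calls the role actually uses. The follow-up `#1332` commit message mentions a missing comma in this policy but no diff for it is present here.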
From: Greg Harvey Date: Fri, 5 Jan 2024 17:34:40 +0100 Subject: [PATCH 034/331] Openvpn script pr 2.x (#1329) * Removing old ovpn role. * Adding a first pass at a new openvpn role. * Adding new line at end of script. * Adding push route handling. * Handle duplicate-cn and float OpenVPN options. * Sorting out LDAP and PAM integration. * Allowing setting of cipher and client IP range. * Updating docs. * Fixing some defaults. * Ensuring the OpenVPN LDAP config directory exists. * Erroneous extra line. * Fixing syntax error in 'or'. * More docs updates. * Need the LDAP SSL cert basename in config. * Some tweaks to config. * Reordering variables and adding some client config options. * Reordering for clarity and allowing setting of server TLS cipher. --- docs/roles/debian/nginx.md | 7 +- docs/roles/debian/openvpn.md | 32 ++- docs/roles/debian/openvpn_config.md | 69 ------ roles/debian/nginx/README.md | 7 +- roles/debian/openvpn/README.md | 32 ++- roles/debian/openvpn/defaults/main.yml | 29 ++- roles/debian/openvpn/tasks/main.yml | 103 +++++--- .../templates/headless-openvpn-install.sh.j2 | 4 +- .../debian/openvpn/templates/openvpn.ldap.j2 | 2 +- roles/debian/openvpn_config/README.md | 69 ------ roles/debian/openvpn_config/defaults/main.yml | 54 ----- roles/debian/openvpn_config/tasks/main.yml | 155 ------------ .../templates/auth-ldap.conf.j2 | 39 --- .../openvpn_config/templates/openvpn.j2 | 3 - roles/debian/openvpn_config/templates/vars.j2 | 222 ------------------ roles/debian/php-fpm/tasks/main.yml | 1 - 16 files changed, 138 insertions(+), 690 deletions(-) delete mode 100644 docs/roles/debian/openvpn_config.md delete mode 100644 roles/debian/openvpn_config/README.md delete mode 100644 roles/debian/openvpn_config/defaults/main.yml delete mode 100644 roles/debian/openvpn_config/tasks/main.yml delete mode 100644 roles/debian/openvpn_config/templates/auth-ldap.conf.j2 delete mode 100644 roles/debian/openvpn_config/templates/openvpn.j2 delete mode 100644 
roles/debian/openvpn_config/templates/vars.j2 diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 9e7de8dcf..c3cb22c08 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md @@ -34,10 +34,9 @@ nginx: # Group prefix. Useful for grouping by environments. log_group_prefix: "" # Main log stream for nginx (Cloudwatch). - log_stream_name: example - # We can only have one backend, due to the way we use "common" templates. - # Moving this per domain means instead having templates per project type. - php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" + log_stream_name: example # We can only have one backend, due to the way we use "common" templates, moving this per domain means instead having templates per project type. + # See php.fpm.unix_socket, if true use a socket here: + php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" ratelimitingcrawlers: false client_max_body_size: "700M" fastcgi_read_timeout: 60 diff --git a/docs/roles/debian/openvpn.md b/docs/roles/debian/openvpn.md index 61ef449e9..54fa885b6 100644 --- a/docs/roles/debian/openvpn.md +++ b/docs/roles/debian/openvpn.md 
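Review bot: in the `docs/roles/debian/nginx.md` hunk the comment "We can only have one backend, due to the way we use common templates" has been appended to the `log_stream_name: example` line, where it reads as a description of the log stream; keep it on its own comment line directly above `php_fastcgi_backend`, together with the new `php.fpm.unix_socket` note, so the two settings are documented in the right place. The same change is repeated in `roles/debian/nginx/README.md` and needs the same fix.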
@@ -1,6 +1,9 @@ # OpenVPN This role installs [the `openvpn-install.sh`` bash script from GitHub](https://github.com/angristan/openvpn-install) and optionally runs it in headless mode. +## Server address +This will be detected automatically as the IP address of the server. If the server is configured with only internal addressing then the script will attempt to look up the public IP. To specify a value use `openvpn.nat_endpoint`. + ## PAM authentication There are two options here, one is simple PAM authentication against Linux users, the other is PAM authentication with LDAP. If you want to provide a custom PAM configuration you should set `openvpn.pam.enabled` to `true` and create your own template to override the `openvpn.pam.j2` template provided. This file is placed in `/etc/pam.d/openvpn` and loaded by the OpenVPN authentication module to perform authorisation checks. 
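Review bot: the new `## Server address` section in `docs/roles/debian/openvpn.md` says the script falls back to looking up the public IP when the host only has internal addressing; the commented `nat_endpoint` example later in the same file (`$(curl -4 ifconfig.co)`) shows this is an outbound query to a third-party service at provisioning time, so the endpoint written into every client profile depends on that service's answer. Recommend stating here that `openvpn.nat_endpoint` should be set explicitly for servers behind NAT or with a known DNS name. Unrelated to the change, the opening line still has a stray second backtick after `openvpn-install.sh`.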
@@ -18,27 +21,18 @@ At the moment we do not support headless customisation of encryption settings. T openvpn: script_install_path: "/home/{{ user_provision.username }}" auto_install: true - name: vpn.example.com + # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) - approve_ip: "y" - ipv6_support: "n" - port_choice: "1" # 1 = use default 1194, 3 means use a random port - protocol_choice: "1" # 1 = udp, 2 = tcp - dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 - compression_enabled: "n" - compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 - customize_enc: "n" - pass: "1" - #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install push_routes_ipv4: [] # list of VPN push routes for ipv4 networks # Examples: # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask" # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 - # - www.google-analytics.com # push any IP resolving to www.google-analytics.com + # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com, must set allow_pull_fqdn to true push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y" + # PAM and LDAP authentication pam: enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian module_path: 
/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so # use `dpkg -L openvpn | grep '\bpam\b'` to discover the path @@ -55,6 +49,20 @@ openvpn: group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" + # post install client config tweaks + tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 + allow_pull_fqdn: true # this must be enabled if you want to push FQDNs (option allow-pull-fqdn) + auth_user_pass: false # enforce authorisation with a username and password - desired for LDAP authentication + # headless script variables + approve_ip: "y" + ipv6_support: "n" + port_choice: "1" # 1 = use default 1194, 3 means use a random port + protocol_choice: "1" # 1 = udp, 2 = tcp + dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 + compression_enabled: "n" + compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 + test_username: example # this will be used to create a client config in the `script_install_path` location + #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install ``` diff --git a/docs/roles/debian/openvpn_config.md b/docs/roles/debian/openvpn_config.md deleted file mode 100644 index 02bbd8167..000000000 --- a/docs/roles/debian/openvpn_config.md +++ /dev/null 
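Review bot: in the second `openvpn.md` hunk `auth_user_pass: false` is the default even though the `pam` block above exists to force username/password checks; when `pam.enabled` is true the server-side PAM plugin demands credentials, so a client profile generated without `auth-user-pass` cannot connect. Either derive the default from `pam.enabled` or say in the comment that the two must be enabled together. Separately, `test_username: example` produces a working client config (the upstream script writes an `.ovpn` with the client certificate and key inline) under `script_install_path`, which is the provision user's home directory; the docs should say that this file is a valid VPN credential and needs to be removed or locked down after provisioning. The same block is duplicated in `roles/debian/openvpn/README.md` and `defaults/main.yml`.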
@@ -1,69 +0,0 @@ -# OpenVPN Config -This role is used to install an OpenVPN server with an Ansible Galaxy role and corresponding configuration afterwards. The Galaxy role is here: - -* https://galaxy.ansible.com/robertdebock/openvpn - - - - - -## Default variables -```yaml ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - 
auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so - -``` - - diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 9e7de8dcf..c3cb22c08 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md @@ -34,10 +34,9 @@ nginx: # Group prefix. Useful for grouping by environments. log_group_prefix: "" # Main log stream for nginx (Cloudwatch). - log_stream_name: example - # We can only have one backend, due to the way we use "common" templates. - # Moving this per domain means instead having templates per project type. - php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" + log_stream_name: example # We can only have one backend, due to the way we use "common" templates, moving this per domain means instead having templates per project type. + # See php.fpm.unix_socket, if true use a socket here: + php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" ratelimitingcrawlers: false client_max_body_size: "700M" fastcgi_read_timeout: 60 diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md index 61ef449e9..54fa885b6 100644 --- a/roles/debian/openvpn/README.md +++ b/roles/debian/openvpn/README.md 
@@ -1,6 +1,9 @@ # OpenVPN This role installs [the `openvpn-install.sh`` bash script from GitHub](https://github.com/angristan/openvpn-install) and optionally runs it in headless mode. +## Server address +This will be detected automatically as the IP address of the server. If the server is configured with only internal addressing then the script will attempt to look up the public IP. To specify a value use `openvpn.nat_endpoint`. + ## PAM authentication There are two options here, one is simple PAM authentication against Linux users, the other is PAM authentication with LDAP. If you want to provide a custom PAM configuration you should set `openvpn.pam.enabled` to `true` and create your own template to override the `openvpn.pam.j2` template provided. This file is placed in `/etc/pam.d/openvpn` and loaded by the OpenVPN authentication module to perform authorisation checks. 
@@ -18,27 +21,18 @@ At the moment we do not support headless customisation of encryption settings. T openvpn: script_install_path: "/home/{{ user_provision.username }}" auto_install: true - name: vpn.example.com + # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) - approve_ip: "y" - ipv6_support: "n" - port_choice: "1" # 1 = use default 1194, 3 means use a random port - protocol_choice: "1" # 1 = udp, 2 = tcp - dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 - compression_enabled: "n" - compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 - customize_enc: "n" - pass: "1" - #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install push_routes_ipv4: [] # list of VPN push routes for ipv4 networks # Examples: # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask" # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 - # - www.google-analytics.com # push any IP resolving to www.google-analytics.com + # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com, must set allow_pull_fqdn to true push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y" + # PAM and LDAP authentication pam: enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian module_path: 
/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so # use `dpkg -L openvpn | grep '\bpam\b'` to discover the path @@ -55,6 +49,20 @@ openvpn: group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" + # post install client config tweaks + tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 + allow_pull_fqdn: true # this must be enabled if you want to push FQDNs (option allow-pull-fqdn) + auth_user_pass: false # enforce authorisation with a username and password - desired for LDAP authentication + # headless script variables + approve_ip: "y" + ipv6_support: "n" + port_choice: "1" # 1 = use default 1194, 3 means use a random port + protocol_choice: "1" # 1 = udp, 2 = tcp + dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 + compression_enabled: "n" + compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 + test_username: example # this will be used to create a client config in the `script_install_path` location + #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install ``` diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml index 7489aedbc..21ad4bc44 100644 --- a/roles/debian/openvpn/defaults/main.yml +++ b/roles/debian/openvpn/defaults/main.yml 
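Review bot: `auth_user_pass: false` with the comment "desired for LDAP authentication" leaves the reader to infer that it must be switched on whenever `pam.enabled` or `ldap.enabled` is true; since either flag makes the server load the PAM plugin (the `plugin {{ openvpn.pam.module_path }} openvpn` block in tasks), clients built from a template that lacks `auth-user-pass` will be rejected at login, so state that dependency here. `test_username: example` also deserves a warning: the headless template hard-codes `PASS=1`, so the `.ovpn` dropped in `script_install_path` carries an unencrypted client key, a working VPN credential sitting in the provision user's home; say that it is meant for testing and should be revoked or removed afterwards. Finally, the `nat_endpoint` example `$(curl -4 ifconfig.co)` has no scheme, so curl fetches the answer over plain HTTP, and that answer is expanded inside a root-run install script and baked into client profiles as the server address; use `https://ifconfig.co` at minimum and prefer a fixed value where one is known.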
@@ -2,27 +2,18 @@ openvpn: script_install_path: "/home/{{ user_provision.username }}" auto_install: true - name: vpn.example.com + # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410 allow_floating_client_ip: true # allow for ISP address change with DHCP (option float) multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn) - approve_ip: "y" - ipv6_support: "n" - port_choice: "1" # 1 = use default 1194, 3 means use a random port - protocol_choice: "1" # 1 = udp, 2 = tcp - dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 - compression_enabled: "n" - compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 - customize_enc: "n" - pass: "1" - #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install push_routes_ipv4: [] # list of VPN push routes for ipv4 networks # Examples: # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask" # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 - # - www.google-analytics.com # push any IP resolving to www.google-analytics.com + # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com, must set allow_pull_fqdn to true push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y" + # PAM and LDAP authentication pam: enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian module_path: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so # use `dpkg -L openvpn | grep 
'\bpam\b'` to discover the path @@ -39,3 +30,17 @@ openvpn: group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" + # post install client config tweaks + tls_cipher: "" # defaults to TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L486-L518 + allow_pull_fqdn: true # this must be enabled if you want to push FQDNs (option allow-pull-fqdn) + auth_user_pass: false # enforce authorisation with a username and password - desired for LDAP authentication + # headless script variables + approve_ip: "y" + ipv6_support: "n" + port_choice: "1" # 1 = use default 1194, 3 means use a random port + protocol_choice: "1" # 1 = udp, 2 = tcp + dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 + compression_enabled: "n" + compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 + test_username: example # this will be used to create a client config in the `script_install_path` location + #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml index 55186fef1..4943530c0 100644 --- a/roles/debian/openvpn/tasks/main.yml +++ b/roles/debian/openvpn/tasks/main.yml @@ -21,6 +21,7 @@ cmd: "{{ openvpn.script_install_path }}/headless-openvpn-install.sh" when: openvpn.auto_install +# Tweak server config - name: Allow multiple simultaneous VPN connections. ansible.builtin.lineinfile: path: /etc/openvpn/server.conf 
@@ -28,44 +29,22 @@ when: openvpn.multiple_connections notify: Restart OpenVPN. -- name: Add ipv4 push routes comment for readability. +- name: Allow client IP to float without disconnecting. ansible.builtin.lineinfile: path: /etc/openvpn/server.conf line: float when: openvpn.allow_floating_client_ip notify: Restart OpenVPN. -# Push routes -- name: Add ipv4 push routes comment for readability. - ansible.builtin.lineinfile: - path: /etc/openvpn/server.conf - line: "# ipv4 push routes" - when: openvpn.push_routes_ipv4 | length > 0 - -- name: Add ipv4 push routes to the VPN. - ansible.builtin.lineinfile: - path: /etc/openvpn/server.conf - line: 'push "route {{ item }}"' - with_items: "{{ openvpn.push_routes_ipv4 }}" - when: openvpn.push_routes_ipv4 | length > 0 - notify: Restart OpenVPN. - -- name: Add ipv6 push routes comment for readability. - ansible.builtin.lineinfile: - path: /etc/openvpn/server.conf - line: "# ipv6 push routes" - when: - - openvpn.push_routes_ipv6 | length > 0 - - openvpn.ipv6_support == "y" - -- name: Add ipv6 push routes to the VPN. +- name: Replace OpenVPN server tls-cipher. ansible.builtin.lineinfile: path: /etc/openvpn/server.conf - line: 'push "route-ipv6 {{ item }}"' - with_items: "{{ openvpn.push_routes_ipv6 }}" - when: - - openvpn.push_routes_ipv6 | length > 0 - - openvpn.ipv6_support == "y" + search_string: 'tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256' + line: "tls-cipher {{ openvpn.tls_cipher }}" + owner: root + group: root + mode: '0644' + when: openvpn.tls_cipher | length > 0 notify: Restart OpenVPN. - name: Replace OpenVPN client IP range. 
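Review bot: "Replace OpenVPN server tls-cipher" matches the literal default `tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256` with `search_string`; if the installed version of the upstream script writes a different default (or none), lineinfile finds nothing and appends a second `tls-cipher` line to server.conf instead of replacing the existing one, leaving two directives in the file. Match the directive rather than its value, `regexp: '^tls-cipher '`, which also makes re-runs after a value change unambiguous. Renaming the `float` task away from the copy-pasted "Add ipv4 push routes comment for readability." is right.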
@@ -100,6 +79,39 @@ when: openvpn.cipher | length > 0 notify: Restart OpenVPN. +# Push routes +- name: Add ipv4 push routes comment for readability. + ansible.builtin.lineinfile: + path: /etc/openvpn/server.conf + line: "# ipv4 push routes" + when: openvpn.push_routes_ipv4 | length > 0 + +- name: Add ipv4 push routes to the VPN. + ansible.builtin.lineinfile: + path: /etc/openvpn/server.conf + line: 'push "route {{ item }}"' + with_items: "{{ openvpn.push_routes_ipv4 }}" + when: openvpn.push_routes_ipv4 | length > 0 + notify: Restart OpenVPN. + +- name: Add ipv6 push routes comment for readability. + ansible.builtin.lineinfile: + path: /etc/openvpn/server.conf + line: "# ipv6 push routes" + when: + - openvpn.push_routes_ipv6 | length > 0 + - openvpn.ipv6_support == "y" + +- name: Add ipv6 push routes to the VPN. + ansible.builtin.lineinfile: + path: /etc/openvpn/server.conf + line: 'push "route-ipv6 {{ item }}"' + with_items: "{{ openvpn.push_routes_ipv6 }}" + when: + - openvpn.push_routes_ipv6 | length > 0 + - openvpn.ipv6_support == "y" + notify: Restart OpenVPN. + # PAM integration - name: Ensure the OpenVPN PAM config is in place. ansible.builtin.template: @@ -120,6 +132,12 @@ group: root when: openvpn.ldap.enabled +- name: Ensure the OpenVPN LDAP config directory exists. + ansible.builtin.file: + path: /etc/openvpn/ldap + state: directory + mode: '0755' + - name: Ensure the pam-ldap config for OpenVPN is in place. ansible.builtin.template: src: openvpn.ldap.j2 
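Review bot: the push-route tasks only ever add lines (`lineinfile` with `line: 'push "route {{ item }}"'` per item), so a route removed from `push_routes_ipv4` or `push_routes_ipv6` stays in server.conf and keeps being pushed to clients until someone edits the file by hand; pushed routes decide what clients can reach, so manage the block as a whole (a `blockinfile` with markers, or a templated section) so that removals take effect on the next run. Also, the new "Ensure the OpenVPN LDAP config directory exists." task has no `when: openvpn.ldap.enabled` and sets `mode` without `owner`/`group`, unlike the tasks around it.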
@@ -136,9 +154,32 @@ block: | # Let OpenVPN use PAM for authentication plugin {{ openvpn.pam.module_path }} openvpn - when: openvpn.pam.enabled || openvpn.ldap.enabled + when: openvpn.pam.enabled or openvpn.ldap.enabled notify: Restart OpenVPN. +# Tweak client config template +- name: Replace OpenVPN client tls-cipher. + ansible.builtin.lineinfile: + path: /etc/openvpn/client-template.txt + search_string: 'tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256' + line: "tls-cipher {{ openvpn.tls_cipher }}" + owner: root + group: root + mode: '0644' + when: openvpn.tls_cipher | length > 0 + +- name: Allow FQDN push routes. + ansible.builtin.lineinfile: + path: /etc/openvpn/client-template.txt + line: allow-pull-fqdn + when: openvpn.allow_pull_fqdn + +- name: Enforce username and password authentication. + ansible.builtin.lineinfile: + path: /etc/openvpn/client-template.txt + line: auth-user-pass + when: openvpn.auth_user_pass + # Installation complete - provide user information - name: Service notice. ansible.builtin.debug: diff --git a/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2 b/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2 index e12d97e02..f621f7e2d 100644 --- a/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2 +++ b/roles/debian/openvpn/templates/headless-openvpn-install.sh.j2 @@ -11,8 +11,8 @@ export DNS={{ openvpn.dns }} export COMPRESSION_ENABLED={{ openvpn.compression_enabled }} export COMPRESSION_CHOICE={{ openvpn.compression_choice }} export CUSTOMIZE_ENC=n -export CLIENT={{ openvpn.name }} -export PASS={{ openvpn.pass }} +export CLIENT={{ openvpn.test_username }} +export PASS=1 {% if openvpn.nat_endpoint is defined and openvpn.nat_endpoint | length %} export ENDPOINT={{ openvpn.nat_endpoint }} {% endif %} diff --git a/roles/debian/openvpn/templates/openvpn.ldap.j2 b/roles/debian/openvpn/templates/openvpn.ldap.j2 index 8001245d8..a769548ab 100644 --- a/roles/debian/openvpn/templates/openvpn.ldap.j2 
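Review bot: "Enforce username and password authentication." adds `auth-user-pass` to the client template only `when: openvpn.auth_user_pass`, while the server loads the PAM plugin `when: openvpn.pam.enabled or openvpn.ldap.enabled`; with the default `auth_user_pass: false`, every profile generated on a PAM/LDAP server lacks the directive and is rejected at auth. Use `when: openvpn.auth_user_pass or openvpn.pam.enabled or openvpn.ldap.enabled`. The client `tls-cipher` task has the same `search_string` fragility as the server one (prefer `regexp: '^tls-cipher '`). In the headless template, `export PASS=1` is now hard-coded, so the `test_username` profile is always created with an unencrypted key, and `export ENDPOINT={{ openvpn.nat_endpoint }}` pastes an inventory value verbatim into a root-run shell script; that is what makes the `$(curl ...)` example work, but a comment that the variable must come only from trusted inventory would not hurt. The `||` to `or` change in the plugin block's `when` is a genuine fix, since `||` is not a Jinja2 operator.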
+++ b/roles/debian/openvpn/templates/openvpn.ldap.j2 @@ -30,5 +30,5 @@ ssl on {% if openvpn.ldap.ssl_certificate_check is defined and not openvpn.ldap.ssl_certificate_check %} tls_checkpeer no {% endif %} -tls_cacertfile /etc/ldap/ssl/{{ openvpn.ldap.ssl_certificate }} +tls_cacertfile /etc/ldap/ssl/{{ openvpn.ldap.ssl_certificate | basename }} {% endif %} diff --git a/roles/debian/openvpn_config/README.md b/roles/debian/openvpn_config/README.md deleted file mode 100644 index 02bbd8167..000000000 --- a/roles/debian/openvpn_config/README.md +++ /dev/null 
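Review bot: `| basename` on `tls_cacertfile` fixes the doubled path when `pam_ldap.ssl_certificate` holds a full path, but with the `default('')` in defaults the same line renders as `tls_cacertfile /etc/ldap/ssl/` when no certificate is set, unless the enclosing `{% if %}` (whose condition is outside this hunk) already requires a non-empty value; worth confirming. The adjacent `tls_checkpeer no` branch turns off verification of the LDAP server certificate while `ssl on` is set, which lets an on-path LDAP impersonator collect every VPN user's credentials; the README should spell that out next to `ssl_certificate_check` rather than present it as a plain toggle.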
@@ -1,69 +0,0 @@ -# OpenVPN Config -This role is used to install an OpenVPN server with an Ansible Galaxy role and corresponding configuration afterwards. The Galaxy role is here: - -* https://galaxy.ansible.com/robertdebock/openvpn - - - - - -## Default variables -```yaml ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - 
auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so - -``` - - diff --git a/roles/debian/openvpn_config/defaults/main.yml b/roles/debian/openvpn_config/defaults/main.yml deleted file mode 100644 index 6c711fe99..000000000 --- a/roles/debian/openvpn_config/defaults/main.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so 
diff --git a/roles/debian/openvpn_config/tasks/main.yml b/roles/debian/openvpn_config/tasks/main.yml deleted file mode 100644 index b07353521..000000000 --- a/roles/debian/openvpn_config/tasks/main.yml +++ /dev/null 
@@ -1,155 +0,0 @@ ---- -- name: "Ensure {{ openvpn_config.easyrsa_path }} exists." - ansible.builtin.file: - path: "{{ openvpn_config.easyrsa_path }}" - state: directory - owner: root - group: root - mode: "0755" - -# The Galaxy role creates the certs every time it runs using easy-rsa so we set a vars file: -# https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example -- name: Place easy-rsa vars file for SSL cert generation. - ansible.builtin.template: - src: vars.j2 - dest: "{{ openvpn_config.easyrsa_path }}/vars" - owner: root - group: root - mode: "0644" - when: - - openvpn_config.install - -- name: Install OpenVPN server. - ansible.builtin.include_role: - name: robertdebock.openvpn - when: - - openvpn_config.install - -# Loop files from https://github.com/robertdebock/ansible-role-openvpn/blob/master/tasks/server.yml#L58 -- name: Ensure keys permission are correct. - ansible.builtin.file: - path: /etc/openvpn/server/{{ item | basename }} - mode: "0600" - loop: - - ca.crt - - dh.pem - - ta.key - - issued/client.crt - - issued/server.crt - - private/ca.key - - private/client.key - - private/server.key - -# Manipulate the server.conf file set by the OpenVPN role in Galaxy -- name: Prevent pushing DNS servers. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "dhcp-option DNS" - state: absent - -- name: Remove remote-cert-eku assumption. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "remote-cert-eku" - state: absent - -- name: Make forced redirect optional. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "redirect-gateway def1 bypass-dhcp" - state: absent - when: not openvpn_config.force_redirect_gateway - -- name: Enable VPN compression. 
- ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: comp-lzo - create: true - when: openvpn_config.compress - -- name: Set no client cert required. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: verify-client-cert none - create: true - when: openvpn_config.no_client_cert - -- name: Alter VPN IP range. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "server " - line: "{{ openvpn_config.server_ip_range }}" - -# Handle LDAP configuration -- name: Place LDAP CA cert. - ansible.builtin.copy: - src: "{{ openvpn_config.ldap.tls_cert_local }}" - dest: "{{ openvpn_config.ldap.tls_cert }}" - owner: root - group: root - mode: "0644" - when: - - openvpn_config.ldap.tls_cert_local - - openvpn_config.ldap.install - -- name: Install OpenVPN LDAP auth package. - ansible.builtin.package: - name: openvpn-auth-ldap - state: present - when: openvpn_config.ldap.install - -- name: Ensure LDAP config directory exists. - ansible.builtin.file: - path: "{{ openvpn_config.configuration_directory }}/auth" - state: directory - mode: "0755" - when: openvpn_config.ldap.install - -- name: Place auth-ldap.conf file. - ansible.builtin.template: - src: auth-ldap.conf.j2 - dest: "{{ openvpn_config.configuration_directory }}/auth/auth-ldap.conf" - owner: root - group: root - mode: "0644" - when: openvpn_config.ldap.install - -- name: Enable LDAP config. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "plugin /usr/lib/openvpn/openvpn-auth-ldap.so {{ openvpn_config.configuration_directory }}/auth/auth-ldap.conf" - create: true - when: openvpn_config.ldap.install - -# Handle PAM config -- name: Place openvpn PAM config. 
- ansible.builtin.template: - src: openvpn.j2 - dest: /etc/pam.d/openvpn - owner: root - group: root - mode: "0644" - when: openvpn_config.pam.install - -- name: Enable PAM config. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" - create: true - when: openvpn_config.pam.install - -# Handle extra directives -- name: Create custom directives. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "{{ item }}" - create: true - loop: "{{ openvpn_config.custom_directives }}" - when: openvpn_config.custom_directives - -# @TODO this should be a handler if we change the LDAP config rather than a task -- name: Restart OpenVPN. - ansible.builtin.systemd: - name: "{{ openvpn_config.service }}" - state: restarted - daemon_reload: true diff --git a/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 b/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 deleted file mode 100644 index bb3614af3..000000000 --- a/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -{{ ansible_managed | comment }} - - - # LDAP server URL - URL {{ openvpn_config.ldap.url }} - -{% if openvpn_config.ldap.tls %} - # Enable Start TLS - TLSEnable yes - # TLS CA Certificate File - TLSCACertFile {{ openvpn_config.ldap.tls_cert }} -{% else %} - # Enable Start TLS - TLSEnable no -{% endif %} - - # Network timeout (in seconds) - Timeout {{ openvpn_config.ldap.timeout }} - - - - # Base DN - BaseDN "{{ openvpn_config.ldap.basedn }}" - - # User Search Filter - SearchFilter "{{ openvpn_config.ldap.search_filter }}" - - # Require Group Membership - RequireGroup {{ openvpn_config.ldap.require_group }} - - - #RFC2307bis false - BaseDN "{{ openvpn_config.ldap.group_basedn }}" - SearchFilter "{{ openvpn_config.ldap.group_filter }}" - MemberAttribute memberUid - # Add group members to a PF table (disabled) - #PFTable ips_vpn_eng - - diff --git a/roles/debian/openvpn_config/templates/openvpn.j2 b/roles/debian/openvpn_config/templates/openvpn.j2 deleted file mode 100644 index 97a46ddd3..000000000 --- a/roles/debian/openvpn_config/templates/openvpn.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{{ ansible_managed | comment }} - -{{ openvpn_config.pam.pam_config }} diff --git a/roles/debian/openvpn_config/templates/vars.j2 b/roles/debian/openvpn_config/templates/vars.j2 deleted file mode 100644 index d19baead5..000000000 --- a/roles/debian/openvpn_config/templates/vars.j2 +++ /dev/null 
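Review bot: removing roles/debian/openvpn_config (README, defaults, tasks and the three templates) should be paired with removal of its documentation; the series keeps a `docs/roles/debian/<role>.md` page and a `docs/_Sidebar.md` entry per role (commit 037 adds both for `swap`), and no such deletion appears in this patch, so check for a dangling openvpn_config doc page and sidebar link. A one-line migration hint in the new openvpn README would also help anyone still carrying `openvpn_config` variables, since `verify-client-cert none`, `comp-lzo` and the `openvpn-auth-ldap` plugin have no equivalent in the replacement role.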
@@ -1,222 +0,0 @@ -{{ ansible_managed | comment }} - -# Easy-RSA 3 parameter settings - -# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit -# this file in place -- instead, you should copy the entire easy-rsa directory -# to another location so future upgrades don't wipe out your changes. - -# HOW TO USE THIS FILE -# -# vars.example contains built-in examples to Easy-RSA settings. You MUST name -# this file 'vars' if you want it to be used as a configuration file. If you do -# not, it WILL NOT be automatically read when you call easyrsa commands. -# -# It is not necessary to use this config file unless you wish to change -# operational defaults. These defaults should be fine for many uses without the -# need to copy and edit the 'vars' file. -# -# All of the editable settings are shown commented and start with the command -# 'set_var' -- this means any set_var command that is uncommented has been -# modified by the user. If you're happy with a default, there is no need to -# define the value to its default. - -# NOTES FOR WINDOWS USERS -# -# Paths for Windows *MUST* use forward slashes, or optionally double-escaped -# backslashes (single forward slashes are recommended.) This means your path to -# the openssl binary might look like this: -# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" - -# A little housekeeping: DON'T EDIT THIS SECTION -# -# Easy-RSA 3.x doesn't source into the environment directly. -# Complain if a user tries to do this: -if [ -z "$EASYRSA_CALLER" ]; then - echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2 - echo "This is no longer necessary and is disallowed. See the section called" >&2 - echo "'How to use this file' near the top comments for more details." >&2 - return 1 -fi - -# DO YOUR EDITS BELOW THIS POINT - -# This variable is used as the base location of configuration files needed by -# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF) -# may override this default. 
-# -# The default value of this variable is the location of the easyrsa script -# itself, which is also where the configuration files are located in the -# easy-rsa tree. - -#set_var EASYRSA "${0%/*}" - -# If your OpenSSL command is not in the system PATH, you will need to define the -# path to it here. Normally this means a full path to the executable, otherwise -# you could have left it undefined here and the shown default would be used. -# -# Windows users, remember to use paths with forward-slashes (or escaped -# back-slashes.) Windows users should declare the full path to the openssl -# binary here if it is not in their system PATH. - -#set_var EASYRSA_OPENSSL "openssl" -# -# This sample is in Windows syntax -- edit it for your path if not using PATH: -#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" - -# Edit this variable to point to your soon-to-be-created key directory. By -# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the -# directory you are currently in). -# -# WARNING: init-pki will do a rm -rf on this directory so make sure you define -# it correctly! (Interactive mode will prompt before acting.) - -#set_var EASYRSA_PKI "$PWD/pki" - -# Define directory for temporary subdirectories. - -#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" - -# Define X509 DN mode. -# This is used to adjust what elements are included in the Subject field as the DN -# (this is the "Distinguished Name.") -# Note that in cn_only mode the Organizational fields further below aren't used. -# -# Choices are: -# cn_only - use just a CN value -# org - use the "traditional" Country/Province/City/Org/OU/email/CN format - -set_var EASYRSA_DN "{{ openvpn_config.certs.dn_mode }}" - -# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.) -# These are the default values for fields which will be placed in the -# certificate. 
Don't leave any of these fields blank, although interactively -# you may omit any specific field by typing the "." symbol (not valid for -# email.) - -set_var EASYRSA_REQ_COUNTRY "{{ openvpn_config.certs.country }}" -set_var EASYRSA_REQ_PROVINCE "{{ openvpn_config.certs.province }}" -set_var EASYRSA_REQ_CITY "{{ openvpn_config.certs.city }}" -set_var EASYRSA_REQ_ORG "{{ openvpn_config.certs.org }}" -set_var EASYRSA_REQ_EMAIL "{{ openvpn_config.certs.email }}" -set_var EASYRSA_REQ_OU "{{ openvpn_config.certs.org_unit }}" - -# Choose a size in bits for your keypairs. The recommended value is 2048. Using -# 2048-bit keys is considered more than sufficient for many years into the -# future. Larger keysizes will slow down TLS negotiation and make key/DH param -# generation take much longer. Values up to 4096 should be accepted by most -# software. Only used when the crypto alg is rsa (see below.) - -#set_var EASYRSA_KEY_SIZE 2048 - -# The default crypto mode is rsa; ec can enable elliptic curve support. -# Note that not all software supports ECC, so use care when enabling it. -# Choices for crypto alg are: (each in lower-case) -# * rsa -# * ec -# * ed - -#set_var EASYRSA_ALGO rsa - -# Define the named curve, used in ec & ed modes: - -#set_var EASYRSA_CURVE secp384r1 - -# In how many days should the root CA key expire? - -#set_var EASYRSA_CA_EXPIRE 3650 - -# In how many days should certificates expire? - -#set_var EASYRSA_CERT_EXPIRE 825 - -# How many days until the next CRL publish date? Note that the CRL can still be -# parsed after this timeframe passes. It is only used for an expected next -# publication date. -#set_var EASYRSA_CRL_DAYS 180 - -# How many days before its expiration date a certificate is allowed to be -# renewed? -#set_var EASYRSA_CERT_RENEW 30 - -# Random serial numbers by default, set to no for the old incremental serial numbers -# -#set_var EASYRSA_RAND_SN "yes" - -# Support deprecated "Netscape" extensions? (choices "yes" or "no".) 
The default -# is "no" to discourage use of deprecated extensions. If you require this -# feature to use with --ns-cert-type, set this to "yes" here. This support -# should be replaced with the more modern --remote-cert-tls feature. If you do -# not use --ns-cert-type in your configs, it is safe (and recommended) to leave -# this defined to "no". When set to "yes", server-signed certs get the -# nsCertType=server attribute, and also get any NS_COMMENT defined below in the -# nsComment field. - -#set_var EASYRSA_NS_SUPPORT "no" - -# When NS_SUPPORT is set to "yes", this field is added as the nsComment field. -# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored. - -#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" - -# A temp file used to stage cert extensions during signing. The default should -# be fine for most users; however, some users might want an alternative under a -# RAM-based FS, such as /dev/shm or /tmp on some systems. - -#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" - -# !! -# NOTE: ADVANCED OPTIONS BELOW THIS POINT -# PLAY WITH THEM AT YOUR OWN RISK -# !! - -# Broken shell command aliases: If you have a largely broken shell that is -# missing any of these POSIX-required commands used by Easy-RSA, you will need -# to define an alias to the proper path for the command. The symptom will be -# some form of a 'command not found' error from your shell. This means your -# shell is BROKEN, but you can hack around it here if you really need. These -# shown values are not defaults: it is up to you to know what you're doing if -# you touch these. -# -#alias awk="/alt/bin/awk" -#alias cat="/alt/bin/cat" - -# X509 extensions directory: -# If you want to customize the X509 extensions used, set the directory to look -# for extensions here. Each cert type you sign must have a matching filename, -# and an optional file named 'COMMON' is included first when present. 
Note that -# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then -# fallback to $EASYRSA for the 'x509-types' dir. You may override this -# detection with an explicit dir here. -# -#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" - -# If you want to generate KDC certificates, you need to set the realm here. -#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" - -# OpenSSL config file: -# If you need to use a specific openssl config file, you can reference it here. -# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the -# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA -# specific and you cannot just use a standard config file, so this is an -# advanced feature. - -#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" - -# Default CN: -# This is best left alone. Interactively you will set this manually, and BATCH -# callers are expected to set this themselves. - -set_var EASYRSA_REQ_CN "{{ openvpn_config.certs.cn }}" - -# Cryptographic digest to use. -# Do not change this default unless you understand the security implications. -# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 - -#set_var EASYRSA_DIGEST "sha256" - -# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly -# in batch mode without any user input, confirmation on dangerous operations, -# or most output. Setting this to any non-blank string enables batch mode. - -#set_var EASYRSA_BATCH "" diff --git a/roles/debian/php-fpm/tasks/main.yml b/roles/debian/php-fpm/tasks/main.yml index 4858bbb55..e965e8458 100644 --- a/roles/debian/php-fpm/tasks/main.yml +++ b/roles/debian/php-fpm/tasks/main.yml @@ -16,7 +16,6 @@ loop_control: loop_var: version - - name: Copy default pool configuration for a single, fixed port PHP version. ansible.builtin.template: dest: "/etc/php/{{ php.version[0] }}/fpm/pool.d/www.conf" From 637455d3ae6fb1f75c7695e1e2c2a3bf78f85cb8 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Fri, 5 Jan 2024 17:42:55 +0100 Subject: [PATCH 035/331] Supporting a fixed PHP version with a fixed port number. (#1307) * Supporting a fixed PHP version with a fixed port number. * Accidentally re-added the old VPN role - re-deleting! --- roles/debian/php-fpm/templates/www.conf.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/debian/php-fpm/templates/www.conf.j2 b/roles/debian/php-fpm/templates/www.conf.j2 index 26e5b4ac1..fb10d2865 100755 --- a/roles/debian/php-fpm/templates/www.conf.j2 +++ b/roles/debian/php-fpm/templates/www.conf.j2 @@ -1,7 +1,6 @@ [www] user = {{ php.fpm.pool_user }} group = {{ php.fpm.pool_group }} -listen = 127.0.0.1:90{{ version | replace('.','') }} listen = {% if php.fpm.unix_socket %}'/var/run/php{{ version | replace('.','') }}-fpm.sock'{% else %}127.0.0.1:90{{ version | replace('.','') }}{% endif %} listen.owner = {{ php.fpm.pool_user }} From 2abeba72dab87689d0a71af349ed238da26d6ae1 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 9 Jan 2024 19:32:17 +0100 Subject: [PATCH 036/331] Bug fixes 2.x pr 2.x (#1350) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. --- roles/debian/gitlab_runner/tasks/main.yml | 25 +++++++++++-------- .../gitlab_runner/templates/fargate.toml.j2 | 2 +- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml index 2601d8e4f..37a30227a 100644 --- a/roles/debian/gitlab_runner/tasks/main.yml +++ b/roles/debian/gitlab_runner/tasks/main.yml 
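Review bot: www.conf.j2 is tracked as mode 100755 (the `index 26e5b4ac1..fb10d2865 100755` line); a Jinja template has no need of the executable bit, so clear it with `git update-index --chmod=-x` while this file is being touched. Dropping the unconditional `listen = 127.0.0.1:90...` line is correct: it duplicated the `listen` set by the `unix_socket` conditional that follows, so the pool had two `listen` directives and which one applied depended on parser order rather than configuration.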
@@ -35,18 +35,21 @@ # gitlab-runner register --url https://gitlab.com/ --registration-token TOKEN_HERE --name fargate-test-runner --run-untagged --executor custom -n # This will automatically update /etc/gitlab-runner/config.toml +# @TODO this needs rethinking, we cannot delegate include_role! +# Replace security_group in template with _aws_security_group_list[0] when resolved + # Populates the _aws_security_group_list variable used in fargate.toml.j2 -- name: Generate security group information. - ansible.builtin.include_role: - name: aws/aws_security_groups - vars: - profile: "{{ aws_elasticache.aws_profile }}" - region: "{{ aws_elasticache.region }}" - group_names: - - "{{ gitlab_runner.fargate.security_group }}" - return_type: ids - when: gitlab_runner.install_fargate - delegate_to: localhost +#- name: Generate security group information. +# ansible.builtin.include_role: +# name: aws/aws_security_groups +# vars: +# profile: "{{ gitlab_runner.fargate.region }}" +# region: "{{ gitlab_runner.fargate.region }}" +# group_names: +# - "{{ gitlab_runner.fargate.security_group }}" +# return_type: ids +# when: gitlab_runner.install_fargate +# delegate_to: localhost - name: Create the Fargate driver directory if it does not exist. ansible.builtin.file: diff --git a/roles/debian/gitlab_runner/templates/fargate.toml.j2 b/roles/debian/gitlab_runner/templates/fargate.toml.j2 index 6af78fc5a..c32c3633a 100644 --- a/roles/debian/gitlab_runner/templates/fargate.toml.j2 +++ b/roles/debian/gitlab_runner/templates/fargate.toml.j2 
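Review bot: the commented-out replacement task in the gitlab_runner hunk carries a copy/paste error, `#   profile: "{{ gitlab_runner.fargate.region }}"`, so if it is uncommented as written the security group lookup runs under a region string passed as the AWS profile name; point it at a profile variable before reinstating it. The new `@TODO` also states that `include_role` cannot be delegated, but it can: place `delegate_to` under the task's `apply:` keyword instead of on the task itself, which would let this block stay live rather than falling back to the unresolved name in the template.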
@@ -5,7 +5,7 @@ LogFormat = "text" Cluster = "{{ gitlab_runner.fargate.cluster }}" Region = "{{ gitlab_runner.fargate.region }}" Subnet = "{{ gitlab_runner.fargate.subnet }}" - SecurityGroup = "{{ _aws_security_group_list[0] }}" + SecurityGroup = "{{ gitlab_runner.fargate.security_group }}" TaskDefinition = "{{ gitlab_runner.fargate.task_definition }}" EnablePublicIP = {{ gitlab_runner.fargate.public_ip }} PlatformVersion = "{{ gitlab_runner.fargate.version }}" From 7f08721c19c49aebbb5b1ef0fb083d4afcc782cc Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 10 Jan 2024 13:14:46 +0100 Subject: [PATCH 037/331] Adding Drazen's 'swap' role to 2.x. (#1344) * Adding Drazen's 'swap' role to 2.x. * Re-deleting openvpn_config. * Re-removing php-fpm lines. * Defaults variable names incorrect. --- docs/_Sidebar.md | 1 + docs/roles/debian/swap.md | 19 +++++++++++++ roles/debian/swap/README.md | 19 +++++++++++++ roles/debian/swap/defaults/main.yml | 5 ++++ roles/debian/swap/tasks/main.yml | 44 +++++++++++++++++++++++++++++ 5 files changed, 88 insertions(+) create mode 100644 docs/roles/debian/swap.md create mode 100644 roles/debian/swap/README.md create mode 100644 roles/debian/swap/defaults/main.yml create mode 100644 roles/debian/swap/tasks/main.yml diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index d025e418c..aa59208c8 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -76,6 +76,7 @@ - [SSHD](/roles/debian/ssh_server) - [SSL](/roles/debian/ssl) - [sudo config](/roles/debian/sudo_config) + - [General swap role to add swap space](/roles/debian/swap) - [varnish-config](/roles/debian/varnish_config) - [wazuh](/roles/debian/wazuh) - [Init role](/roles/_init) diff --git a/docs/roles/debian/swap.md b/docs/roles/debian/swap.md new file mode 100644 index 000000000..8bfeaa59c --- /dev/null +++ b/docs/roles/debian/swap.md 
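Review bot: the fargate.toml.j2 hunk swaps the resolved id `_aws_security_group_list[0]` (the lookup it replaced ran with `return_type: ids`) for `gitlab_runner.fargate.security_group`, which the role's defaults document as an SG name; the driver is therefore now handed a name where an id was being supplied. Either resolve the name to an id before templating or change the default to accept an id and document it as one.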
@@ -0,0 +1,19 @@ +# General swap role to add swap space + +By default, role is set to add 2G of swap space. + + + + + +## Default variables +```yaml +--- +swap: + count: 2048 + size: "2G" + swap_space: swapfile + +``` + + diff --git a/roles/debian/swap/README.md b/roles/debian/swap/README.md new file mode 100644 index 000000000..8bfeaa59c --- /dev/null +++ b/roles/debian/swap/README.md @@ -0,0 +1,19 @@ +# General swap role to add swap space + +By default, role is set to add 2G of swap space. + + + + + +## Default variables +```yaml +--- +swap: + count: 2048 + size: "2G" + swap_space: swapfile + +``` + + diff --git a/roles/debian/swap/defaults/main.yml b/roles/debian/swap/defaults/main.yml new file mode 100644 index 000000000..61873e331 --- /dev/null +++ b/roles/debian/swap/defaults/main.yml @@ -0,0 +1,5 @@ +--- +swap: + count: 2048 + size: "2G" + swap_space: swapfile diff --git a/roles/debian/swap/tasks/main.yml b/roles/debian/swap/tasks/main.yml new file mode 100644 index 000000000..ea1244d13 --- /dev/null +++ b/roles/debian/swap/tasks/main.yml 
@@ -0,0 +1,44 @@ +--- +- name: Set swap_file variable. + ansible.builtin.set_fact: + swap_file: "/{{ swap.swap_space }}.swap" + +- name: Check if swap file exists. + ansible.builtin.stat: + path: "{{ swap_file }}" + register: swap_file_check + +- name: Create swap file. + ansible.builtin.command: + cmd: fallocate -l {{ swap.size }} {{ swap_file }} + when: not swap_file_check.stat.exists + +- name: Create swap space. + ansible.builtin.command: + cmd: dd if=/dev/zero of={{ swap_file }} bs=1M count={{ swap.count }} + when: not swap_file_check.stat.exists + +- name: Set permissions on swap file. + ansible.builtin.file: + path: "{{ swap_file }}" + mode: 0600 + +- name: Format swap file. + ansible.builtin.command: + cmd: mkswap {{ swap_file }} + when: not swap_file_check.stat.exists + +- name: Add to fstab. + ansible.builtin.lineinfile: + path: '/etc/fstab' + regexp: '^{{ swap_file }}' + line: "{{ swap_file }} none swap sw 0 0" + +- name: Turn on swap. + ansible.builtin.command: + cmd: swapon -a + +- name: Set swapiness. + ansible.posix.sysctl: + name: vm.swappiness + value: "1" From f44fb62965716b8c99d372eb92336b2c0c5590d1 Mon Sep 17 00:00:00 2001 
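Review bot: swap/tasks/main.yml creates the swap file twice: `fallocate -l {{ swap.size }}` allocates it and the following `dd ... count={{ swap.count }}` overwrites the same path, so one task is redundant and the two independent settings (`size: "2G"`, `count: 2048`) have to be kept in agreement by hand. Keep the `dd` task, since `dd` from `/dev/zero` is the portable way to build a swap file and preallocated files are rejected as having holes on some filesystems, drop `fallocate`, and derive the size from a single variable. Applying `mode: 0600` before `mkswap` and `swapon` is the right order, as the file will hold pages of process memory once active; add `changed_when: false` to the `swapon -a` task, which silently skips already-active swap, so the play reports correctly on re-runs.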
From: Greg Harvey Date: Wed, 10 Jan 2024 13:46:48 +0100 Subject: [PATCH 038/331] Bug fixes 2.x pr 2.x (#1352) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. --- docs/roles/debian/ansible.md | 3 ++- docs/roles/debian/ce_deploy.md | 1 + docs/roles/debian/ce_provision.md | 1 + docs/roles/debian/gitlab_runner.md | 1 + roles/debian/ansible/README.md | 3 ++- roles/debian/ansible/defaults/main.yml | 3 ++- roles/debian/ansible/tasks/main.yml | 7 ++--- roles/debian/ce_deploy/README.md | 1 + roles/debian/ce_deploy/defaults/main.yml | 1 + roles/debian/ce_deploy/tasks/main.yml | 1 + roles/debian/ce_provision/README.md | 1 + roles/debian/ce_provision/defaults/main.yml | 1 + roles/debian/ce_provision/tasks/main.yml | 1 + roles/debian/gitlab_runner/README.md | 1 + roles/debian/gitlab_runner/defaults/main.yml | 1 + roles/debian/gitlab_runner/tasks/main.yml | 26 +++++++++---------- .../gitlab_runner/templates/fargate.toml.j2 | 2 +- 17 files changed, 34 insertions(+), 21 deletions(-) diff --git a/docs/roles/debian/ansible.md b/docs/roles/debian/ansible.md index 7e0015fd9..b7dfe0dbc 100644 --- a/docs/roles/debian/ansible.md +++ b/docs/roles/debian/ansible.md 
@@ -11,9 +11,10 @@ Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` ```yaml --- ce_ansible: - # These are usually set within another role using _venv_path and _venv_command but can be overridden. + # These are usually set within another role using _venv_path, _venv_command and _install_username but can be overridden. #venv_path: "/home/{{ ce_provision.username }}/ansible" #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv upgrade: enabled: true # create systemd timer to auto-upgrade Ansible command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md index 66d7402b2..d020663ab 100644 --- a/docs/roles/debian/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md @@ -14,6 +14,7 @@ ce_deploy: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_deploy.username }}/ansible" venv_command: /usr/bin/python3 -m venv + install_username: "{{ _ce_deploy.username }}" # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md index 741ca5a6c..e8f83ea13 100644 --- a/docs/roles/debian/ce_provision.md +++ b/docs/roles/debian/ce_provision.md @@ -15,6 +15,7 @@ ce_provision: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_provision.username }}/ansible" venv_command: /usr/bin/python3 -m venv + install_username: "{{ _ce_provision.username }}" # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user 
diff --git a/docs/roles/debian/gitlab_runner.md b/docs/roles/debian/gitlab_runner.md index 52554ced5..10829036f 100644 --- a/docs/roles/debian/gitlab_runner.md +++ b/docs/roles/debian/gitlab_runner.md @@ -48,6 +48,7 @@ gitlab_runner: # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs fargate: cluster: "my-cluster" # ECS cluster name + profile: "{{ _aws_profile }}" region: "eu-west-1" # AWS region name subnet: "subnet-abcdef123456" # subnet ID security_group: "my-security-group" # SG name diff --git a/roles/debian/ansible/README.md b/roles/debian/ansible/README.md index 7e0015fd9..b7dfe0dbc 100644 --- a/roles/debian/ansible/README.md +++ b/roles/debian/ansible/README.md @@ -11,9 +11,10 @@ Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` ```yaml --- ce_ansible: - # These are usually set within another role using _venv_path and _venv_command but can be overridden. + # These are usually set within another role using _venv_path, _venv_command and _install_username but can be overridden. #venv_path: "/home/{{ ce_provision.username }}/ansible" #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv upgrade: enabled: true # create systemd timer to auto-upgrade Ansible command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too diff --git a/roles/debian/ansible/defaults/main.yml b/roles/debian/ansible/defaults/main.yml index 746251010..f58a026b0 100644 --- a/roles/debian/ansible/defaults/main.yml +++ b/roles/debian/ansible/defaults/main.yml 
@@ -1,8 +1,9 @@ --- ce_ansible: - # These are usually set within another role using _venv_path and _venv_command but can be overridden. + # These are usually set within another role using _venv_path, _venv_command and _install_username but can be overridden. #venv_path: "/home/{{ ce_provision.username }}/ansible" #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv upgrade: enabled: true # create systemd timer to auto-upgrade Ansible command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index 722690a64..4aac433a9 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml @@ -10,6 +10,7 @@ state: absent executable: pip3 when: ansible_distribution_major_version | int < 12 + failed_when: false # don't stop the build if there's no system pip - name: Set up Python packages. ansible.builtin.include_role: @@ -23,7 +24,7 @@ virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" become: true - become_user: "{{ ce_provision.username }}" + become_user: "{{ ce_ansible.install_username | default(_install_username) }}" - name: Install Ansible. ansible.builtin.pip: @@ -32,7 +33,7 @@ virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" become: true - become_user: "{{ ce_provision.username }}" + become_user: "{{ ce_ansible.install_username | default(_install_username) }}" - name: Install linters. ansible.builtin.pip: 
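Review bot: `failed_when: false` on the pip removal task in roles/debian/ansible/tasks/main.yml silences every failure, not only the missing-`pip3` case the comment describes, so a permissions problem or a broken pip is hidden while the rest of the play proceeds as if the global Ansible install had been removed. Guard the task on the presence of `pip3` instead (a `stat` or `command: which pip3` registered beforehand), or keep `failed_when` but condition it on the specific "not found" error.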
@@ -43,7 +44,7 @@ virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" when: ce_ansible.linters.enabled become: true - become_user: "{{ ce_provision.username }}" + become_user: "{{ ce_ansible.install_username | default(_install_username) }}" - name: Add the venv to $PATH using profile.d. ansible.builtin.copy: diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md index 66d7402b2..d020663ab 100644 --- a/roles/debian/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md @@ -14,6 +14,7 @@ ce_deploy: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_deploy.username }}/ansible" venv_command: /usr/bin/python3 -m venv + install_username: "{{ _ce_deploy.username }}" # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index 92fefc0ed..52bd86415 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -6,6 +6,7 @@ ce_deploy: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_deploy.username }}/ansible" venv_command: /usr/bin/python3 -m venv + install_username: "{{ _ce_deploy.username }}" # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index 723ef9f57..a9d607723 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml 
@@ -132,6 +132,7 @@ ansible.builtin.set_fact: _venv_path: "{{ ce_deploy.venv_path }}" _venv_command: "{{ ce_deploy.venv_command }}" + _install_username: "{{ ce_deploy.install_username }}" - name: Install Ansible. ansible.builtin.include_role: diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md index 741ca5a6c..e8f83ea13 100644 --- a/roles/debian/ce_provision/README.md +++ b/roles/debian/ce_provision/README.md @@ -15,6 +15,7 @@ ce_provision: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_provision.username }}/ansible" venv_command: /usr/bin/python3 -m venv + install_username: "{{ _ce_provision.username }}" # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index f69f7c939..4c266e3e0 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml @@ -7,6 +7,7 @@ ce_provision: # Location of Ansible installation and components. venv_path: "/home/{{ _ce_provision.username }}/ansible" venv_command: /usr/bin/python3 -m venv + install_username: "{{ _ce_provision.username }}" # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index 36b38bc8b..ca59d5928 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml @@ -140,6 +140,7 @@ ansible.builtin.set_fact: _venv_path: "{{ ce_provision.venv_path }}" _venv_command: "{{ ce_provision.venv_command }}" + _install_username: "{{ ce_provision.install_username }}" - name: Install Ansible. ansible.builtin.include_role: 
diff --git a/roles/debian/gitlab_runner/README.md b/roles/debian/gitlab_runner/README.md index 52554ced5..10829036f 100644 --- a/roles/debian/gitlab_runner/README.md +++ b/roles/debian/gitlab_runner/README.md @@ -48,6 +48,7 @@ gitlab_runner: # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs fargate: cluster: "my-cluster" # ECS cluster name + profile: "{{ _aws_profile }}" region: "eu-west-1" # AWS region name subnet: "subnet-abcdef123456" # subnet ID security_group: "my-security-group" # SG name diff --git a/roles/debian/gitlab_runner/defaults/main.yml b/roles/debian/gitlab_runner/defaults/main.yml index 845371447..ba1c1d48e 100644 --- a/roles/debian/gitlab_runner/defaults/main.yml +++ b/roles/debian/gitlab_runner/defaults/main.yml @@ -36,6 +36,7 @@ gitlab_runner: # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs fargate: cluster: "my-cluster" # ECS cluster name + profile: "{{ _aws_profile }}" region: "eu-west-1" # AWS region name subnet: "subnet-abcdef123456" # subnet ID security_group: "my-security-group" # SG name diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml index 37a30227a..685b0bfc2 100644 --- a/roles/debian/gitlab_runner/tasks/main.yml +++ b/roles/debian/gitlab_runner/tasks/main.yml 
@@ -35,21 +35,19 @@ # gitlab-runner register --url https://gitlab.com/ --registration-token TOKEN_HERE --name fargate-test-runner --run-untagged --executor custom -n # This will automatically update /etc/gitlab-runner/config.toml -# @TODO this needs rethinking, we cannot delegate include_role! -# Replace security_group in template with _aws_security_group_list[0] when resolved - # Populates the _aws_security_group_list variable used in fargate.toml.j2 -#- name: Generate security group information. -# ansible.builtin.include_role: -# name: aws/aws_security_groups -# vars: -# profile: "{{ gitlab_runner.fargate.region }}" -# region: "{{ gitlab_runner.fargate.region }}" -# group_names: -# - "{{ gitlab_runner.fargate.security_group }}" -# return_type: ids -# when: gitlab_runner.install_fargate -# delegate_to: localhost +- name: Generate security group information. + ansible.builtin.include_role: + name: aws/aws_security_groups + apply: + delegate_to: localhost # this is how you delegate the include_role module + vars: + profile: "{{ gitlab_runner.fargate.profile }}" + region: "{{ gitlab_runner.fargate.region }}" + group_names: + - "{{ gitlab_runner.fargate.security_group }}" + return_type: ids + when: gitlab_runner.install_fargate - name: Create the Fargate driver directory if it does not exist. ansible.builtin.file: diff --git a/roles/debian/gitlab_runner/templates/fargate.toml.j2 b/roles/debian/gitlab_runner/templates/fargate.toml.j2 index c32c3633a..6af78fc5a 100644 --- a/roles/debian/gitlab_runner/templates/fargate.toml.j2 +++ b/roles/debian/gitlab_runner/templates/fargate.toml.j2 
@@ -5,7 +5,7 @@ LogFormat = "text" Cluster = "{{ gitlab_runner.fargate.cluster }}" Region = "{{ gitlab_runner.fargate.region }}" Subnet = "{{ gitlab_runner.fargate.subnet }}" - SecurityGroup = "{{ gitlab_runner.fargate.security_group }}" + SecurityGroup = "{{ _aws_security_group_list[0] }}" TaskDefinition = "{{ gitlab_runner.fargate.task_definition }}" EnablePublicIP = {{ gitlab_runner.fargate.public_ip }} PlatformVersion = "{{ gitlab_runner.fargate.version }}" From 35c12700bd7c1699774e31bc94e38457624b6547 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 10 Jan 2024 18:02:12 +0100 Subject: [PATCH 039/331] Bug fixes 2.x pr 2.x (#1357) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. --- docs/roles/debian/python_boto.md | 2 ++ roles/debian/python_boto/README.md | 2 ++ roles/debian/python_boto/defaults/main.yml | 3 ++- roles/debian/python_boto/tasks/main.yml | 2 +- 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/roles/debian/python_boto.md b/docs/roles/debian/python_boto.md index ee3e99a52..268af9614 100644 --- a/docs/roles/debian/python_boto.md +++ b/docs/roles/debian/python_boto.md 
@@ -12,6 +12,8 @@ python_boto: # These are usually set within another role using _venv_path and _venv_command but can be overridden. #venv_path: /path/to/venv #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv + ``` diff --git a/roles/debian/python_boto/README.md b/roles/debian/python_boto/README.md index ee3e99a52..268af9614 100644 --- a/roles/debian/python_boto/README.md +++ b/roles/debian/python_boto/README.md @@ -12,6 +12,8 @@ python_boto: # These are usually set within another role using _venv_path and _venv_command but can be overridden. #venv_path: /path/to/venv #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv + ``` diff --git a/roles/debian/python_boto/defaults/main.yml b/roles/debian/python_boto/defaults/main.yml index 489e33ef6..69daa3a62 100644 --- a/roles/debian/python_boto/defaults/main.yml +++ b/roles/debian/python_boto/defaults/main.yml @@ -2,4 +2,5 @@ python_boto: boto3_version: "" # version string, e.g. "1.22.13" - empty string means latest # These are usually set within another role using _venv_path and _venv_command but can be overridden. #venv_path: /path/to/venv - #venv_command: /usr/bin/python3.11 -m venv \ No newline at end of file + #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv diff --git a/roles/debian/python_boto/tasks/main.yml b/roles/debian/python_boto/tasks/main.yml index 8b989f63c..c89cc37e6 100644 --- a/roles/debian/python_boto/tasks/main.yml +++ b/roles/debian/python_boto/tasks/main.yml @@ -15,4 +15,4 @@ virtualenv: "{{ python_boto.venv_path | default(_venv_path) }}" virtualenv_command: "{{ python_boto.venv_command | default(_venv_command) }}" become: true - become_user: "{{ ce_provision.username }}" + become_user: "{{ python_boto.install_username | default(_install_username) }}" From 4743f88b043a3df8c6a7d7e86c3d6a031f4404e0 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Thu, 11 Jan 2024 14:25:35 +0100 Subject: [PATCH 040/331] Bug fixes 2.x pr 2.x (#1359) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. --- .../aws_ec2_autoscale_cluster/tasks/main.yml | 18 ++++++++++-------- roles/aws/aws_ec2_with_eip/tasks/main.yml | 9 +++++---- roles/aws/aws_efs/tasks/main.yml | 9 +++++---- roles/aws/aws_elasticache/tasks/main.yml | 9 +++++---- roles/aws/aws_elb/tasks/main.yml | 9 +++++---- roles/aws/aws_opensearch/tasks/main.yml | 9 +++++---- roles/aws/aws_rds/tasks/main.yml | 9 +++++---- roles/debian/ansible/tasks/main.yml | 11 ++++++++--- roles/debian/gitlab_runner/tasks/main.yml | 11 ++++++----- scripts/_common.sh | 10 ++++++---- 10 files changed, 60 insertions(+), 44 deletions(-) diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index 70597d699..611ba383c 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml 
@@ -379,10 +379,11 @@ ansible.builtin.include_role: name: aws/aws_security_groups vars: - profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" - region: "{{ aws_ec2_autoscale_cluster.region }}" - group_names: "{{ aws_ec2_autoscale_cluster.alb_security_groups }}" - return_type: ids + aws_security_groups: + profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" + region: "{{ aws_ec2_autoscale_cluster.region }}" + group_names: "{{ aws_ec2_autoscale_cluster.alb_security_groups }}" + return_type: ids when: - aws_ec2_autoscale_cluster.alb_security_groups | length > 0 - aws_ec2_autoscale_cluster.create_elb @@ -425,10 +426,11 @@ ansible.builtin.include_role: name: aws/aws_security_groups vars: - profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" - region: "{{ aws_ec2_autoscale_cluster.region }}" - group_names: "{{ aws_ec2_autoscale_cluster.cluster_security_groups }}" - return_type: ids + aws_security_groups: + profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" + region: "{{ aws_ec2_autoscale_cluster.region }}" + group_names: "{{ aws_ec2_autoscale_cluster.cluster_security_groups }}" + return_type: ids when: - aws_ec2_autoscale_cluster.cluster_security_groups | length > 0 - aws_ec2_autoscale_cluster.asg_refresh diff --git a/roles/aws/aws_ec2_with_eip/tasks/main.yml b/roles/aws/aws_ec2_with_eip/tasks/main.yml index 06aaec917..fea2c4ecb 100644 --- a/roles/aws/aws_ec2_with_eip/tasks/main.yml +++ b/roles/aws/aws_ec2_with_eip/tasks/main.yml 
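Review bot: in both aws_ec2_autoscale_cluster hunks (and the same pattern in the aws_ec2_with_eip, aws_efs, aws_elasticache, aws_elb, aws_opensearch and aws_rds hunks that follow) the caller now passes a whole `aws_security_groups:` dict via `vars:`; Ansible replaces dict variables rather than merging them, so this supersedes the role's defaults for `aws_security_groups` entirely and any key the role reads but the caller omits becomes undefined. Make sure the four keys shown (`profile`, `region`, `group_names`, `return_type`) are the complete set the role consumes, or document in the role that callers must supply every key.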
@@ -95,10 +95,11 @@ ansible.builtin.include_role: name: aws/aws_security_groups vars: - profile: "{{ aws_ec2_with_eip.aws_profile }}" - region: "{{ aws_ec2_with_eip.region }}" - group_names: "{{ aws_ec2_with_eip.security_groups }}" - return_type: ids + aws_security_groups: + profile: "{{ aws_ec2_with_eip.aws_profile }}" + region: "{{ aws_ec2_with_eip.region }}" + group_names: "{{ aws_ec2_with_eip.security_groups }}" + return_type: ids when: aws_ec2_with_eip.security_groups | length > 0 # Do not create an instance if _aws_hostname is not an EC2 generated address unless `force: true` diff --git a/roles/aws/aws_efs/tasks/main.yml b/roles/aws/aws_efs/tasks/main.yml index 6e07019b5..b7351ebd8 100644 --- a/roles/aws/aws_efs/tasks/main.yml +++ b/roles/aws/aws_efs/tasks/main.yml @@ -3,10 +3,11 @@ ansible.builtin.include_role: name: aws/aws_security_groups vars: - profile: "{{ aws_efs.aws_profile }}" - region: "{{ aws_efs.region }}" - group_names: "{{ aws_efs.security_groups }}" - return_type: ids + aws_security_groups: + profile: "{{ aws_efs.aws_profile }}" + region: "{{ aws_efs.region }}" + group_names: "{{ aws_efs.security_groups }}" + return_type: ids when: aws_efs.security_groups | length > 0 - name: Reset subnet ids info diff --git a/roles/aws/aws_elasticache/tasks/main.yml b/roles/aws/aws_elasticache/tasks/main.yml index 83c64efd8..7c75d36eb 100644 --- a/roles/aws/aws_elasticache/tasks/main.yml +++ b/roles/aws/aws_elasticache/tasks/main.yml 
@@ -3,10 +3,11 @@ ansible.builtin.include_role: name: aws/aws_security_groups vars: - profile: "{{ aws_elasticache.aws_profile }}" - region: "{{ aws_elasticache.region }}" - group_names: "{{ aws_elasticache.elasticache_security_groups }}" - return_type: ids + aws_security_groups: + profile: "{{ aws_elasticache.aws_profile }}" + region: "{{ aws_elasticache.region }}" + group_names: "{{ aws_elasticache.elasticache_security_groups }}" + return_type: ids when: aws_elasticache.elasticache_security_groups | length > 0 - name: Create ElastiCache subnet group. diff --git a/roles/aws/aws_elb/tasks/main.yml b/roles/aws/aws_elb/tasks/main.yml index 4c4416338..a47f372ad 100644 --- a/roles/aws/aws_elb/tasks/main.yml +++ b/roles/aws/aws_elb/tasks/main.yml @@ -113,10 +113,11 @@ ansible.builtin.include_role: name: aws/aws_security_groups vars: - profile: "{{ aws_elb.aws_profile }}" - region: "{{ aws_elb.region }}" - group_names: "{{ aws_elb.elb_security_groups }}" - return_type: ids + aws_security_groups: + profile: "{{ aws_elb.aws_profile }}" + region: "{{ aws_elb.region }}" + group_names: "{{ aws_elb.elb_security_groups }}" + return_type: ids when: aws_elb.elb_security_groups | length > 0 - name: Create the ALB. diff --git a/roles/aws/aws_opensearch/tasks/main.yml b/roles/aws/aws_opensearch/tasks/main.yml index f43b79bb0..39368148a 100644 --- a/roles/aws/aws_opensearch/tasks/main.yml +++ b/roles/aws/aws_opensearch/tasks/main.yml @@ -4,10 +4,11 @@ ansible.builtin.include_role: name: aws/aws_security_groups vars: - profile: "{{ aws_opensearch.aws_profile }}" - region: "{{ aws_opensearch.region }}" - group_names: "{{ aws_opensearch.security_groups }}" - return_type: ids + aws_security_groups: + profile: "{{ aws_opensearch.aws_profile }}" + region: "{{ aws_opensearch.region }}" + group_names: "{{ aws_opensearch.security_groups }}" + return_type: ids when: aws_opensearch.security_groups | length > 0 - name: Get the current AWS account caller identity information 
diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml index 416dd30b4..85301323d 100644 --- a/roles/aws/aws_rds/tasks/main.yml +++ b/roles/aws/aws_rds/tasks/main.yml @@ -67,10 +67,11 @@ ansible.builtin.include_role: name: aws/aws_security_groups vars: - profile: "{{ aws_rds.aws_profile }}" - region: "{{ aws_rds.region }}" - group_names: "{{ aws_rds.security_groups }}" - return_type: ids + aws_security_groups: + profile: "{{ aws_rds.aws_profile }}" + region: "{{ aws_rds.region }}" + group_names: "{{ aws_rds.security_groups }}" + return_type: ids when: aws_rds.security_groups | length > 0 - name: Create RDS instance diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index 4aac433a9..7ea4f100d 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml @@ -4,12 +4,17 @@ pkg: ansible state: absent -- name: Ensure Ansible is not installed globally with pip3 on older versions of Debian. +- name: Ensure Ansible is not installed globally with pip or pip3 on older versions of Debian. ansible.builtin.pip: - name: ansible + name: + - ansible + - ansible-core state: absent - executable: pip3 + executable: "{{ item }}" when: ansible_distribution_major_version | int < 12 + with_items: + - pip + - pip3 failed_when: false # don't stop the build if there's no system pip - name: Set up Python packages. diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml index 685b0bfc2..47b32ac4c 100644 --- a/roles/debian/gitlab_runner/tasks/main.yml +++ b/roles/debian/gitlab_runner/tasks/main.yml 
@@ -42,11 +42,12 @@ apply: delegate_to: localhost # this is how you delegate the include_role module vars: - profile: "{{ gitlab_runner.fargate.profile }}" - region: "{{ gitlab_runner.fargate.region }}" - group_names: - - "{{ gitlab_runner.fargate.security_group }}" - return_type: ids + aws_security_groups: + profile: "{{ gitlab_runner.fargate.profile }}" + region: "{{ gitlab_runner.fargate.region }}" + group_names: + - "{{ gitlab_runner.fargate.security_group }}" + return_type: ids when: gitlab_runner.install_fargate - name: Create the Fargate driver directory if it does not exist. diff --git a/scripts/_common.sh b/scripts/_common.sh index 0da872d6f..a1aae6923 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -34,10 +34,12 @@ if [ ! -d "$ANSIBLE_DATA_DIR" ]; then mkdir "$ANSIBLE_DATA_DIR" fi # Load the contents of profile.d in case we added items to $PATH there. -for f in /etc/profile.d/*; do -# shellcheck source=/dev/null - . "$f" -done +if [ -n "$(ls -A /etc/profile.d)" ]; then + for f in /etc/profile.d/*; do + # shellcheck source=/dev/null + . "$f" + done +fi # Parse options arguments. parse_options(){ while [ "${1:-}" ]; do From 4616bd5f0549a4e42ff4526f25dd86237fdfa387 Mon Sep 17 00:00:00 2001 
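Review bot: the `_common.sh` hunk still sources every entry in `/etc/profile.d/*`, so backup, disabled or non-shell files left in that directory (`foo.sh.dpkg-old`, `foo.disabled`) are executed by the provisioning script; mirror what `/etc/profile` does and restrict the glob to `*.sh` with a readability check, which also removes the need for the `ls -A` guard:
`for f in /etc/profile.d/*.sh; do [ -r "$f" ] && . "$f"; done`
With no match the unexpanded pattern fails the `-r` test and is skipped.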
From: Greg Harvey Date: Fri, 12 Jan 2024 10:06:07 +0100 Subject: [PATCH 041/331] Bug fixes 2.x pr 2.x (#1361) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. --- roles/debian/ldap_server/meta/main.yml | 3 --- roles/debian/ldap_server/tasks/main.yml | 13 +++++++++++++ roles/debian/mysql_client/meta/main.yml | 3 --- roles/debian/mysql_client/tasks/main.yml | 13 +++++++++++++ roles/debian/nginx/meta/main.yml | 3 --- roles/debian/nginx/tasks/main.yml | 13 +++++++++++++ roles/debian/python_common/defaults/main.yml | 1 - scripts/_common.sh | 11 ++++++++++- scripts/provision.sh | 1 + 9 files changed, 50 insertions(+), 11 deletions(-) delete mode 100644 roles/debian/ldap_server/meta/main.yml delete mode 100644 roles/debian/mysql_client/meta/main.yml delete mode 100644 roles/debian/nginx/meta/main.yml diff --git a/roles/debian/ldap_server/meta/main.yml b/roles/debian/ldap_server/meta/main.yml deleted file mode 100644 index 551567003..000000000 --- a/roles/debian/ldap_server/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: debian/python_common 
diff --git a/roles/debian/ldap_server/tasks/main.yml b/roles/debian/ldap_server/tasks/main.yml index 9a773da58..bf2c0d3d1 100644 --- a/roles/debian/ldap_server/tasks/main.yml +++ b/roles/debian/ldap_server/tasks/main.yml @@ -14,6 +14,19 @@ purge: true when: ldap_server.slapd.purge +- name: Set up Python packages. + ansible.builtin.include_role: + name: debian/python_common + vars: + python_common: + remove_packages: + - python-pip + - python3-yaml + - python-botocore + - python-urllib3 + install_packages: + - python3-pip + - name: Ensure LDAP and python-ldap and dependencies are installed. ansible.builtin.apt: pkg: ["slapd", "ldapscripts", "libldap2-dev"] diff --git a/roles/debian/mysql_client/meta/main.yml b/roles/debian/mysql_client/meta/main.yml deleted file mode 100644 index 551567003..000000000 --- a/roles/debian/mysql_client/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: debian/python_common diff --git a/roles/debian/mysql_client/tasks/main.yml b/roles/debian/mysql_client/tasks/main.yml index d17123205..2ecca067e 100644 --- a/roles/debian/mysql_client/tasks/main.yml +++ b/roles/debian/mysql_client/tasks/main.yml @@ -6,6 +6,19 @@ update_cache: true cache_valid_time: 240 +- name: Set up Python packages. + ansible.builtin.include_role: + name: debian/python_common + vars: + python_common: + remove_packages: + - python-pip + - python3-yaml + - python-botocore + - python-urllib3 + install_packages: + - python3-pip + - name: Ensure PyMySQL is installed with pip3. ansible.builtin.pip: name: pymysql diff --git a/roles/debian/nginx/meta/main.yml b/roles/debian/nginx/meta/main.yml deleted file mode 100644 index 551567003..000000000 --- a/roles/debian/nginx/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: debian/python_common diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 60a8c4246..0388ed007 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml 
@@ -6,6 +6,19 @@ update_cache: true cache_valid_time: 240 +- name: Set up Python packages. + ansible.builtin.include_role: + name: debian/python_common + vars: + python_common: + remove_packages: + - python-pip + - python3-yaml + - python-botocore + - python-urllib3 + install_packages: + - python3-pip + - name: Ensure passlib is installed with pip3. ansible.builtin.pip: name: passlib diff --git a/roles/debian/python_common/defaults/main.yml b/roles/debian/python_common/defaults/main.yml index afb3840df..59c3c7e72 100644 --- a/roles/debian/python_common/defaults/main.yml +++ b/roles/debian/python_common/defaults/main.yml @@ -8,5 +8,4 @@ python_common: install_packages: - python3-distutils - python3-venv - - python3-pip - cloud-init # package can get removed with python3-yaml but we need it for auto-scale \ No newline at end of file diff --git a/scripts/_common.sh b/scripts/_common.sh index a1aae6923..da5277ef9 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -12,6 +12,7 @@ TARGET_PROVISION_BRANCH="" ANSIBLE_EXTRA_VARS="" ANSIBLE_DEFAULT_EXTRA_VARS="" ANSIBLE_PATH="" +PYTHON_INTERPRETER="" BUILD_WORKSPACE="" BUILD_WORKSPACE_BASE="$OWN_DIR/build" BUILD_ID="" @@ -101,6 +102,10 @@ parse_options(){ shift ANSIBLE_PATH="$1" ;; + "--python-interpreter") + shift + PYTHON_INTERPRETER="$1" + ;; *) usage exit 1 
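Review bot: in the ldap_server, mysql_client and nginx tasks hunks, the pasted `remove_packages` lists include `python3-yaml` while `install_packages` lists only `python3-pip`, yet the python_common defaults hunk in this same patch keeps the comment that removing `python3-yaml` can take `cloud-init` with it. On auto-scale hosts these three roles can therefore uninstall cloud-init without reinstalling it. Either drop the `remove_packages` override here or include `cloud-init` in `install_packages`; the identical 12-line block in three roles would also be better kept as one shared variable.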
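Review bot: in the roles/debian/python_common/defaults/main.yml hunk, dropping `python3-pip` from `install_packages` means any role that still reaches python_common through a meta dependency and then calls `ansible.builtin.pip` will no longer have pip installed; please check the remaining dependents before merging. The file also still ends without a trailing newline (`\ No newline at end of file`).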
@@ -123,7 +128,11 @@ get_build_workspace(){ # Common extra-vars to pass to Ansible. get_ansible_defaults_vars(){ get_build_id - ANSIBLE_DEFAULT_EXTRA_VARS="{_ce_provision_base_dir: $OWN_DIR, _ce_provision_build_dir: $BUILD_WORKSPACE, _ce_provision_build_tmp_dir: $BUILD_TMP_DIR, _ce_provision_data_dir: $ANSIBLE_DATA_DIR, _ce_provision_build_id: $BUILD_ID, _ce_provision_force_play: $FORCE_PLAY, target_branch: $TARGET_PROVISION_BRANCH}" + if [ -n "$PYTHON_INTERPRETER" ]; then + ANSIBLE_DEFAULT_EXTRA_VARS="{ansible_python_interpreter: $PYTHON_INTERPRETER, _ce_provision_base_dir: $OWN_DIR, _ce_provision_build_dir: $BUILD_WORKSPACE, _ce_provision_build_tmp_dir: $BUILD_TMP_DIR, _ce_provision_data_dir: $ANSIBLE_DATA_DIR, _ce_provision_build_id: $BUILD_ID, _ce_provision_force_play: $FORCE_PLAY, target_branch: $TARGET_PROVISION_BRANCH}" + else + ANSIBLE_DEFAULT_EXTRA_VARS="{_ce_provision_base_dir: $OWN_DIR, _ce_provision_build_dir: $BUILD_WORKSPACE, _ce_provision_build_tmp_dir: $BUILD_TMP_DIR, _ce_provision_data_dir: $ANSIBLE_DATA_DIR, _ce_provision_build_id: $BUILD_ID, _ce_provision_force_play: $FORCE_PLAY, target_branch: $TARGET_PROVISION_BRANCH}" + fi } # Clone our target repo. diff --git a/scripts/provision.sh b/scripts/provision.sh index 92d2e0265..fda465e05 100755 --- a/scripts/provision.sh +++ b/scripts/provision.sh 
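Review bot: in the `get_ansible_defaults_vars` hunk, both branches duplicate the full extra-vars dict and will drift the next time a key is added; build the common string once and conditionally prepend `ansible_python_interpreter: $PYTHON_INTERPRETER, `. The value is also spliced unquoted into a flow-style YAML dict, so a path containing spaces, commas or braces breaks `--extra-vars` parsing, and the `--python-interpreter` option in the parse_options hunk accepts any string; checking `[ -x "$PYTHON_INTERPRETER" ]` at parse time would fail fast with a clear message instead of deep inside ansible-playbook.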
@@ -14,6 +14,7 @@ usage(){ echo 'Available options:' echo '--ansible-extra-vars: Variable to pass as --extra-vars arguments to ansible-playbook. Make sure to escape them properly.' echo '--ansible-path: Pass the path to the directory containing the Ansible binaries if you are not using the version of Ansible in PATH.' + echo '--python-interpreter: When using Python virtual environments Ansible may not correctly determine the Python interpreter, use this to set it manually.' echo '--workspace: Local existing clone of the repo/branch (if your deployment tool already has one). This will skip the cloning/fetching of the repo.' echo '--user: Linux user executing the script (defaults to controller).' echo '--absolute-playbook-path: Prevent prepending of the workspace path to the playbook path when Ansible is called.' From c4d6908768d1d86629fd34bb4296818354a1e76b Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Fri, 12 Jan 2024 13:48:57 +0100 Subject: [PATCH 042/331] Ensuring cloud-init gets installed. --- roles/debian/ansible/tasks/main.yml | 12 ++++++++++++ roles/debian/ldap_server/tasks/main.yml | 7 ++----- roles/debian/mysql_client/tasks/main.yml | 7 ++----- roles/debian/nginx/tasks/main.yml | 7 ++----- roles/debian/python_boto/meta/main.yml | 3 --- roles/debian/python_boto/tasks/main.yml | 16 ++++++++++++++++ roles/debian/python_common/defaults/main.yml | 13 ++++++++----- roles/debian/python_common/tasks/main.yml | 1 + 8 files changed, 43 insertions(+), 23 deletions(-) delete mode 100644 roles/debian/python_boto/meta/main.yml diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index 7ea4f100d..56d1d94f2 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml 
@@ -20,6 +20,18 @@ - name: Set up Python packages. ansible.builtin.include_role: name: debian/python_common + vars: + python_common: + cleanup: true + remove_packages: + - python-pip + - python3-yaml # linters need a newer version of PyYAML than the one that ships with Debian + - python-botocore + - python-urllib3 + install_packages: + - python3-distutils + - python3-venv + - cloud-init # package can get removed with python3-yaml but we need it for auto-scale - name: Ensure pip is at latest version. ansible.builtin.pip: diff --git a/roles/debian/ldap_server/tasks/main.yml b/roles/debian/ldap_server/tasks/main.yml index bf2c0d3d1..a802561b1 100644 --- a/roles/debian/ldap_server/tasks/main.yml +++ b/roles/debian/ldap_server/tasks/main.yml @@ -19,11 +19,8 @@ name: debian/python_common vars: python_common: - remove_packages: - - python-pip - - python3-yaml - - python-botocore - - python-urllib3 + cleanup: false + remove_packages: [] install_packages: - python3-pip diff --git a/roles/debian/mysql_client/tasks/main.yml b/roles/debian/mysql_client/tasks/main.yml index 2ecca067e..aa4057005 100644 --- a/roles/debian/mysql_client/tasks/main.yml +++ b/roles/debian/mysql_client/tasks/main.yml @@ -11,11 +11,8 @@ name: debian/python_common vars: python_common: - remove_packages: - - python-pip - - python3-yaml - - python-botocore - - python-urllib3 + cleanup: false + remove_packages: [] install_packages: - python3-pip diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 0388ed007..08c44b097 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -11,11 +11,8 @@ name: debian/python_common vars: python_common: - remove_packages: - - python-pip - - python3-yaml - - python-botocore - - python-urllib3 + cleanup: false + remove_packages: [] install_packages: - python3-pip diff --git a/roles/debian/python_boto/meta/main.yml b/roles/debian/python_boto/meta/main.yml deleted file mode 100644 index 551567003..000000000 
--- a/roles/debian/python_boto/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: debian/python_common diff --git a/roles/debian/python_boto/tasks/main.yml b/roles/debian/python_boto/tasks/main.yml index c89cc37e6..ecafdd63c 100644 --- a/roles/debian/python_boto/tasks/main.yml +++ b/roles/debian/python_boto/tasks/main.yml @@ -9,6 +9,22 @@ when: - python_boto.boto3_version | length > 0 +- name: Set up Python packages. + ansible.builtin.include_role: + name: debian/python_common + vars: + python_common: + cleanup: true + remove_packages: + - python-pip + - python3-yaml # linters need a newer version of PyYAML than the one that ships with Debian + - python-botocore + - python-urllib3 + install_packages: + - python3-distutils + - python3-venv + - cloud-init # package can get removed with python3-yaml but we need it for auto-scale + - name: Ensure boto3 is installed. ansible.builtin.pip: name: "{{ _boto3_install_package }}" diff --git a/roles/debian/python_common/defaults/main.yml b/roles/debian/python_common/defaults/main.yml index 59c3c7e72..1d8d7bf42 100644 --- a/roles/debian/python_common/defaults/main.yml +++ b/roles/debian/python_common/defaults/main.yml @@ -1,10 +1,13 @@ --- python_common: - remove_packages: - - python-pip - - python3-yaml # linters need a newer version of PyYAML than the one that ships with Debian - - python-botocore - - python-urllib3 + cleanup: false # set to true to remove unwanted packages + remove_packages: [] # list of packages to remove if cleanup: true + # Example from ansible role + #- python-pip + #- python3-yaml # linters need a newer version of PyYAML than the one that ships with Debian + #- python-botocore + #- python-urllib3 + # Commonly required Python system packages install_packages: - python3-distutils - python3-venv diff --git a/roles/debian/python_common/tasks/main.yml b/roles/debian/python_common/tasks/main.yml index 178a0ae82..74c1ba7a3 100644 --- a/roles/debian/python_common/tasks/main.yml 
+++ b/roles/debian/python_common/tasks/main.yml @@ -3,6 +3,7 @@ ansible.builtin.apt: pkg: "{{ python_common.remove_packages }}" state: absent + when: python_common.cleanup - name: Ensure commonly required Python packages are installed. ansible.builtin.apt: From a4e842517e5c15bc542e7e626a07a9693b908610 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 16 Jan 2024 14:21:12 +0100 Subject: [PATCH 043/331] Bug fixes 2.x pr 2.x (#1371) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. --- roles/_meta/common_base/meta/main.yml | 57 ++++++++++++++++++++++---- roles/_meta/webserver/meta/main.yml | 1 - roles/debian/pam_linotp/tasks/main.yml | 6 +-- 3 files changed, 52 insertions(+), 12 deletions(-) diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index 95fcebc29..140fcf1bb 100644 --- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml 
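Review bot: in the roles/debian/ansible and roles/debian/python_boto tasks hunks, the same 12-line `python_common` vars block is duplicated verbatim, and because both roles now include python_common directly, a host that runs both will perform the `cleanup: true` removal and reinstall twice. Suggest a shared variable (or a single `cleanup` profile in the python_common defaults) so the package list lives in one place.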
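Review bot: in the python_common tasks hunk, `when: python_common.cleanup` is the right guard, but a caller can still set `cleanup: true` with `remove_packages: []` (the new default), which hands an empty list to `apt`; extending the condition to `python_common.cleanup and python_common.remove_packages | length > 0` makes that combination a no-op. In the defaults hunk the commented example list under `remove_packages: []` would read better in the role README than as commented-out YAML, and the ldap_server, mysql_client and nginx hunks no longer need `remove_packages: []` once they set `cleanup: false`.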
@@ -1,14 +1,55 @@ --- dependencies: - - { role: debian/apt_extra_packages, apt_extra_packages: ["rsync", "python3-apt", "acl", "gnupg", "build-essential", "cron", "bsd-mailx", "vim", "unzip", "ca-certificates"] } - - { role: debian/apt_extra_packages, apt_extra_packages: ["dnsutils", "telnet", "atop", "sysstat"], when: ( is_local is not defined or not is_local ) } + - role: debian/apt_extra_packages + apt_extra_packages: + - rsync + - python3-apt + - acl + - gnupg + - build-essential + - cron + - bsd-mailx + - vim + - unzip + - ca-certificates + - role: debian/apt_extra_packages + apt_extra_packages: + - dnsutils + - telnet + - atop + - sysstat + - tcpdump + - mtr-tiny + - htop + - ntp + - screen + - iptraf-ng + when: is_local is not defined or not is_local - role: debian/locales - role: debian/user_root + - role: debian/user_provision - role: debian/apt_extra_packages - - { role: debian/apt_unattended_upgrades, when: ( is_local is not defined or not is_local ) } - - { role: debian/hosts, when: ( is_local is not defined or not is_local ) } - - { role: debian/rkhunter, when: ( is_local is not defined or not is_local ) } + - role: debian/apt_unattended_upgrades + when: is_local is not defined or not is_local + - role: debian/hosts + when: is_local is not defined or not is_local + - role: debian/rkhunter + when: is_local is not defined or not is_local - role: debian/postfix - - { role: debian/clamav, when: ( is_local is not defined or not is_local ) } - - { role: debian/firewall_config, when: ( is_local is not defined or not is_local ) } - - { role: debian/sudo_config, when: ( is_local is not defined or not is_local ) } + - role: debian/clamav + when: is_local is not defined or not is_local + - role: debian/firewall_config + when: is_local is not defined or not is_local + - role: debian/sudo_config + when: is_local is not defined or not is_local + - role: debian/ansible + ce_ansible: + venv_path: "/home/{{ ce_provision.username }}/ansible" + venv_command: 
"/usr/bin/python3.11 -m venv" + install_username: "{{ ce_provision.username }}" + upgrade: + enabled: true + command: "/home/{{ ce_provision.username }}/ansible/bin/python3 -m pip install --upgrade ansible" + on_calendar: "*-*-* 01:30:00" + linters: + enabled: false diff --git a/roles/_meta/webserver/meta/main.yml b/roles/_meta/webserver/meta/main.yml index a66530c03..00249c536 100644 --- a/roles/_meta/webserver/meta/main.yml +++ b/roles/_meta/webserver/meta/main.yml @@ -2,7 +2,6 @@ dependencies: - { role: debian/ssh_server, when: ( is_local is not defined or not is_local ) } - role: _meta/common_base - - role: debian/user_provision - role: debian/user_deploy - role: debian/mysql_client - role: debian/nodejs diff --git a/roles/debian/pam_linotp/tasks/main.yml b/roles/debian/pam_linotp/tasks/main.yml index d4736a2e6..d7fe822a2 100644 --- a/roles/debian/pam_linotp/tasks/main.yml +++ b/roles/debian/pam_linotp/tasks/main.yml @@ -1,13 +1,13 @@ --- - name: Add key for LinOTP repository. ansible.builtin.apt_key: - keyserver: http://packages.codeenigma.com/debian/codeenigma.pub - id: A344A0826FD987C6 + keyserver: https://packages.codeenigma.net/debian/codeenigma.pub + id: 77AFCA1C45124FBB2EFCD7267DC594C08E0497D4 state: present - name: Add repository for LinOTP. ansible.builtin.apt_repository: - repo: "deb http://packages.codeenigma.com/debian buster main" + repo: "deb https://packages.codeenigma.net/debian {{ ansible_distribution_release }} main" state: present - name: Ensure libpam-linotp is installed. From c6c7123b60b0828a33c72e1beb42ba6b94906eaa Mon Sep 17 00:00:00 2001 
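Review bot: in the roles/_meta/common_base/meta/main.yml hunk, `venv_command: "/usr/bin/python3.11 -m venv"` hard-codes the Debian 12 interpreter, so the `debian/ansible` dependency fails on any Debian 11 host (Python 3.9); `"{{ ansible_python.executable }} -m venv"` or an overridable variable would work across releases. The nightly timer also runs `pip install --upgrade ansible` unpinned, which means every server silently moves to whatever the latest PyPI release is, major versions included; a version specifier (an upper bound at minimum) and ideally hash-checked requirements keep that upgrade under change control.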
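Review bot: in the roles/debian/pam_linotp/tasks/main.yml hunk, `keyserver:` is given a URL to a key file, but the `apt_key` module's `keyserver` parameter expects a keyserver host; fetching a `.pub` file over HTTPS is what the `url:` parameter is for, with `id:` then acting as the fingerprint check (the move to HTTPS and a full 40-character fingerprint is a good change). Since `apt-key` is deprecated on Debian 11 and later, consider downloading the key with `get_url` into a keyring and using `signed-by` in the repository line instead. Note also that `{{ ansible_distribution_release }}` replaces the pinned `buster` suite, so the repository must publish a suite for every release this role runs on.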
From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 17 Jan 2024 12:43:34 +0100 Subject: [PATCH 044/331] Increasing-swap-rewriting-readme (#1377) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. 
(#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. 
* Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. 
* Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. 
* Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. 
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
* Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. 
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. 
* For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list.
* Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name.
* Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." 
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. 
* Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. 
* GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. 
* Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. 
Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. 
* Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. 
* Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." 
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. 
* Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." 
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. 
* Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. 
* Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming tem… * Bug fixes 2.x pr devel 2.x (#1370) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. 
* Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. 
* Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. 
* Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. 
* Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. 
* Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. 
* Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. 
* Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. 
(#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. 
(#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account…
* Bug fixes 2.x pr devel 2.x (#1372)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel.
(#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account…
* Increasing-swap-rewriting-readme
* Increasing swap rewriting readme (#1376)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp a… * Fixing-readme-value --------- Co-authored-by: Greg Harvey Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> --- roles/debian/swap/README.md | 4 
+++- roles/debian/swap/defaults/main.yml | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/debian/swap/README.md b/roles/debian/swap/README.md index 8bfeaa59c..ea66bc066 100644 --- a/roles/debian/swap/README.md +++ b/roles/debian/swap/README.md @@ -1,6 +1,8 @@ # General swap role to add swap space By default, role is set to add 2G of swap space. +As a general rule of thumb, swap should be set to 2.5x of current RAM. +If server has 2G RAM, set RAM to 5G by creating swap.yml inside vars at local directory. @@ -11,7 +13,7 @@ By default, role is set to add 2G of swap space. --- swap: count: 2048 - size: "2G" + size: "4G" swap_space: swapfile ``` diff --git a/roles/debian/swap/defaults/main.yml b/roles/debian/swap/defaults/main.yml index 61873e331..1c1faf56a 100644 --- a/roles/debian/swap/defaults/main.yml +++ b/roles/debian/swap/defaults/main.yml @@ -1,5 +1,5 @@ --- swap: count: 2048 - size: "2G" + size: "4G" swap_space: swapfile From aad4b5500d15b706416928f72d993b4ba7d485a9 Mon Sep 17 00:00:00 2001 
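Review bot: in the roles/debian/swap/README.md hunk at @@ -1,6 +1,8 @@, the added sentence says "set RAM to 5G" where it means set swap to 5G, and the unchanged line above it still says "By default, role is set to add 2G of swap space." while this same patch moves the default `size` to "4G"; update both, for example `By default, role is set to add 4G of swap space.` and `If server has 2G RAM, set swap to 5G by setting size: "5G" ...`, and name the variable (`size`) instead of "creating swap.yml inside vars at local directory", which does not tell the reader which key to set.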
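Review bot: in the roles/debian/swap/README.md example hunk at @@ -11,7 +13,7 @@, `size` becomes "4G" but the hunk's own context line (`By default, role is set to add 2G of swap space.`) and the untouched `count: 2048` next to it still describe a 2G file; the example and the prose should agree on the default after this change.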
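Review bot: in roles/debian/swap/defaults/main.yml, `size` changes from "2G" to "4G" while `count: 2048` is left as is; if `count` is the number of 1M blocks written when the swap file is created, the two values now disagree and the file that gets created depends on which one the tasks actually use. Either update `count` to match or add a comment stating which value sizes the file.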
From: Greg Harvey Date: Wed, 17 Jan 2024 19:12:09 +0100 Subject: [PATCH 045/331] Bug fixes 2.x pr 2.x (#1380) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. --- docs/_Sidebar.md | 2 +- docs/roles/debian/python_common.md | 14 ++++++++------ docs/roles/debian/swap.md | 7 +++---- roles/_meta/common_base/meta/main.yml | 2 +- roles/debian/python_common/README.md | 14 ++++++++------ roles/debian/swap/README.md | 7 ++----- 6 files changed, 23 insertions(+), 23 deletions(-) diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index aa59208c8..5a5213a0b 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md 
@@ -76,7 +76,7 @@ - [SSHD](/roles/debian/ssh_server) - [SSL](/roles/debian/ssl) - [sudo config](/roles/debian/sudo_config) - - [General swap role to add swap space](/roles/debian/swap) + - [Swap](/roles/debian/swap) - [varnish-config](/roles/debian/varnish_config) - [wazuh](/roles/debian/wazuh) - [Init role](/roles/_init) diff --git a/docs/roles/debian/python_common.md b/docs/roles/debian/python_common.md index 2c9f384f9..94573f816 100644 --- a/docs/roles/debian/python_common.md +++ b/docs/roles/debian/python_common.md @@ -9,15 +9,17 @@ Packages required by all Python scripts and applications. ```yaml --- python_common: - remove_packages: - - python-pip - - python3-yaml # linters need a newer version of PyYAML than the one that ships with Debian - - python-botocore - - python-urllib3 + cleanup: false # set to true to remove unwanted packages + remove_packages: [] # list of packages to remove if cleanup: true + # Example from ansible role + #- python-pip + #- python3-yaml # linters need a newer version of PyYAML than the one that ships with Debian + #- python-botocore + #- python-urllib3 + # Commonly required Python system packages install_packages: - python3-distutils - python3-venv - - python3-pip - cloud-init # package can get removed with python3-yaml but we need it for auto-scale ``` diff --git a/docs/roles/debian/swap.md b/docs/roles/debian/swap.md index 8bfeaa59c..ef6f5f208 100644 --- a/docs/roles/debian/swap.md +++ b/docs/roles/debian/swap.md @@ -1,6 +1,5 @@ -# General swap role to add swap space - -By default, role is set to add 2G of swap space. +# Swap +General role to add swap space to servers. By default, role is set to add 4G of swap space. As a general rule of thumb, swap should be set to 2.5 times the amount of RAM. So if a server has 2G RAM, we should set swap to 5G by setting `size: "5G"` in the variables for that server. 
@@ -11,7 +10,7 @@ By default, role is set to add 2G of swap space. --- swap: count: 2048 - size: "2G" + size: "4G" swap_space: swapfile ``` diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index 140fcf1bb..9e3635fa6 100644 --- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml @@ -45,7 +45,7 @@ dependencies: - role: debian/ansible ce_ansible: venv_path: "/home/{{ ce_provision.username }}/ansible" - venv_command: "/usr/bin/python3.11 -m venv" + venv_command: "/usr/bin/python3 -m venv" install_username: "{{ ce_provision.username }}" upgrade: enabled: true diff --git a/roles/debian/python_common/README.md b/roles/debian/python_common/README.md index 2c9f384f9..94573f816 100644 --- a/roles/debian/python_common/README.md +++ b/roles/debian/python_common/README.md @@ -9,15 +9,17 @@ Packages required by all Python scripts and applications. ```yaml --- python_common: - remove_packages: - - python-pip - - python3-yaml # linters need a newer version of PyYAML than the one that ships with Debian - - python-botocore - - python-urllib3 + cleanup: false # set to true to remove unwanted packages + remove_packages: [] # list of packages to remove if cleanup: true + # Example from ansible role + #- python-pip + #- python3-yaml # linters need a newer version of PyYAML than the one that ships with Debian + #- python-botocore + #- python-urllib3 + # Commonly required Python system packages install_packages: - python3-distutils - python3-venv - - python3-pip - cloud-init # package can get removed with python3-yaml but we need it for auto-scale ``` diff --git a/roles/debian/swap/README.md b/roles/debian/swap/README.md index ea66bc066..ef6f5f208 100644 --- a/roles/debian/swap/README.md +++ b/roles/debian/swap/README.md 
@@ -1,8 +1,5 @@ -# General swap role to add swap space - -By default, role is set to add 2G of swap space. -As a general rule of thumb, swap should be set to 2.5x of current RAM. -If server has 2G RAM, set RAM to 5G by creating swap.yml inside vars at local directory. +# Swap +General role to add swap space to servers. By default, role is set to add 4G of swap space. As a general rule of thumb, swap should be set to 2.5 times the amount of RAM. So if a server has 2G RAM, we should set swap to 5G by setting `size: "5G"` in the variables for that server. From 97f42685b3e42c925957822991e0004b999ae4e2 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 18 Jan 2024 15:37:23 +0100 Subject: [PATCH 046/331] Bug fixes 2.x pr 2.x (#1383) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. From a37d7b15c3dd9bae723c3ee0e2af9428cb676782 Mon Sep 17 00:00:00 2001 
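Review bot: in the docs/roles/debian/swap.md hunk the default is raised to `size: "4G"` while `count: 2048` on the context line directly above is left untouched; if `count` is the block count that actually sizes the swapfile, the two defaults now disagree (2048 blocks of 1M is 2G) and one of them is silently ignored. Either raise `count` to 4096 alongside `size`, or add a comment stating which of the two controls the file size.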
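Review bot: in the roles/_meta/common_base/meta/main.yml hunk, `venv_command: "/usr/bin/python3 -m venv"` replaces the pinned `python3.11`, so the venv now follows whatever the distribution `python3` symlink resolves to; a venv keeps pointing at the interpreter it was created with, so after a Debian Python major upgrade the venv under `venv_path` is stale and the `upgrade: enabled: true` path below it will be running against a missing interpreter. Worth a sentence in the role docs saying the venv must be recreated after such an upgrade.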
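Review bot: in the python_common hunks `cleanup: false # set to true to remove unwanted packages` is paired with `remove_packages: []`, so enabling `cleanup` on its own does nothing; the comment should say that `remove_packages` has to be populated as well, and the four commented entries should say they are the previous defaults now being opted out of. Dropping `python3-pip` from `install_packages` also means anything that still calls the system pip (the "Suppressing a failure if there is no system pip to call" item in the message) now relies on the venv path being present.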
From: Greg Harvey Date: Fri, 19 Jan 2024 11:37:58 +0100 Subject: [PATCH 047/331] Bug fixes 2.x pr 2.x (#1385) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
--- docs/roles/debian/ansible.md | 1 + docs/roles/debian/ce_deploy.md | 1 + docs/roles/debian/ce_provision.md | 1 + docs/roles/debian/ldap_server.md | 1 + roles/_meta/common_base/meta/main.yml | 1 + roles/debian/ansible/README.md | 1 + roles/debian/ansible/defaults/main.yml | 1 + roles/debian/ansible/tasks/main.yml | 13 +++++++++---- roles/debian/ce_deploy/README.md | 1 + roles/debian/ce_deploy/defaults/main.yml | 1 + roles/debian/ce_deploy/tasks/main.yml | 1 + roles/debian/ce_provision/README.md | 1 + roles/debian/ce_provision/defaults/main.yml | 1 + roles/debian/ce_provision/tasks/main.yml | 1 + roles/debian/ldap_server/README.md | 1 + roles/debian/ldap_server/defaults/main.yml | 1 + 16 files changed, 24 insertions(+), 4 deletions(-) diff --git a/docs/roles/debian/ansible.md b/docs/roles/debian/ansible.md index b7dfe0dbc..f50de4929 100644 --- a/docs/roles/debian/ansible.md +++ b/docs/roles/debian/ansible.md @@ -19,6 +19,7 @@ ce_ansible: enabled: true # create systemd timer to auto-upgrade Ansible command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too on_calendar: "*-*-* 01:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + #timer_name: upgrade_ansible linters: enabled: true # will not install linters if false, installing linters breaks cloud-init diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md index d020663ab..f9e55b15f 100644 --- a/docs/roles/debian/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md 
@@ -15,6 +15,7 @@ ce_deploy: venv_path: "/home/{{ _ce_deploy.username }}/ansible" venv_command: /usr/bin/python3 -m venv install_username: "{{ _ce_deploy.username }}" + upgrade_timer_name: upgrade_ce_deploy_ansible # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md index e8f83ea13..dba324120 100644 --- a/docs/roles/debian/ce_provision.md +++ b/docs/roles/debian/ce_provision.md @@ -16,6 +16,7 @@ ce_provision: venv_path: "/home/{{ _ce_provision.username }}/ansible" venv_command: /usr/bin/python3 -m venv install_username: "{{ _ce_provision.username }}" + upgrade_timer_name: upgrade_ce_provision_ansible # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user diff --git a/docs/roles/debian/ldap_server.md b/docs/roles/debian/ldap_server.md index 7fb78adfb..6514e4779 100644 --- a/docs/roles/debian/ldap_server.md +++ b/docs/roles/debian/ldap_server.md @@ -107,6 +107,7 @@ ldap_server: # reload_command: restart # reload: # - slapd + # on_calendar: "Mon *-*-* 04:00:00" replication: host: "" # host must be present in config/hosts for ce-provision, leave empty if no replication is desired port: "636" diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index 9e3635fa6..7a79993e8 100644 --- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml @@ -51,5 +51,6 @@ dependencies: enabled: true command: "/home/{{ ce_provision.username }}/ansible/bin/python3 -m pip install --upgrade ansible" on_calendar: "*-*-* 01:30:00" + timer_name: upgrade_ansible linters: enabled: false diff --git a/roles/debian/ansible/README.md b/roles/debian/ansible/README.md index b7dfe0dbc..f50de4929 100644 
--- a/roles/debian/ansible/README.md +++ b/roles/debian/ansible/README.md @@ -19,6 +19,7 @@ ce_ansible: enabled: true # create systemd timer to auto-upgrade Ansible command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too on_calendar: "*-*-* 01:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + #timer_name: upgrade_ansible linters: enabled: true # will not install linters if false, installing linters breaks cloud-init diff --git a/roles/debian/ansible/defaults/main.yml b/roles/debian/ansible/defaults/main.yml index f58a026b0..949bb48b7 100644 --- a/roles/debian/ansible/defaults/main.yml +++ b/roles/debian/ansible/defaults/main.yml @@ -8,5 +8,6 @@ ce_ansible: enabled: true # create systemd timer to auto-upgrade Ansible command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too on_calendar: "*-*-* 01:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + #timer_name: upgrade_ansible linters: enabled: true # will not install linters if false, installing linters breaks cloud-init diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index 56d1d94f2..a34b6d0fe 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml 
@@ -68,12 +68,17 @@ content: "export PATH=$PATH:{{ ce_ansible.venv_path | default(_venv_path) }}/bin" dest: "/etc/profile.d/ansible-path.sh" +- name: Build systemd timer variables string. + ansible.builtin.set_fact: + _timer: "{'{{ ce_ansible.upgrade.timer_name | default(_ce_ansible_timer_name) }}': { timer_command: '{{ ce_ansible.upgrade.command }}', timer_OnCalendar: '{{ ce_ansible.upgrade.on_calendar }}' }}" + +- name: Turn the timer string into a dictionary. + ansible.builtin.set_fact: + _timer: "{{ _timer.splitlines()|map('from_yaml')|list }}" + - name: Create systemd timer to upgrade Ansible. ansible.builtin.include_role: name: contrib/systemd_timers vars: - timers: - upgrade_ansible: - timer_command: "{{ ce_ansible.upgrade.command }}" - timer_OnCalendar: "{{ ce_ansible.upgrade.on_calendar }}" + timers: "{{ _timer }}" when: ce_ansible.upgrade.enabled diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md index d020663ab..f9e55b15f 100644 --- a/roles/debian/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md @@ -15,6 +15,7 @@ ce_deploy: venv_path: "/home/{{ _ce_deploy.username }}/ansible" venv_command: /usr/bin/python3 -m venv install_username: "{{ _ce_deploy.username }}" + upgrade_timer_name: upgrade_ce_deploy_ansible # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index 52bd86415..1dc9ba5b3 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml 
@@ -7,6 +7,7 @@ ce_deploy: venv_path: "/home/{{ _ce_deploy.username }}/ansible" venv_command: /usr/bin/python3 -m venv install_username: "{{ _ce_deploy.username }}" + upgrade_timer_name: upgrade_ce_deploy_ansible # Other ce-deploy settings. new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index a9d607723..ae5395780 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml @@ -133,6 +133,7 @@ _venv_path: "{{ ce_deploy.venv_path }}" _venv_command: "{{ ce_deploy.venv_command }}" _install_username: "{{ ce_deploy.install_username }}" + _ce_ansible_timer_name: "{{ ce_deploy.upgrade_timer_name }}" - name: Install Ansible. ansible.builtin.include_role: diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md index e8f83ea13..dba324120 100644 --- a/roles/debian/ce_provision/README.md +++ b/roles/debian/ce_provision/README.md @@ -16,6 +16,7 @@ ce_provision: venv_path: "/home/{{ _ce_provision.username }}/ansible" venv_command: /usr/bin/python3 -m venv install_username: "{{ _ce_provision.username }}" + upgrade_timer_name: upgrade_ce_provision_ansible # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index 4c266e3e0..8f8d508cf 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml 
@@ -8,6 +8,7 @@ ce_provision: venv_path: "/home/{{ _ce_provision.username }}/ansible" venv_command: /usr/bin/python3 -m venv install_username: "{{ _ce_provision.username }}" + upgrade_timer_name: upgrade_ce_provision_ansible # Other ce-provision settings. username: "{{ _ce_provision.username }}" new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index ca59d5928..0f4edeab1 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml @@ -141,6 +141,7 @@ _venv_path: "{{ ce_provision.venv_path }}" _venv_command: "{{ ce_provision.venv_command }}" _install_username: "{{ ce_provision.install_username }}" + _ce_ansible_timer_name: "{{ ce_provision.upgrade_timer_name }}" - name: Install Ansible. ansible.builtin.include_role: diff --git a/roles/debian/ldap_server/README.md b/roles/debian/ldap_server/README.md index 7fb78adfb..6514e4779 100644 --- a/roles/debian/ldap_server/README.md +++ b/roles/debian/ldap_server/README.md @@ -107,6 +107,7 @@ ldap_server: # reload_command: restart # reload: # - slapd + # on_calendar: "Mon *-*-* 04:00:00" replication: host: "" # host must be present in config/hosts for ce-provision, leave empty if no replication is desired port: "636" diff --git a/roles/debian/ldap_server/defaults/main.yml b/roles/debian/ldap_server/defaults/main.yml index 981d6b995..8178688a0 100644 --- a/roles/debian/ldap_server/defaults/main.yml +++ b/roles/debian/ldap_server/defaults/main.yml @@ -41,6 +41,7 @@ ldap_server: # reload_command: restart # reload: # - slapd + # on_calendar: "Mon *-*-* 04:00:00" replication: host: "" # host must be present in config/hosts for ce-provision, leave empty if no replication is desired port: "636" From 5521c098ea40c5c5ded3c8ec8f2396b1207d38a5 Mon Sep 17 00:00:00 2001 
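Review bot: in the roles/debian/ansible/tasks/main.yml hunk the timer mapping is built by templating a dict literal into a string and parsing it back with `splitlines()|map('from_yaml')|list`; the trailing `|list` yields a one-element list, not a mapping, so `timers: "{{ _timer }}"` no longer has the shape of the removed `timers: upgrade_ansible: {...}` block unless contrib/systemd_timers also accepts a list, and any `upgrade.command` containing a single quote breaks the YAML parse. Build the mapping natively in one set_fact instead, e.g. `_timer: "{{ { (ce_ansible.upgrade.timer_name | default(_ce_ansible_timer_name)): {'timer_command': ce_ansible.upgrade.command, 'timer_OnCalendar': ce_ansible.upgrade.on_calendar} } }}"`, and drop the second task.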
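Review bot: in the roles/debian/ansible/defaults/main.yml hunk `#timer_name: upgrade_ansible` is commented out, so the role falls back to `_ce_ansible_timer_name`, which in this patch is only ever set by ce_deploy and ce_provision (and bypassed by common_base setting `timer_name` directly); `default(_ce_ansible_timer_name)` raises an undefined-variable error when that fallback is missing, so any other caller of the role fails at the set_fact. Give `_ce_ansible_timer_name` a real default in this file (or uncomment `timer_name`) rather than relying on the caller.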
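Review bot: in the ce_deploy and ce_provision docs/defaults hunks `upgrade_timer_name: upgrade_ce_deploy_ansible` / `upgrade_ce_provision_ansible` is added without a trailing comment, while every neighbouring key carries one; add something like `# systemd timer name, must be unique when several Ansible venvs share a host`, since the reason the two differ ("Allowing different systemd timer names for different Ansible installs") is otherwise only in the commit message.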
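Review bot: in the ldap_server docs/defaults hunks `# on_calendar: "Mon *-*-* 04:00:00"` is appended to the commented example block with no indication of what the timer does or what the role uses when it is unset; mirror the ansible role's key and add the same `# see systemd.time documentation` pointer so the "Fixing LDAP SSL to use systemd timer" change is discoverable from the README.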
From: Greg Harvey Date: Mon, 22 Jan 2024 12:39:17 +0100 Subject: [PATCH 048/331] Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. --- docs/roles/debian/clamav.md | 3 ++- roles/debian/clamav/README.md | 3 ++- roles/debian/clamav/defaults/main.yml | 3 ++- roles/debian/clamav/templates/clamscan.j2 | 2 +- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/roles/debian/clamav.md b/docs/roles/debian/clamav.md index 81a888707..8ce643b7e 100644 --- a/docs/roles/debian/clamav.md +++ b/docs/roles/debian/clamav.md 
@@ -15,7 +15,8 @@ clamav: server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. on_calendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events scripts_location: /usr/local/clamav/script - log_location: /usr/local/clamav/log + log_location: /var/log/clamav + log_name: clamav.log send_mail: false # Important: will not send any emails by default. send_on_fail: true # Only sends emails on scan failure, will not email for successful scans. report_recipient_email: mail@example.com diff --git a/roles/debian/clamav/README.md b/roles/debian/clamav/README.md index 81a888707..8ce643b7e 100644 --- a/roles/debian/clamav/README.md +++ b/roles/debian/clamav/README.md @@ -15,7 +15,8 @@ clamav: server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. on_calendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events scripts_location: /usr/local/clamav/script - log_location: /usr/local/clamav/log + log_location: /var/log/clamav + log_name: clamav.log send_mail: false # Important: will not send any emails by default. send_on_fail: true # Only sends emails on scan failure, will not email for successful scans. report_recipient_email: mail@example.com diff --git a/roles/debian/clamav/defaults/main.yml b/roles/debian/clamav/defaults/main.yml index 651cafde3..6185d71fa 100644 --- a/roles/debian/clamav/defaults/main.yml +++ b/roles/debian/clamav/defaults/main.yml 
@@ -4,7 +4,8 @@ clamav: server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. on_calendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events scripts_location: /usr/local/clamav/script - log_location: /usr/local/clamav/log + log_location: /var/log/clamav + log_name: clamav.log send_mail: false # Important: will not send any emails by default. send_on_fail: true # Only sends emails on scan failure, will not email for successful scans. report_recipient_email: mail@example.com diff --git a/roles/debian/clamav/templates/clamscan.j2 b/roles/debian/clamav/templates/clamscan.j2 index 0142a1b8b..c2b54e2cb 100644 --- a/roles/debian/clamav/templates/clamscan.j2 +++ b/roles/debian/clamav/templates/clamscan.j2 @@ -1,7 +1,7 @@ #!/bin/bash SUBJECT="{{ clamav.server_name }} PASSED SCAN" EMAIL="{{ clamav.report_recipient_email }}" -LOG={{ clamav.log_location }}/clamav.log +LOG={{ clamav.log_location }}/{{ clamav.log_name }} TMP_LOG=/tmp/clam.daily rm -rf ${TMP_LOG} From c76618dadd65d60a98a57926d49a1254acba3306 Mon Sep 17 00:00:00 2001 
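Review bot: in the roles/debian/clamav/defaults/main.yml hunk `log_location` moves to `/var/log/clamav` and `log_name: clamav.log` is introduced, but the diffstat lists only docs, README, defaults and the template; nothing in this patch creates the new directory or retires the old `/usr/local/clamav/log`, so confirm the role's directory task (outside this diff) creates `/var/log/clamav` with ownership matching the user the scan script runs as, otherwise the first timer run fails when it opens `LOG`. `log_name` should also get a trailing comment like its neighbours.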
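Review bot: in the roles/debian/clamav/templates/clamscan.j2 hunk the unchanged context lines `TMP_LOG=/tmp/clam.daily` and `rm -rf ${TMP_LOG}` use a fixed, predictable file name in world-writable /tmp for a script that now writes into /var/log; replace them with `TMP_LOG=$(mktemp /tmp/clam.daily.XXXXXX)` so the path cannot be pre-created by another local user, which also removes the need for the `rm -rf`.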
From: Greg Harvey Date: Thu, 25 Jan 2024 09:15:11 +0100 Subject: [PATCH 049/331] Ansible install perms pr 2.x (#1398) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. 
(#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. 
* Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. 
* Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. 
* Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. 
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. 
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
  Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. 
* Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. 
* Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." 
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. 
* Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. 
* Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming tem… * Bug fixes 2.x pr devel 2.x (#1370) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. 
* Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. 
* Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. 
* Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. 
* Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. 
* Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. 
* Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. 
* Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. 
* Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. 
(#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. 
(#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account… * Bug fixes 2.x pr devel 2.x (#1372) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI.
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account…
* Increasing swap rewriting readme (#1376)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp a… * Increasing swap rewriting readme (#1378) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp a… * Bug fixes 2.x pr devel 2.x (#1379) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI.
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account…
* Bug fixes 2.x pr devel 2.x (#1382)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account… * Bug fixes 2.x pr devel 2.x (#1384) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account…
* Bug fixes 2.x pr devel 2.x (#1386)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account… * Bug fixes 2.x pr devel 2.x (#1387) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. 
* Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. 
* Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account… * Bug fixes 2.x pr devel 2.x (#1388) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account… * Fixing swap vars 2x (#1391) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. 
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
  Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. … * Bug fixes 2.x pr devel 2.x (#1396) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
  Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account… * Allowing Packer to install Ansible. * Improving swap role docs. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> --- docs/roles/debian/swap.md | 4 +++- roles/debian/ansible/tasks/main.yml | 12 ++++++------ roles/debian/ce_provision/tasks/main.yml | 8 ++++++-- roles/debian/python_boto/tasks/main.yml | 8 ++++++-- roles/debian/swap/README.md | 4 +++- roles/debian/swap/defaults/main.yml | 2 +- 6 files changed, 25 insertions(+), 13 deletions(-) diff --git a/docs/roles/debian/swap.md b/docs/roles/debian/swap.md index ef6f5f208..03794a99c 100644 --- a/docs/roles/debian/swap.md +++ b/docs/roles/debian/swap.md @@ -1,6 +1,8 @@ # Swap General role to add swap space to servers. By default, role is set to add 4G of swap space. As a general rule of thumb, swap should be set to 2.5 times the amount of RAM. So if a server has 2G RAM, we should set swap to 5G by setting `size: "5G"` in the variables for that server. +Be sure to match the `count` variable to the `size` variable, the `count` variable will dictate the amount of swap. + 
@@ -9,7 +11,7 @@ General role to add swap space to servers. By default, role is set to add 4G of ```yaml --- swap: - count: 2048 + count: 4096 size: "4G" swap_space: swapfile diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index a34b6d0fe..b845f2567 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml @@ -40,8 +40,6 @@ state: latest virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" - become: true - become_user: "{{ ce_ansible.install_username | default(_install_username) }}" - name: Install Ansible. ansible.builtin.pip: @@ -49,8 +47,6 @@ - ansible virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" - become: true - become_user: "{{ ce_ansible.install_username | default(_install_username) }}" - name: Install linters. ansible.builtin.pip: @@ -60,8 +56,12 @@ virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" when: ce_ansible.linters.enabled - become: true - become_user: "{{ ce_ansible.install_username | default(_install_username) }}" + +- name: Ensure Ansible venv permissions. + ansible.builtin.file: + path: "{{ ce_ansible.venv_path | default(_venv_path) }}" + owner: "{{ ce_ansible.install_username | default(_install_username) }}" + group: "{{ ce_ansible.install_username | default(_install_username) }}" - name: Add the venv to $PATH using profile.d. ansible.builtin.copy: diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index 0f4edeab1..1ee53dcc7 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml 
@@ -159,8 +159,12 @@ - pyopenssl virtualenv: "{{ _venv_path }}" virtualenv_command: "{{ _venv_command }}" - become: true - become_user: "{{ ce_provision.username }}" + +- name: Ensure Ansible venv permissions. + ansible.builtin.file: + path: "{{ _venv_path }}" + owner: "{{ ce_provision.username }}" + group: "{{ ce_provision.username }}" - name: Add Python virtual environment to $PATH. ansible.builtin.copy: diff --git a/roles/debian/python_boto/tasks/main.yml b/roles/debian/python_boto/tasks/main.yml index ecafdd63c..3195336e8 100644 --- a/roles/debian/python_boto/tasks/main.yml +++ b/roles/debian/python_boto/tasks/main.yml @@ -30,5 +30,9 @@ name: "{{ _boto3_install_package }}" virtualenv: "{{ python_boto.venv_path | default(_venv_path) }}" virtualenv_command: "{{ python_boto.venv_command | default(_venv_command) }}" - become: true - become_user: "{{ python_boto.install_username | default(_install_username) }}" + +- name: Ensure Ansible venv permissions. + ansible.builtin.file: + path: "{{ python_boto.venv_path | default(_venv_path) }}" + owner: "{{ python_boto.install_username | default(_install_username) }}" + group: "{{ python_boto.install_username | default(_install_username) }}" diff --git a/roles/debian/swap/README.md b/roles/debian/swap/README.md index ef6f5f208..03794a99c 100644 --- a/roles/debian/swap/README.md +++ b/roles/debian/swap/README.md @@ -1,6 +1,8 @@ # Swap General role to add swap space to servers. By default, role is set to add 4G of swap space. As a general rule of thumb, swap should be set to 2.5 times the amount of RAM. So if a server has 2G RAM, we should set swap to 5G by setting `size: "5G"` in the variables for that server. +Be sure to match the `count` variable to the `size` variable, the `count` variable will dictate the amount of swap. + @@ -9,7 +11,7 @@ General role to add swap space to servers. By default, role is set to add 4G of ```yaml --- swap: - count: 2048 + count: 4096 size: "4G" swap_space: swapfile 
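Review bot: the sentence added to docs/roles/debian/swap.md (and its copy in roles/debian/swap/README.md) tells the reader to keep `count` in step with `size` but never says what unit `count` is in; with `count: 4096` next to `size: "4G"` the reader has to guess that it is a number of 1M blocks. State the unit ("`count` is the number of 1M blocks written, so 4G means 4096") or, better, derive `count` from `size` inside the role and drop the second variable, because two values that must agree by hand are exactly what drifted here (the old default shipped `count: 2048` beside `size: "4G"`, which this patch is correcting).

Review bot: in all three task files (roles/debian/ansible, roles/debian/ce_provision and roles/debian/python_boto) the `become`/`become_user` lines are removed from the pip tasks and replaced by a trailing `ansible.builtin.file` task that sets `owner` and `group` on the venv path, but that task has neither `recurse: true` nor `state: directory`, so only the top-level directory is re-owned; everything pip just wrote under `bin/` and `lib/` stays owned by the play's become user (root), and the install user will not be able to upgrade or add packages in that venv later. Add `recurse: true` and `state: directory` to each "Ensure Ansible venv permissions" task. The commit message should also say that pip now runs as root instead of the unprivileged install user; that is a step away from least privilege for code pulled from PyPI, so if `become_user` was dropped because of a permissions problem, describe it so the trade-off is recorded.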
diff --git a/roles/debian/swap/defaults/main.yml b/roles/debian/swap/defaults/main.yml index 1c1faf56a..6cfcc06a6 100644 --- a/roles/debian/swap/defaults/main.yml +++ b/roles/debian/swap/defaults/main.yml @@ -1,5 +1,5 @@ --- swap: - count: 2048 + count: 4096 size: "4G" swap_space: swapfile From 415956f49132498a56914db97d29f4895acbce6a Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Thu, 25 Jan 2024 13:38:31 +0100 Subject: [PATCH 050/331] Bug fixes 2.x pr 2.x (#1400) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. --- roles/debian/ansible/tasks/main.yml | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index b845f2567..f14197d28 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml 
@@ -68,17 +68,19 @@ content: "export PATH=$PATH:{{ ce_ansible.venv_path | default(_venv_path) }}/bin" dest: "/etc/profile.d/ansible-path.sh" -- name: Build systemd timer variables string. - ansible.builtin.set_fact: - _timer: "{'{{ ce_ansible.upgrade.timer_name | default(_ce_ansible_timer_name) }}': { timer_command: '{{ ce_ansible.upgrade.command }}', timer_OnCalendar: '{{ ce_ansible.upgrade.on_calendar }}' }}" +- name: Install systemd timer. + when: ce_ansible.upgrade.enabled + block: + - name: Build systemd timer variables string. + ansible.builtin.set_fact: + _timer: "{'{{ ce_ansible.upgrade.timer_name | default(_ce_ansible_timer_name) }}': { timer_command: '{{ ce_ansible.upgrade.command }}', timer_OnCalendar: '{{ ce_ansible.upgrade.on_calendar }}' }}" -- name: Turn the timer string into a dictionary. - ansible.builtin.set_fact: - _timer: "{{ _timer.splitlines()|map('from_yaml')|list }}" + - name: Turn the timer string into a dictionary. + ansible.builtin.set_fact: + _timer: "{{ _timer.splitlines()|map('from_yaml')|list }}" -- name: Create systemd timer to upgrade Ansible. - ansible.builtin.include_role: - name: contrib/systemd_timers - vars: - timers: "{{ _timer }}" - when: ce_ansible.upgrade.enabled + - name: Create systemd timer to upgrade Ansible. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: "{{ _timer }}" From 95410ecbad8620598dfa59ff3c4c5d3d2fef713c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Tue, 30 Jan 2024 15:37:21 +0100 Subject: [PATCH 051/331] updating-aws-cloudfront-distribution-to-enable-logging-2.x-branch (#1404) Co-authored-by: Matej Stajduhar --- roles/aws/aws_cloudfront_distribution/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml index b142296a0..30716ba58 100644 
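Review bot: wrapping the three timer tasks in a `block` with `when: ce_ansible.upgrade.enabled` is fine, but the string-then-`from_yaml` construction the block now contains is fragile and should go at the same time: `_timer` is assembled with single quotes around `ce_ansible.upgrade.command` and `ce_ansible.upgrade.on_calendar`, so any value containing a `'` or a `:` either breaks the YAML parse or changes its meaning, and `splitlines()|map('from_yaml')|list` yields a one-element list rather than the dictionary the task name ("Turn the timer string into a dictionary") promises. Build the structure directly in one `set_fact`, e.g. `_timer: "{{ { (ce_ansible.upgrade.timer_name | default(_ce_ansible_timer_name)): {'timer_command': ce_ansible.upgrade.command, 'timer_OnCalendar': ce_ansible.upgrade.on_calendar} } }}"`, which removes the quoting problem and the second task entirely.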
--- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml @@ -14,6 +14,7 @@ purge_origins: "{{ aws_cloudfront_distribution.purge_existing }}" purge_aliases: "{{ aws_cloudfront_distribution.purge_existing }}" purge_tags: "{{ aws_cloudfront_distribution.purge_existing }}" + logging: "{{ aws_cloudfront_distribution.logging }}" purge_cache_behaviors: "{{ aws_cloudfront_distribution.purge_existing }}" enabled: "{{ aws_cloudfront_distribution.enabled }}" register: _aws_cloudfront_distribution \ No newline at end of file From f76e8de6767a8ffa2691456476420804ba2fbfc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 31 Jan 2024 08:30:35 +0100 Subject: [PATCH 052/331] Adding default value if logging not defined 2.x (#1407) * adding-default-value-if-logging-not-defined-2.x * adding-example-for-logging --------- Co-authored-by: Matej Stajduhar --- .../defaults/main.yml | 30 +++++++++++++++++++ .../tasks/main.yml | 2 +- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/roles/aws/aws_cloudfront_distribution/defaults/main.yml b/roles/aws/aws_cloudfront_distribution/defaults/main.yml index 6a015b54b..93ee7c91d 100644 --- a/roles/aws/aws_cloudfront_distribution/defaults/main.yml +++ b/roles/aws/aws_cloudfront_distribution/defaults/main.yml 
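Review bot: `logging: "{{ aws_cloudfront_distribution.logging }}"` is added with no default and the role's defaults/main.yml does not define `aws_cloudfront_distribution.logging`, so every existing caller that has not set it now fails with an undefined-variable error on this task. Use `default(omit)` so the parameter is left out when unset; the module expects a dict here (`bucket`, `enabled`, `include_cookies`, `prefix`), so a fallback to an empty value is not an option either.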
@@ -1,4 +1,29 @@ --- +# Uncomment cf_acl to create firewall rules for Cloudfront distro +#cf_acl: +# rate_limit: 600 +# scope: "CLOUDFRONT" # Can be "REGIONAL" +# region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped +# +# ip_allow +# name: "Allowed-ips" +# list: +# - 1.1.1.1/32 +# - 2.2.2.2/32 +# - 3.3.3.3/32 +# +# ip_block: +# name: "Blocked-ips" +# list: +# - 4.4.4.4/32 +# - 5.5.5.5/32 +# - 6.6.6.6/32 +# +# cc_block_list: +# - BY # Belarus +# - CN # China +# - IR # Iran +# - SA # Saudi Arabia aws_cloudfront_distribution: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" @@ -61,3 +86,8 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. +# logging: +# bucket: "" # URL of S3 bucket to store logs +# enabled: false # Set true to allow logging +# include_cookies: false # Set true to add cookies in logs +# prefix: "" # Prefix for S3 object names \ No newline at end of file diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml index 30716ba58..4e416f5a8 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml @@ -14,7 +14,7 @@ purge_origins: "{{ aws_cloudfront_distribution.purge_existing }}" purge_aliases: "{{ aws_cloudfront_distribution.purge_existing }}" purge_tags: "{{ aws_cloudfront_distribution.purge_existing }}" - logging: "{{ aws_cloudfront_distribution.logging }}" + logging: "{{ aws_cloudfront_distribution.logging | default('') }}" purge_cache_behaviors: "{{ aws_cloudfront_distribution.purge_existing }}" enabled: "{{ aws_cloudfront_distribution.enabled }}" register: _aws_cloudfront_distribution \ No newline at end of file 
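Review bot: in the defaults hunk the commented `cf_acl` example has `# ip_allow` with no trailing colon, so anyone who uncomments the block as instructed gets a YAML error; add the colon. The `logging` example describes `bucket` as the "URL of S3 bucket", but CloudFront wants the bucket's domain name (for example `example-logs.s3.amazonaws.com`), not a URL. Since CloudFront access logs contain client IPs and full request URIs, the comment should also say the log bucket must have public access blocked.

Review bot: `logging: "{{ aws_cloudfront_distribution.logging | default('') }}"` replaces an undefined-variable failure with an empty string passed to a parameter the module treats as a dict, which will either fail argument validation or send an invalid logging configuration; use `default(omit)` so the parameter is dropped when the caller has not set it.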
From d9c72c570848328bdc63681d6f79a637f5b3df97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 31 Jan 2024 13:14:15 +0100 Subject: [PATCH 053/331] Cleaner-pipeline-output-2.x (#1412) Co-authored-by: Matej Stajduhar --- roles/debian/ce_deploy/ansible.cfg | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/debian/ce_deploy/ansible.cfg b/roles/debian/ce_deploy/ansible.cfg index 8d9257915..d1191e163 100644 --- a/roles/debian/ce_deploy/ansible.cfg +++ b/roles/debian/ce_deploy/ansible.cfg @@ -72,7 +72,8 @@ roles_path = roles host_key_checking = False # change the default callback, you can only have one 'stdout' type enabled at a time. -#stdout_callback = skippy +stdout_callback = yaml +stderr_callback = yaml ## Ansible ships with some plugins that require whitelisting, @@ -419,8 +420,8 @@ pipelining = True # only be disabled if your sftp version has problems with batch mode #sftp_batch_mode = False -# The -tt argument is passed to ssh when pipelining is not enabled because sudo -# requires a tty by default. +# The -tt argument is passed to ssh when pipelining is not enabled because sudo +# requires a tty by default. #use_tty = True # Number of times to retry an SSH connection to a host, in case of UNREACHABLE. From 1497adc0bb7cd59d09210bcebb65f84beedaa4b1 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 1 Feb 2024 14:39:38 +0100 Subject: [PATCH 054/331] Updating-extra-packages-2x (#1414) --- .../debian/apt_extra_packages/tasks/main.yml | 33 +++++++++++++++++-- .../apt_extra_packages/tasks/wget_install.yml | 23 +++++++++++++ 2 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 roles/debian/apt_extra_packages/tasks/wget_install.yml diff --git a/roles/debian/apt_extra_packages/tasks/main.yml b/roles/debian/apt_extra_packages/tasks/main.yml index af97e7ea1..2cdaf6f83 100644 
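Review bot: `stdout_callback = yaml` is fine, but I cannot find a `stderr_callback` setting in Ansible's configuration reference; unknown keys in ansible.cfg are silently ignored, so that line does nothing. Check with `ansible-config dump --only-changed` from the ce_deploy directory and drop it if it is not reported. While in this hunk, the unchanged `host_key_checking = False` two lines above sits in the deploy node's ansible.cfg, which makes every deploy SSH session accept any host key; that deserves a follow-up ticket to pin known_hosts for the managed hosts.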
--- a/roles/debian/apt_extra_packages/tasks/main.yml +++ b/roles/debian/apt_extra_packages/tasks/main.yml @@ -1,7 +1,34 @@ --- -- name: Install additional extra packages. +- name: Define empty wget list + ansible.builtin.set_fact: + wget_list: [] + +- name: Define empty apt list + ansible.builtin.set_fact: + apt_list: [] + +- name: Add URLs to wget list + ansible.builtin.set_fact: + wget_list: "{{ wget_list + [item] }}" + loop: "{{ apt_extra_packages }}" + when: "item is regex('^https?://')" + +- name: Add URLs to apt list + ansible.builtin.set_fact: + apt_list: "{{ apt_list + [item] }}" + when: "item is not regex('^https?://')" + loop: "{{ apt_extra_packages }}" + +- name: Install additional apt extra packages. ansible.builtin.apt: - pkg: "{{ apt_extra_packages | list }}" + pkg: "{{ apt_list | list }}" state: present update_cache: true - when: apt_extra_packages | length + when: apt_list | length > 0 + +- name: Install additional wget extra packages. + ansible.builtin.include_tasks: "wget_install.yml" + when: wget_list | length > 0 + loop: "{{ wget_list }}" + loop_control: + loop_var: wget_item \ No newline at end of file diff --git a/roles/debian/apt_extra_packages/tasks/wget_install.yml b/roles/debian/apt_extra_packages/tasks/wget_install.yml new file mode 100644 index 000000000..0c1d31c64 --- /dev/null +++ b/roles/debian/apt_extra_packages/tasks/wget_install.yml 
@@ -0,0 +1,23 @@ +--- +- name: Check if download folder exists + ansible.builtin.file: + path: /home/{{ user_deploy.username }}/apt_exta + state: directory + mode: '0755' + owner: "{{ user_deploy.username }}" + group: "{{ user_deploy.username }}" + +- name: Get package name + ansible.builtin.set_fact: + package_name: "{{ wget_item.split('/')[-1] }}" + +- name: Download package + ansible.builtin.get_url: + url: "{{ wget_item }}" + dest: "/home/{{ user_deploy.username }}/apt_exta/{{ package_name }}" + owner: "{{ user_deploy.username }}" + group: "{{ user_deploy.username }}" + +- name: Instal package + ansible.builtin.apt: + deb: /home/{{ user_deploy.username }}/apt_exta/{{ package_name }} \ No newline at end of file From 13398507b600b0f52a1829499dd5f172cf43d55d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 1 Feb 2024 16:12:52 +0100 Subject: [PATCH 055/331] updating-cloudfront-role-2.x (#1418) Co-authored-by: Matej Stajduhar --- .../defaults/main.yml | 3 +- .../tasks/create_acl.yml | 115 ++++++++++++++++++ .../tasks/main.yml | 7 +- 3 files changed, 123 insertions(+), 2 deletions(-) create mode 100644 roles/aws/aws_cloudfront_distribution/tasks/create_acl.yml diff --git a/roles/aws/aws_cloudfront_distribution/defaults/main.yml b/roles/aws/aws_cloudfront_distribution/defaults/main.yml index 93ee7c91d..127152b41 100644 --- a/roles/aws/aws_cloudfront_distribution/defaults/main.yml +++ b/roles/aws/aws_cloudfront_distribution/defaults/main.yml @@ -1,7 +1,8 @@ --- # Uncomment cf_acl to create firewall rules for Cloudfront distro +#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int) #cf_acl: -# rate_limit: 600 +# acl_name: "dummy_master_acl" # scope: "CLOUDFRONT" # Can be "REGIONAL" # region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped # 
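Review bot: in main.yml the task named "Add URLs to apt list" actually collects the entries that are not URLs; rename it. The `^https?://` match lets a plain `http://` entry through, which means a .deb fetched over cleartext and installed as root with no integrity check at all; either restrict the match to `https://` or require a checksum alongside each URL (see the next file). `when: wget_list | length > 0` on a looped `include_tasks` is evaluated per item and is redundant with looping over an empty list. The file also loses its trailing newline.

Review bot: in wget_install.yml the package is downloaded into a directory owned and writable by `user_deploy.username` and then installed by root from that same path with `apt deb:`; a compromised deploy user can swap the .deb between the two tasks, and installing a local .deb bypasses apt's repository signature check entirely, so nothing verifies what goes on the box. Download to a root-owned directory (mode 0700) and pass `checksum: "sha256:..."` to `get_url`, failing the play when no checksum is configured for the URL. `package_name` from `wget_item.split('/')[-1]` also keeps any query string; `{{ wget_item | urlsplit('path') | basename }}` is safer. Typos: `apt_exta` in the path and `Instal package` in the task name, and no newline at end of file.

Review bot: in the aws_cloudfront_distribution defaults hunk the new comment on the standalone `rate_limit` reads "considrate" for "considered", and its claim that a nested value would be treated as a string applies equally to a top-level variable once it is templated with `{{ }}` (see create_acl.yml), so say what actually failed rather than why the variable was moved.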
diff --git a/roles/aws/aws_cloudfront_distribution/tasks/create_acl.yml b/roles/aws/aws_cloudfront_distribution/tasks/create_acl.yml new file mode 100644 index 000000000..7b4ec634d --- /dev/null +++ b/roles/aws/aws_cloudfront_distribution/tasks/create_acl.yml 
@@ -0,0 +1,115 @@ +- name: Define dict for rules + ansible.builtin.set_fact: + acl_rules: [] + +- name: Set IP allow rule + block: + - name: Create IP allow set for WAF + community.aws.wafv2_ip_set: + name: "{{ cf_acl.ip_allow.name }}" + state: present + description: Set of allowed IPs + scope: "{{ cf_acl.scope }}" + region: "{{ cf_acl.region }}" + ip_address_version: IPV4 + addresses: "{{ cf_acl.ip_allow.list }}" + register: ip_set_info + + - name: Create IP allow rule + ansible.builtin.set_fact: + ip_allow_rule: + - name: allow_ips + priority: 0 + action: + allow: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: Allow_IPs + statement: + ip_set_reference_statement: + arn: "{{ ip_set_info.arn }}" + + - name: Add rule to list + ansible.builtin.set_fact: + acl_rules: "{{ acl_rules + ip_allow_rule }}" + when: cf_acl.ip_allow is defined + +- name: Set IP block rule + block: + - name: Create IP block set for WAF + community.aws.wafv2_ip_set: + name: "{{ cf_acl.ip_block.name }}" + state: present + description: Set of blocked IPs + scope: "{{ cf_acl.scope }}" + region: "{{ cf_acl.region }}" + ip_address_version: IPV4 + addresses: "{{ cf_acl.ip_block.list }}" + register: ip_set_info + + - name: Create IP block rule + ansible.builtin.set_fact: + ip_block_rule: + - name: block_countries + priority: 1 + action: + block: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: block_countries + statement: + geo_match_statement: # Can't find the actual name, I got this from aws rule JSON formated + country_codes: "{{ cf_acl.cc_block_list }}" + + - name: Add rule to list + ansible.builtin.set_fact: + acl_rules: "{{ acl_rules + ip_block_rule}}" + when: cf_acl.ip_block is defined + +# Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int) +- name: Set rate limit variable + block: + - name: Define r_limit to avoid issues + 
ansible.builtin.set_fact: + r_limit: "{{ rate_limit | int }}" + + - name: Define rate rule + ansible.builtin.set_fact: + rate_rule: + - name: rate_limit + priority: 2 + action: + block: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: rate_limit + statement: + rate_based_statement: + limit: "{{ rate_limit }}" + aggregate_key_type: IP + + - name: Add rule to list + ansible.builtin.set_fact: + acl_rules: "{{ acl_rules + rate_rule}}" + when: rate_limit is defined + +- name: Create web acl + community.aws.wafv2_web_acl: + name: "{{ cf_acl.acl_name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ + description: "WAF protecting the {{ _domain_name }}" + scope: "{{ cf_acl.scope }}" + region: "{{ cf_acl.region }}" + default_action: Allow # or "Block" + sampled_requests: false + cloudwatch_metrics: true # or "false" to disable metrics + metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name) + rules: "{{ acl_rules }}" + purge_rules: true +# tags: +# A: B +# C: D + state: present + register: created_acl \ No newline at end of file diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml index 4e416f5a8..4e03c4069 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Create web acl if defined + ansible.builtin.include_tasks: create_acl.yml + when: cf_acl is defined + - name: Create a CloudFront distribution. community.aws.cloudfront_distribution: profile: "{{ aws_cloudfront_distribution.aws_profile }}" 
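Review bot: in create_acl.yml the "Set IP block rule" block creates a WAF IP set from `cf_acl.ip_block.list`, but the rule it appends is `block_countries` with a `geo_match_statement` over `cf_acl.cc_block_list`; `ip_set_info.arn` from that set is never referenced, so the IPs the caller listed as blocked are never blocked, and when `ip_block` is defined without `cc_block_list` the task fails. Split this into two rules: a block rule with `ip_set_reference_statement` pointing at the IP set, and a separate geo rule gated on `cf_acl.cc_block_list is defined`. The `r_limit` fact in the rate-limit block is defined and then never used (`limit:` still reads `rate_limit`), so the workaround the comment describes is not actually applied; use one or the other. Both `wafv2_ip_set` tasks register into the same `ip_set_info`, which is harmless today but will bite as soon as the second ARN is needed. `metric_name: test-metric-name` and the "not sure about this name" comment are shipped in the task; derive the metric name from `cf_acl.acl_name`. Finally, the allow rule at priority 0 means allow-listed IPs skip both the country block and the rate limit, which is probably intended but should be stated in the defaults comment. No newline at end of file.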
@@ -7,6 +11,7 @@ state: "{{ aws_cloudfront_distribution.state }}" aliases: "{{ aws_cloudfront_distribution.aliases }}" origins: "{{ aws_cloudfront_distribution.origins }}" + web_acl_id: "{{ created_acl.arn | default(omit) }}" default_cache_behavior: "{{ aws_cloudfront_distribution.default_cache_behavior }}" cache_behaviors: "{{ aws_cloudfront_distribution.cache_behaviors }}" validate_certs: "{{ aws_cloudfront_distribution.validate_certs }}" @@ -14,7 +19,7 @@ purge_origins: "{{ aws_cloudfront_distribution.purge_existing }}" purge_aliases: "{{ aws_cloudfront_distribution.purge_existing }}" purge_tags: "{{ aws_cloudfront_distribution.purge_existing }}" - logging: "{{ aws_cloudfront_distribution.logging | default('') }}" + logging: "{{ aws_cloudfront_distribution.logging | default(omit) }}" purge_cache_behaviors: "{{ aws_cloudfront_distribution.purge_existing }}" enabled: "{{ aws_cloudfront_distribution.enabled }}" register: _aws_cloudfront_distribution \ No newline at end of file From e88a1535f6e6e413268f438e6c94914650ba7fa5 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Tue, 6 Feb 2024 16:03:18 +0000 Subject: [PATCH 056/331] r68152-secure-symfony-app-for-prod 2.x (#1429) --- roles/debian/nginx/templates/symfony3_prod.j2 | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 roles/debian/nginx/templates/symfony3_prod.j2 diff --git a/roles/debian/nginx/templates/symfony3_prod.j2 b/roles/debian/nginx/templates/symfony3_prod.j2 new file mode 100644 index 000000000..acf6f1fec --- /dev/null +++ b/roles/debian/nginx/templates/symfony3_prod.j2 
@@ -0,0 +1,21 @@ +location / { + try_files $uri /app_{{ symfony_env }}.php$is_args$args; +} + +# Prod only +location ~ ^/(app_dev|config)\.php(/|$) { + fastcgi_pass {{ nginx.php_fastcgi_backend }}; + fastcgi_split_path_info ^(.+\.php)(/.*)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + fastcgi_param DOCUMENT_ROOT $realpath_root; + internal; +} + +location ~ \.php(/|$) { + fastcgi_pass {{ nginx.php_fastcgi_backend }}; + fastcgi_split_path_info ^(.+\.php)(/.*)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + fastcgi_param DOCUMENT_ROOT $realpath_root; +} From 6b609f7c07f4e3604b065cef4839798cce47d347 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Tue, 6 Feb 2024 16:14:30 +0000 Subject: [PATCH 057/331] r68152-put-new-prod-symfony-template 2.x (#1433) --- roles/debian/nginx/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 08c44b097..23f8d1e4c 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -64,6 +64,7 @@ - proxy - simplesamlphp - symfony3 + - symfony3_prod - symfony4 - wordpress From 8080fbb57ba2b195bd6ec98541190ba4ff71dd41 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Mon, 19 Feb 2024 14:40:51 +0100 Subject: [PATCH 058/331] Adding-wazuh-role-2x (#1441) --- roles/debian/wazuh/defaults/main.yml | 2 ++ roles/debian/wazuh/tasks/main.yml | 40 +++++++++++++++++++++------- 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml index 32270581f..aa3a0b0c6 100644 --- a/roles/debian/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml 
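Review bot: In symfony3_prod.j2 the `internal;` location for `app_dev.php`/`config.php` only stops direct requests; because `try_files` falls back to `/app_{{ symfony_env }}.php`, a host where `symfony_env` is anything other than `prod` would be internally redirected into that location and still execute the dev front controller through FastCGI, since `internal` permits internal redirects. As this is the prod-only template, hard-code the production front controller in `try_files` instead of deriving it from `symfony_env`, and replace the unreachable fastcgi directives in the blocked location with a plain `return 404;` so the intent is explicit.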
@@ -1,5 +1,7 @@ --- wazuh: + #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible + branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version! # Agent variables, installed locally by default # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/ansible-wazuh-agent/defaults/main.yml agent: diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index aebe36f2e..2c3799c52 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml @@ -1,8 +1,25 @@ --- -# Assumes you have run the ce_provision role on your controller and it has already installed the Wazuh roles. +# Assumes you have run the ce_provision role on your controller and it has already installed the Wazuh roles +- name: Set the Wazuh version branch for the playbooks and roles. + ansible.builtin.git: + repo: https://github.com/wazuh/wazuh-ansible.git + dest: "{{ wazuh.roles_directory | default('/home/' + user_provision.username + '/.ansible/roles/wazuh-ansible') }}" + version: "{{ wazuh.branch }}" + become: true + become_user: "{{ user_provision.username }}" + delegate_to: localhost + +- name: Import elastic-stack. + ansible.builtin.import_role: + name: wazuh-ansible/roles/elastic-stack/ansible-kibana + +- name: Import opendistro. + ansible.builtin.import_role: + name: wazuh-ansible/roles/opendistro/opendistro-kibana + - name: Generate certificates. ansible.builtin.import_role: - name: contrib/wazuh/wazuh-indexer + name: wazuh-ansible/roles/wazuh/wazuh-indexer delegate_to: localhost vars: indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}" @@ -13,7 +30,7 @@ - name: Install Wazuh indexer. ansible.builtin.import_role: - name: contrib/wazuh/wazuh-indexer + name: wazuh-ansible/roles/wazuh/wazuh-indexer vars: single_node: "{{ wazuh.indexer.single_node }}" domain_name: "{{ wazuh.indexer.domain_name }}" 
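Review bot: In wazuh/tasks/main.yml the new `ansible.builtin.git` task cannot provide the roles that the `import_role` tasks below it reference: `import_role` is resolved when the play is parsed, before any task runs, so on a controller that does not already have `wazuh-ansible` checked out the play fails at parse time, and `delegate_to: localhost` with `become_user: "{{ user_provision.username }}"` only works if that user exists on the controller. The header comment already says ce_provision installs these roles, so either leave the checkout to ce_provision's `contrib_roles` or switch to `include_role`. Also, `Import elastic-stack` and `Import opendistro` are imported with no `when:` and no vars, unlike every other role here, so their tasks run on every host this role is applied to; confirm that is intended.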
@@ -41,7 +58,7 @@ - name: Install Wazuh Manager. ansible.builtin.import_role: - name: contrib/wazuh/ansible-wazuh-manager + name: wazuh-ansible/roles/wazuh/ansible-wazuh-manager vars: wazuh_manager_mailto: "{{ wazuh.manager.wazuh_manager_mailto }}" wazuh_manager_email_smtp_server: "{{ wazuh.manager.wazuh_manager_email_smtp_server }}" @@ -54,24 +71,25 @@ wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" wazuh_manager_api: "{{ wazuh.manager.wazuh_manager_api }}" + agent_groups: "{{ wazuh.manager.agent_groups }}" when: wazuh.manager.install - name: Install Filebeat. ansible.builtin.import_role: - name: contrib/wazuh/ansible-filebeat-oss + name: wazuh-ansible/roles/wazuh/ansible-filebeat-oss vars: filebeat_version: "{{ wazuh.filebeat.filebeat_version }}" filebeat_node_name: "{{ wazuh.filebeat.filebeat_node_name }}" filebeat_output_indexer_hosts: "{{ wazuh.filebeat.filebeat_output_indexer_hosts }}" filebeat_module_package_url: "{{ wazuh.filebeat.filebeat_module_package_url }}" filebeat_module_package_name: "{{ wazuh.filebeat.filebeat_module_package_name }}" - indexer_security_user: "{{ wazuh.indexer.indexer_custom_user | default('admin') }}" + indexer_security_user: "{{ wazuh.filebeat.indexer_security_user | default('admin') }}" indexer_security_password: "{{ wazuh.indexer.indexer_admin_password }}" when: wazuh.filebeat.install - name: Install Wazuh dashboard. ansible.builtin.import_role: - name: contrib/wazuh/wazuh-dashboard + name: wazuh-ansible/roles/wazuh/wazuh-dashboard vars: dashboard_node_name: "{{ wazuh.dashboard.dashboard_node_name }}" dashboard_server_host: "{{ wazuh.dashboard.dashboard_server_host }}" 
@@ -81,6 +99,7 @@ dashboard_security: "{{ wazuh.dashboard.dashboard_security }}" dashboard_user: "{{ wazuh.dashboard.dashboard_user }}" dashboard_password: "{{ wazuh.dashboard.dashboard_password }}" + indexer_admin_password: "{{ wazuh.indexer.indexer_admin_password }}" indexer_http_port: "{{ wazuh.indexer.indexer_http_port }}" indexer_api_protocol: "{{ wazuh.indexer.indexer_api_protocol }}" ansible_shell_allow_world_readable_temp: true @@ -88,7 +107,7 @@ - name: Install Wazuh agent. ansible.builtin.import_role: - name: contrib/wazuh/ansible-wazuh-agent + name: wazuh-ansible/roles/wazuh/ansible-wazuh-agent vars: wazuh_managers: "{{ wazuh.agent.managers }}" wazuh_agent_enrollment: @@ -97,5 +116,8 @@ groups: "{{ wazuh.agent.wazuh_agent_enrollment.groups }}" agent_address: "{{ wazuh.agent.wazuh_agent_enrollment.agent_address }}" ssl_ciphers: "{{ wazuh.agent.wazuh_agent_enrollment.ssl_ciphers }}" + wazuh_custom_packages_installation_agent_enabled: false ansible_shell_allow_world_readable_temp: true - when: wazuh.agent.install \ No newline at end of file + wazuh_agent_sources_installation: + enabled: true + when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled \ No newline at end of file From 5956f806cc9a71e19a50e67c899068d4a1f71039 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 20 Feb 2024 11:20:23 +0100 Subject: [PATCH 059/331] Fixing-wazuh (#1445) --- roles/debian/ce_provision/defaults/main.yml | 2 +- roles/debian/wazuh/tasks/main.yml | 8 -------- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index 8f8d508cf..1f3116ba3 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml 
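Review bot: In the `Install Wazuh agent` hunk the condition `when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled` can never be true: the task's own `vars:` set `wazuh_agent_sources_installation.enabled: true`, and task vars are in scope when `when:` is evaluated, so the agent role is skipped on every host regardless of `wazuh.agent.install`. Decide whether the source build is wanted (then drop the `not ...` clause) or not (then set `enabled: false`, which also agrees with `wazuh_custom_packages_installation_agent_enabled: false`). Separately, `ansible_shell_allow_world_readable_temp: true` on the dashboard and agent tasks makes Ansible's remote temp files world-readable when it switches to an unprivileged user; that setting exists as a workaround for a missing `acl` package on the target, and installing `acl` there is the safer fix.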
@@ -29,7 +29,7 @@ ce_provision: contrib_roles: - directory: wazuh repo: https://github.com/wazuh/wazuh-ansible.git - branch: stable + branch: "v4.7.2" - directory: systemd_timers repo: https://github.com/vlcty/ansible-systemd-timers.git branch: master diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index 2c3799c52..f5b1d774d 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml @@ -1,13 +1,5 @@ --- # Assumes you have run the ce_provision role on your controller and it has already installed the Wazuh roles -- name: Set the Wazuh version branch for the playbooks and roles. - ansible.builtin.git: - repo: https://github.com/wazuh/wazuh-ansible.git - dest: "{{ wazuh.roles_directory | default('/home/' + user_provision.username + '/.ansible/roles/wazuh-ansible') }}" - version: "{{ wazuh.branch }}" - become: true - become_user: "{{ user_provision.username }}" - delegate_to: localhost - name: Import elastic-stack. ansible.builtin.import_role: From 19d85f32a75ac0b7c26f86ac185f6be4f9969e36 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 20 Feb 2024 11:42:01 +0100 Subject: [PATCH 060/331] Fixing wazuh pr 2.x (#1447) * Fixing-wazuh * Fixing-wazuh --- roles/debian/wazuh/tasks/install.yml | 112 ++++++++++++++++++++++++ roles/debian/wazuh/tasks/main.yml | 125 +++------------------------ 2 files changed, 124 insertions(+), 113 deletions(-) create mode 100644 roles/debian/wazuh/tasks/install.yml diff --git a/roles/debian/wazuh/tasks/install.yml b/roles/debian/wazuh/tasks/install.yml new file mode 100644 index 000000000..6f9ec930e --- /dev/null +++ b/roles/debian/wazuh/tasks/install.yml 
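Review bot: Removing the git checkout from wazuh/tasks/main.yml leaves `wazuh.branch` and the commented `roles_directory` added to defaults/main.yml in the previous commit as dead configuration, while the imports below still use `wazuh-ansible/roles/...` even though ce_provision's `contrib_roles` entry checks this repository out under `directory: wazuh`. Pinning `branch: "v4.7.2"` in ce_provision is the right place for the version, so either drop `wazuh.branch` or derive it from that entry, and re-check the import paths against where ce_provision actually places the roles.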
@@ -0,0 +1,112 @@ +- name: Import elastic-stack. + ansible.builtin.import_role: + name: "contrib/{{ wazuh_path }}/roles/elastic-stack/ansible-kibana" + +- name: Import opendistro. + ansible.builtin.import_role: + name: "contrib/{{ wazuh_path }}/roles/opendistro/opendistro-kibana" + +- name: Generate certificates. + ansible.builtin.import_role: + name: wazuh-ansible/roles/wazuh/wazuh-indexer + delegate_to: localhost + vars: + indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}" + instances: "{{ wazuh.indexer.indexer_primary }}" + perform_installation: false + tags: + - generate-certs + +- name: Install Wazuh indexer. + ansible.builtin.import_role: + name: wazuh-ansible/roles/wazuh/wazuh-indexer + vars: + single_node: "{{ wazuh.indexer.single_node }}" + domain_name: "{{ wazuh.indexer.domain_name }}" + indexer_cluster_name: "{{ wazuh.indexer.indexer_cluster_name }}" + indexer_node_name: "{{ wazuh.indexer.indexer_node_name }}" + minimum_master_nodes: "{{ wazuh.indexer.minimum_master_nodes }}" + indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}" + indexer_node_data: "{{ wazuh.indexer.indexer_node_data }}" + indexer_node_ingest: "{{ wazuh.indexer.indexer_node_ingest }}" + indexer_start_timeout: "{{ wazuh.indexer.indexer_start_timeout }}" + indexer_network_host: "{{ wazuh.indexer.indexer_network_host }}" + indexer_cluster_nodes: "{{ wazuh.indexer.indexer_cluster_nodes }}" + indexer_discovery_nodes: "{{ wazuh.indexer.indexer_discovery_nodes }}" + indexer_http_port: "{{ wazuh.indexer.indexer_http_port }}" + indexer_api_protocol: "{{ wazuh.indexer.indexer_api_protocol }}" + indexer_custom_user: "{{ wazuh.indexer.indexer_custom_user }}" + indexer_custom_user_role: "{{ wazuh.indexer.indexer_custom_user_role }}" + indexer_admin_password: "{{ wazuh.indexer.indexer_admin_password }}" + dashboard_password: "{{ wazuh.dashboard.dashboard_password }}" + instances: "{{ wazuh.indexer.indexer_instances }}" + perform_installation: true + tags: + - install + when: 
wazuh.indexer.install + +- name: Install Wazuh Manager. + ansible.builtin.import_role: + name: wazuh-ansible/roles/wazuh/ansible-wazuh-manager + vars: + wazuh_manager_mailto: "{{ wazuh.manager.wazuh_manager_mailto }}" + wazuh_manager_email_smtp_server: "{{ wazuh.manager.wazuh_manager_email_smtp_server }}" + wazuh_manager_email_from: "{{ wazuh.manager.wazuh_manager_email_from }}" + wazuh_manager_email_maxperhour: "{{ wazuh.manager.wazuh_manager_email_maxperhour }}" + wazuh_manager_email_queue_size: "{{ wazuh.manager.wazuh_manager_email_queue_size }}" + wazuh_manager_email_log_source: "{{ wazuh.manager.wazuh_manager_email_log_source }}" + wazuh_manager_log_level: "{{ wazuh.manager.wazuh_manager_log_level }}" + wazuh_manager_email_level: "{{ wazuh.manager.wazuh_manager_email_level }}" + wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" + wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" + wazuh_manager_api: "{{ wazuh.manager.wazuh_manager_api }}" + agent_groups: "{{ wazuh.manager.agent_groups }}" + when: wazuh.manager.install + +- name: Install Filebeat. + ansible.builtin.import_role: + name: wazuh-ansible/roles/wazuh/ansible-filebeat-oss + vars: + filebeat_version: "{{ wazuh.filebeat.filebeat_version }}" + filebeat_node_name: "{{ wazuh.filebeat.filebeat_node_name }}" + filebeat_output_indexer_hosts: "{{ wazuh.filebeat.filebeat_output_indexer_hosts }}" + filebeat_module_package_url: "{{ wazuh.filebeat.filebeat_module_package_url }}" + filebeat_module_package_name: "{{ wazuh.filebeat.filebeat_module_package_name }}" + indexer_security_user: "{{ wazuh.filebeat.indexer_security_user | default('admin') }}" + indexer_security_password: "{{ wazuh.indexer.indexer_admin_password }}" + when: wazuh.filebeat.install + +- name: Install Wazuh dashboard. 
+ ansible.builtin.import_role: + name: wazuh-ansible/roles/wazuh/wazuh-dashboard + vars: + dashboard_node_name: "{{ wazuh.dashboard.dashboard_node_name }}" + dashboard_server_host: "{{ wazuh.dashboard.dashboard_server_host }}" + dashboard_server_port: "{{ wazuh.dashboard.dashboard_server_port }}" + dashboard_server_name: "{{ wazuh.dashboard.dashboard_server_name }}" + wazuh_api_credentials: "{{ wazuh.dashboard.wazuh_api_credentials }}" + dashboard_security: "{{ wazuh.dashboard.dashboard_security }}" + dashboard_user: "{{ wazuh.dashboard.dashboard_user }}" + dashboard_password: "{{ wazuh.dashboard.dashboard_password }}" + indexer_admin_password: "{{ wazuh.indexer.indexer_admin_password }}" + indexer_http_port: "{{ wazuh.indexer.indexer_http_port }}" + indexer_api_protocol: "{{ wazuh.indexer.indexer_api_protocol }}" + ansible_shell_allow_world_readable_temp: true + when: wazuh.dashboard.install + +- name: Install Wazuh agent. + ansible.builtin.import_role: + name: wazuh-ansible/roles/wazuh/ansible-wazuh-agent + vars: + wazuh_managers: "{{ wazuh.agent.managers }}" + wazuh_agent_enrollment: + enabled: "{{ wazuh.agent.wazuh_agent_enrollment.enabled }}" + agent_name: "{{ wazuh.agent.wazuh_agent_enrollment.agent_name }}" + groups: "{{ wazuh.agent.wazuh_agent_enrollment.groups }}" + agent_address: "{{ wazuh.agent.wazuh_agent_enrollment.agent_address }}" + ssl_ciphers: "{{ wazuh.agent.wazuh_agent_enrollment.ssl_ciphers }}" + wazuh_custom_packages_installation_agent_enabled: false + ansible_shell_allow_world_readable_temp: true + wazuh_agent_sources_installation: + enabled: true + when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled \ No newline at end of file diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index f5b1d774d..8ac70a976 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml 
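Review bot: In the new install.yml only the two Kibana imports use `contrib/{{ wazuh_path }}/roles/...`; the indexer, manager, filebeat, dashboard and agent imports still use `wazuh-ansible/roles/wazuh/...`, so the file mixes two role locations and at most one of them can resolve on a given controller. Use one prefix for all seven imports. The agent task also carries over `when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled` together with `enabled: true` in the same task's `vars:`, so it is still always skipped.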
@@ -1,115 +1,14 @@ --- # Assumes you have run the ce_provision role on your controller and it has already installed the Wazuh roles - -- name: Import elastic-stack. - ansible.builtin.import_role: - name: wazuh-ansible/roles/elastic-stack/ansible-kibana - -- name: Import opendistro. - ansible.builtin.import_role: - name: wazuh-ansible/roles/opendistro/opendistro-kibana - -- name: Generate certificates. - ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/wazuh-indexer - delegate_to: localhost - vars: - indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}" - instances: "{{ wazuh.indexer.indexer_primary }}" - perform_installation: false - tags: - - generate-certs - -- name: Install Wazuh indexer. - ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/wazuh-indexer - vars: - single_node: "{{ wazuh.indexer.single_node }}" - domain_name: "{{ wazuh.indexer.domain_name }}" - indexer_cluster_name: "{{ wazuh.indexer.indexer_cluster_name }}" - indexer_node_name: "{{ wazuh.indexer.indexer_node_name }}" - minimum_master_nodes: "{{ wazuh.indexer.minimum_master_nodes }}" - indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}" - indexer_node_data: "{{ wazuh.indexer.indexer_node_data }}" - indexer_node_ingest: "{{ wazuh.indexer.indexer_node_ingest }}" - indexer_start_timeout: "{{ wazuh.indexer.indexer_start_timeout }}" - indexer_network_host: "{{ wazuh.indexer.indexer_network_host }}" - indexer_cluster_nodes: "{{ wazuh.indexer.indexer_cluster_nodes }}" - indexer_discovery_nodes: "{{ wazuh.indexer.indexer_discovery_nodes }}" - indexer_http_port: "{{ wazuh.indexer.indexer_http_port }}" - indexer_api_protocol: "{{ wazuh.indexer.indexer_api_protocol }}" - indexer_custom_user: "{{ wazuh.indexer.indexer_custom_user }}" - indexer_custom_user_role: "{{ wazuh.indexer.indexer_custom_user_role }}" - indexer_admin_password: "{{ wazuh.indexer.indexer_admin_password }}" - dashboard_password: "{{ wazuh.dashboard.dashboard_password }}" - instances: "{{ 
wazuh.indexer.indexer_instances }}" - perform_installation: true - tags: - - install - when: wazuh.indexer.install - -- name: Install Wazuh Manager. - ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/ansible-wazuh-manager - vars: - wazuh_manager_mailto: "{{ wazuh.manager.wazuh_manager_mailto }}" - wazuh_manager_email_smtp_server: "{{ wazuh.manager.wazuh_manager_email_smtp_server }}" - wazuh_manager_email_from: "{{ wazuh.manager.wazuh_manager_email_from }}" - wazuh_manager_email_maxperhour: "{{ wazuh.manager.wazuh_manager_email_maxperhour }}" - wazuh_manager_email_queue_size: "{{ wazuh.manager.wazuh_manager_email_queue_size }}" - wazuh_manager_email_log_source: "{{ wazuh.manager.wazuh_manager_email_log_source }}" - wazuh_manager_log_level: "{{ wazuh.manager.wazuh_manager_log_level }}" - wazuh_manager_email_level: "{{ wazuh.manager.wazuh_manager_email_level }}" - wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" - wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" - wazuh_manager_api: "{{ wazuh.manager.wazuh_manager_api }}" - agent_groups: "{{ wazuh.manager.agent_groups }}" - when: wazuh.manager.install - -- name: Install Filebeat. - ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/ansible-filebeat-oss - vars: - filebeat_version: "{{ wazuh.filebeat.filebeat_version }}" - filebeat_node_name: "{{ wazuh.filebeat.filebeat_node_name }}" - filebeat_output_indexer_hosts: "{{ wazuh.filebeat.filebeat_output_indexer_hosts }}" - filebeat_module_package_url: "{{ wazuh.filebeat.filebeat_module_package_url }}" - filebeat_module_package_name: "{{ wazuh.filebeat.filebeat_module_package_name }}" - indexer_security_user: "{{ wazuh.filebeat.indexer_security_user | default('admin') }}" - indexer_security_password: "{{ wazuh.indexer.indexer_admin_password }}" - when: wazuh.filebeat.install - -- name: Install Wazuh dashboard. 
- ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/wazuh-dashboard - vars: - dashboard_node_name: "{{ wazuh.dashboard.dashboard_node_name }}" - dashboard_server_host: "{{ wazuh.dashboard.dashboard_server_host }}" - dashboard_server_port: "{{ wazuh.dashboard.dashboard_server_port }}" - dashboard_server_name: "{{ wazuh.dashboard.dashboard_server_name }}" - wazuh_api_credentials: "{{ wazuh.dashboard.wazuh_api_credentials }}" - dashboard_security: "{{ wazuh.dashboard.dashboard_security }}" - dashboard_user: "{{ wazuh.dashboard.dashboard_user }}" - dashboard_password: "{{ wazuh.dashboard.dashboard_password }}" - indexer_admin_password: "{{ wazuh.indexer.indexer_admin_password }}" - indexer_http_port: "{{ wazuh.indexer.indexer_http_port }}" - indexer_api_protocol: "{{ wazuh.indexer.indexer_api_protocol }}" - ansible_shell_allow_world_readable_temp: true - when: wazuh.dashboard.install - -- name: Install Wazuh agent. - ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/ansible-wazuh-agent - vars: - wazuh_managers: "{{ wazuh.agent.managers }}" - wazuh_agent_enrollment: - enabled: "{{ wazuh.agent.wazuh_agent_enrollment.enabled }}" - agent_name: "{{ wazuh.agent.wazuh_agent_enrollment.agent_name }}" - groups: "{{ wazuh.agent.wazuh_agent_enrollment.groups }}" - agent_address: "{{ wazuh.agent.wazuh_agent_enrollment.agent_address }}" - ssl_ciphers: "{{ wazuh.agent.wazuh_agent_enrollment.ssl_ciphers }}" - wazuh_custom_packages_installation_agent_enabled: false - ansible_shell_allow_world_readable_temp: true - wazuh_agent_sources_installation: - enabled: true - when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled \ No newline at end of file +- name: Select items with URL https://github.com/wazuh/wazuh-ansible.git + set_fact: + wazuh_items: "{{ ce_provision.contrib_roles | selectattr('repo', 'equalto', 'https://github.com/wazuh/wazuh-ansible.git') | list }}" + +- name: Set wazuh path + set_fact: + wazuh_path: "{{ wazuh_items.directory 
}}" + when: wazuh_items | length > 0 + +- name: Include task to install based on selected items + include_tasks: install.yml + when: wazuh_items | length > 0 \ No newline at end of file From 86004d99d3b89d626a69a0da9b0fa8dfcab2f27d Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 20 Feb 2024 14:13:01 +0100 Subject: [PATCH 061/331] Fixing wazuh pr 2.x (#1449) * Fixing-wazuh * Fixing-wazuh * Adding-ansible-builtin-modules * Adding-debug * Fixing-vars --- roles/debian/wazuh/tasks/install.yml | 4 ++-- roles/debian/wazuh/tasks/main.yml | 20 ++++++++++++-------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/roles/debian/wazuh/tasks/install.yml b/roles/debian/wazuh/tasks/install.yml index 6f9ec930e..5d76e3bf5 100644 --- a/roles/debian/wazuh/tasks/install.yml +++ b/roles/debian/wazuh/tasks/install.yml @@ -1,10 +1,10 @@ - name: Import elastic-stack. ansible.builtin.import_role: - name: "contrib/{{ wazuh_path }}/roles/elastic-stack/ansible-kibana" + name: "contrib/{{ _wazuh_path }}/roles/elastic-stack/ansible-kibana" - name: Import opendistro. ansible.builtin.import_role: - name: "contrib/{{ wazuh_path }}/roles/opendistro/opendistro-kibana" + name: "contrib/{{ _wazuh_path }}/roles/opendistro/opendistro-kibana" - name: Generate certificates. ansible.builtin.import_role: diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index 8ac70a976..62f54f6b6 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml 
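Review bot: `wazuh_path: "{{ wazuh_items.directory }}"` in the new main.yml cannot work: `selectattr(...) | list` yields a list, which has no `directory` attribute, so the task errors as soon as there is a match. Use `wazuh_items | map(attribute='directory') | first`, guarded by the existing `length > 0` check, and prefer the `ansible.builtin.set_fact` and `ansible.builtin.include_tasks` FQCNs used elsewhere in the role.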
@@ -1,14 +1,18 @@ --- # Assumes you have run the ce_provision role on your controller and it has already installed the Wazuh roles - name: Select items with URL https://github.com/wazuh/wazuh-ansible.git - set_fact: - wazuh_items: "{{ ce_provision.contrib_roles | selectattr('repo', 'equalto', 'https://github.com/wazuh/wazuh-ansible.git') | list }}" + ansible.builtin.set_fact: + _wazuh_items: "{{ ce_provision.contrib_roles | selectattr('repo', 'equalto', 'https://github.com/wazuh/wazuh-ansible.git') | list }}" -- name: Set wazuh path - set_fact: - wazuh_path: "{{ wazuh_items.directory }}" - when: wazuh_items | length > 0 +- name: Debug print _wazuh_items + ansible.builtin.debug: + msg: "{{ _wazuh_items }}" + +- name: Set wazuh path based on matching repo + ansible.builtin.set_fact: + _wazuh_path: "{{ _wazuh_items | map(attribute='directory') | first }}" + when: _wazuh_items | length > 0 - name: Include task to install based on selected items - include_tasks: install.yml - when: wazuh_items | length > 0 \ No newline at end of file + ansible.builtin.include_tasks: install.yml + when: _wazuh_items | length > 0 \ No newline at end of file From f59add7471bd3e1423f1aaba8ecada79b89795b4 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 20 Feb 2024 18:30:38 +0100 Subject: [PATCH 062/331] Adding clamdscan package to clamav role. (#1452) --- roles/debian/clamav/defaults/main.yml | 1 + roles/debian/clamav/tasks/main.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/roles/debian/clamav/defaults/main.yml b/roles/debian/clamav/defaults/main.yml index 6185d71fa..6dddd32d6 100644 --- a/roles/debian/clamav/defaults/main.yml +++ b/roles/debian/clamav/defaults/main.yml @@ -13,3 +13,4 @@ clamav: scan_location: / exclude_directories: - /sys/ + install_clamdscan: false # flag to install additional 'clamdscan' package diff --git a/roles/debian/clamav/tasks/main.yml b/roles/debian/clamav/tasks/main.yml index 5d27153a8..b84a4f2a6 100644 
--- a/roles/debian/clamav/tasks/main.yml +++ b/roles/debian/clamav/tasks/main.yml @@ -29,3 +29,9 @@ timer_command: "{{ clamav.scripts_location }}/clamscan" timer_OnCalendar: "{{ clamav.on_calendar }}" when: clamav.create_timer + +- name: Install clamdscan. + ansible.builtin.apt: + pkg: clamdscan + state: present + when: clamav.install_clamdscan From e5d188c5c78839e40b496605ea0890c7301d186b Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Wed, 21 Feb 2024 16:55:45 +0100 Subject: [PATCH 063/331] Bug fixes 2.x pr 2.x (#1454) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. --- roles/_init/defaults/main.yml | 1 + roles/_init/tasks/main.yml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index 01249906a..7b7c06560 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml 
@@ -4,6 +4,7 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false + ce_provision_version: 2.x # Outputted by the _init role at the start of plays. # Although these variables logically belong with ce_provision, the _init role needs to # gather the extra variables if there are any, so there are _init variables. diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml index 39c368378..357f94c5e 100644 --- a/roles/_init/tasks/main.yml +++ b/roles/_init/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Version check. + ansible.builtin.debug: + msg: "Using ce-provision {{ _init.ce_provision_version }}" + - name: Check OS family. when: ansible_os_family != "Debian" block: From 1891d5ee5c1dce53802bf2a32cacf6c522d5bef8 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 22 Feb 2024 13:56:35 +0100 Subject: [PATCH 064/331] Fixing-wazuh-vars (#1456) --- roles/debian/wazuh/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index 62f54f6b6..d645c49a7 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml @@ -13,6 +13,13 @@ _wazuh_path: "{{ _wazuh_items | map(attribute='directory') | first }}" when: _wazuh_items | length > 0 +- name: Debug _wazuh_path before including install.yml + ansible.builtin.debug: + msg: "The value of _wazuh_path is: '{{ _wazuh_path | default('Not set') }}'" + - name: Include task to install based on selected items ansible.builtin.include_tasks: install.yml + file: install.yml + vars: + _wazuh_path: "{{ _wazuh_path }}" when: _wazuh_items | length > 0 \ No newline at end of file From fc01c7cf2ad7369893d8dde9480a4b17a354f9e3 Mon Sep 17 00:00:00 2001 
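Review bot: In the #1456 hunk for wazuh/tasks/main.yml, `ansible.builtin.include_tasks: install.yml` followed by `file: install.yml` combines the free-form and keyword forms of the same module on one task, which Ansible does not accept; keep only `file: install.yml`. The `Debug _wazuh_path` task (and the earlier `Debug print _wazuh_items` one) should be removed before merge, and passing `_wazuh_path` through `vars:` is redundant because `set_fact` already makes it visible to the included file.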
From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 22 Feb 2024 14:19:33 +0100 Subject: [PATCH 065/331] Fixing wazuh vars pr 2.x (#1460) * Fixing-wazuh-vars * Fixing-linting --- roles/debian/wazuh/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index d645c49a7..b0be5ac2e 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml @@ -18,7 +18,7 @@ msg: "The value of _wazuh_path is: '{{ _wazuh_path | default('Not set') }}'" - name: Include task to install based on selected items - ansible.builtin.include_tasks: install.yml + ansible.builtin.include_tasks: file: install.yml vars: _wazuh_path: "{{ _wazuh_path }}" From e6ea7ba69ee9beda84c746a74e8cd3f9fe969dfe Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 22 Feb 2024 17:32:30 +0100 Subject: [PATCH 066/331] Updating-sury-keys (#1463) --- roles/debian/php-common/tasks/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/debian/php-common/tasks/main.yml b/roles/debian/php-common/tasks/main.yml index 7e54dc6cc..08d2a3755 100644 --- a/roles/debian/php-common/tasks/main.yml +++ b/roles/debian/php-common/tasks/main.yml @@ -2,7 +2,10 @@ - name: Add Sury repository key for PHP. ansible.builtin.apt_key: url: https://packages.sury.org/php/apt.gpg - state: present + state: "{{ item }}" + with_items: + - absent + - present - name: Add Sury repository. ansible.builtin.apt_repository: From d427d4bc869a4d9ba5b5b53f9f6eb55189140d23 Mon Sep 17 00:00:00 2001 
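Review bot: In php-common/tasks/main.yml, looping `apt_key` over `absent` then `present` removes and re-imports the Sury key on every run, so the task is never idempotent (always reports `changed`) and between the two iterations the repository has no trusted key. If the goal is to replace a rotated or expired key, do it once and conditionally, and prefer downloading the key to a file under `/etc/apt/keyrings` referenced with `signed-by=` in the repository entry, since `apt_key` relies on the deprecated `apt-key` keyring that trusts a key for every configured repository.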
From: Greg Harvey Date: Fri, 23 Feb 2024 14:49:38 +0100 Subject: [PATCH 067/331] Replace ssl certs pr 2.x (#1467) * Documentation updates. * Tidying SSL role and allowing option to replace a cert. --- README.md | 6 ++++ docs/roles/_init.md | 1 + docs/roles/aws/aws_cloudfront_distribution.md | 32 ++++++++++++++++++- docs/roles/debian/ce_provision.md | 2 +- docs/roles/debian/clamav.md | 1 + docs/roles/debian/ssl.md | 7 ++-- docs/roles/debian/wazuh.md | 2 ++ roles/_init/README.md | 1 + .../aws/aws_cloudfront_distribution/README.md | 32 ++++++++++++++++++- roles/debian/ce_provision/README.md | 2 +- roles/debian/clamav/README.md | 1 + roles/debian/ssl/README.md | 7 ++-- roles/debian/ssl/defaults/main.yml | 2 ++ roles/debian/ssl/tasks/copy.yml | 11 ++----- roles/debian/ssl/tasks/generate.yml | 16 ++++++++-- roles/debian/ssl/tasks/letsencrypt.yml | 10 +++--- roles/debian/wazuh/README.md | 2 ++ 17 files changed, 112 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index f07ed406a..30976cf5f 100644 --- a/README.md +++ b/README.md @@ -28,3 +28,9 @@ Ansible roles and group of roles that constitute the deploy stack. ### [Documentation](contribute/README.md#documentation) + + + + + +Made with [contrib.rocks](https://contrib.rocks). diff --git a/docs/roles/_init.md b/docs/roles/_init.md index 938906ddf..b51e3f41d 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md @@ -14,6 +14,7 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false + ce_provision_version: 2.x # Outputted by the _init role at the start of plays. # Although these variables logically belong with ce_provision, the _init role needs to # gather the extra variables if there are any, so there are _init variables. diff --git a/docs/roles/aws/aws_cloudfront_distribution.md b/docs/roles/aws/aws_cloudfront_distribution.md index f45a01af6..63952a71c 100644 --- a/docs/roles/aws/aws_cloudfront_distribution.md 
+++ b/docs/roles/aws/aws_cloudfront_distribution.md @@ -7,6 +7,32 @@ Creates a new AWS CloudFront distribution (CDN) for content delivery. ## Default variables ```yaml --- +# Uncomment cf_acl to create firewall rules for Cloudfront distro +#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int) +#cf_acl: +# acl_name: "dummy_master_acl" +# scope: "CLOUDFRONT" # Can be "REGIONAL" +# region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped +# +# ip_allow +# name: "Allowed-ips" +# list: +# - 1.1.1.1/32 +# - 2.2.2.2/32 +# - 3.3.3.3/32 +# +# ip_block: +# name: "Blocked-ips" +# list: +# - 4.4.4.4/32 +# - 5.5.5.5/32 +# - 6.6.6.6/32 +# +# cc_block_list: +# - BY # Belarus +# - CN # China +# - IR # Iran +# - SA # Saudi Arabia aws_cloudfront_distribution: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" @@ -69,7 +95,11 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. - +# logging: +# bucket: "" # URL of S3 bucket to store logs +# enabled: false # Set true to allow logging +# include_cookies: false # Set true to add cookies in logs +# prefix: "" # Prefix for S3 object names ``` diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md index dba324120..075b48323 100644 --- a/docs/roles/debian/ce_provision.md +++ b/docs/roles/debian/ce_provision.md @@ -37,7 +37,7 @@ ce_provision: contrib_roles: - directory: wazuh repo: https://github.com/wazuh/wazuh-ansible.git - branch: stable + branch: "v4.7.2" - directory: systemd_timers repo: https://github.com/vlcty/ansible-systemd-timers.git branch: master diff --git a/docs/roles/debian/clamav.md b/docs/roles/debian/clamav.md index 8ce643b7e..4e01840ea 100644 
--- a/docs/roles/debian/clamav.md +++ b/docs/roles/debian/clamav.md @@ -24,6 +24,7 @@ clamav: scan_location: / exclude_directories: - /sys/ + install_clamdscan: false # flag to install additional 'clamdscan' package ``` diff --git a/docs/roles/debian/ssl.md b/docs/roles/debian/ssl.md index 33a5ee801..102e90cc3 100644 --- a/docs/roles/debian/ssl.md +++ b/docs/roles/debian/ssl.md @@ -1,10 +1,11 @@ # SSL -Manages SSL certificates. +Manages SSL certificates on servers. See the `aws/aws_acm` role for SSL handling in AWS services. -If you are using LetsEncrypt for handling it assume `standalone` mode. If you want to do DNS validation, please do not use this role at this time. There are a few pre-requisites for `standalone` mode to work: +## LetsEncrypt +If you are using LetsEncrypt for handling it assumes `standalone` mode. If you want to do DNS validation, please do not use this role at this time. There are a few pre-requisites for `standalone` mode to work: * You must have firewalls open to allow traffic to ports 80 and/or 443, regardless of your configuration * LetsEncrypt's certbot application will try to use port 80, if this will not be possible you can either: @@ -72,6 +73,8 @@ ssl: 79RG06iurGJEorFopyQesKwix1h6aBYXpM8yZ0IPR0leeeipBtYHIwbPHEYRJiFn 6XoQQlb5mYuLKCzAZws9uceeVH+z -----END PRIVATE KEY----- + # Set this to true to have Ansible replace the existing certificate. + replace_existing: false # For "letsencrypt" handling. email: admin@example.com diff --git a/docs/roles/debian/wazuh.md b/docs/roles/debian/wazuh.md index bc92ecc6d..e7cba9b35 100644 --- a/docs/roles/debian/wazuh.md +++ b/docs/roles/debian/wazuh.md 
@@ -11,6 +11,8 @@ Supports standalone managers, scaled out services and agent installation (defaul ```yaml --- wazuh: + #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible + branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version! # Agent variables, installed locally by default # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/ansible-wazuh-agent/defaults/main.yml agent: diff --git a/roles/_init/README.md b/roles/_init/README.md index 938906ddf..b51e3f41d 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md @@ -14,6 +14,7 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false + ce_provision_version: 2.x # Outputted by the _init role at the start of plays. # Although these variables logically belong with ce_provision, the _init role needs to # gather the extra variables if there are any, so there are _init variables. diff --git a/roles/aws/aws_cloudfront_distribution/README.md b/roles/aws/aws_cloudfront_distribution/README.md index f45a01af6..63952a71c 100644 --- a/roles/aws/aws_cloudfront_distribution/README.md +++ b/roles/aws/aws_cloudfront_distribution/README.md 
@@ -7,6 +7,32 @@ Creates a new AWS CloudFront distribution (CDN) for content delivery. ## Default variables ```yaml --- +# Uncomment cf_acl to create firewall rules for Cloudfront distro +#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int) +#cf_acl: +# acl_name: "dummy_master_acl" +# scope: "CLOUDFRONT" # Can be "REGIONAL" +# region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped +# +# ip_allow +# name: "Allowed-ips" +# list: +# - 1.1.1.1/32 +# - 2.2.2.2/32 +# - 3.3.3.3/32 +# +# ip_block: +# name: "Blocked-ips" +# list: +# - 4.4.4.4/32 +# - 5.5.5.5/32 +# - 6.6.6.6/32 +# +# cc_block_list: +# - BY # Belarus +# - CN # China +# - IR # Iran +# - SA # Saudi Arabia aws_cloudfront_distribution: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" @@ -69,7 +95,11 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. - +# logging: +# bucket: "" # URL of S3 bucket to store logs +# enabled: false # Set true to allow logging +# include_cookies: false # Set true to add cookies in logs +# prefix: "" # Prefix for S3 object names ``` diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md index dba324120..075b48323 100644 --- a/roles/debian/ce_provision/README.md +++ b/roles/debian/ce_provision/README.md @@ -37,7 +37,7 @@ ce_provision: contrib_roles: - directory: wazuh repo: https://github.com/wazuh/wazuh-ansible.git - branch: stable + branch: "v4.7.2" - directory: systemd_timers repo: https://github.com/vlcty/ansible-systemd-timers.git branch: master diff --git a/roles/debian/clamav/README.md b/roles/debian/clamav/README.md index 8ce643b7e..4e01840ea 100644 --- a/roles/debian/clamav/README.md 
+++ b/roles/debian/clamav/README.md @@ -24,6 +24,7 @@ clamav: scan_location: / exclude_directories: - /sys/ + install_clamdscan: false # flag to install additional 'clamdscan' package ``` diff --git a/roles/debian/ssl/README.md b/roles/debian/ssl/README.md index 33a5ee801..102e90cc3 100644 --- a/roles/debian/ssl/README.md +++ b/roles/debian/ssl/README.md @@ -1,10 +1,11 @@ # SSL -Manages SSL certificates. +Manages SSL certificates on servers. See the `aws/aws_acm` role for SSL handling in AWS services. -If you are using LetsEncrypt for handling it assume `standalone` mode. If you want to do DNS validation, please do not use this role at this time. There are a few pre-requisites for `standalone` mode to work: +## LetsEncrypt +If you are using LetsEncrypt for handling it assumes `standalone` mode. If you want to do DNS validation, please do not use this role at this time. There are a few pre-requisites for `standalone` mode to work: * You must have firewalls open to allow traffic to ports 80 and/or 443, regardless of your configuration * LetsEncrypt's certbot application will try to use port 80, if this will not be possible you can either: @@ -72,6 +73,8 @@ ssl: 79RG06iurGJEorFopyQesKwix1h6aBYXpM8yZ0IPR0leeeipBtYHIwbPHEYRJiFn 6XoQQlb5mYuLKCzAZws9uceeVH+z -----END PRIVATE KEY----- + # Set this to true to have Ansible replace the existing certificate. + replace_existing: false # For "letsencrypt" handling. email: admin@example.com diff --git a/roles/debian/ssl/defaults/main.yml b/roles/debian/ssl/defaults/main.yml index adfb9a137..67b8952fc 100644 --- a/roles/debian/ssl/defaults/main.yml +++ b/roles/debian/ssl/defaults/main.yml @@ -24,6 +24,8 @@ ssl: 79RG06iurGJEorFopyQesKwix1h6aBYXpM8yZ0IPR0leeeipBtYHIwbPHEYRJiFn 6XoQQlb5mYuLKCzAZws9uceeVH+z -----END PRIVATE KEY----- + # Set this to true to have Ansible replace the existing certificate. + replace_existing: false # For "letsencrypt" handling. email: admin@example.com 
diff --git a/roles/debian/ssl/tasks/copy.yml b/roles/debian/ssl/tasks/copy.yml index d2622d89e..da9e2d599 100644 --- a/roles/debian/ssl/tasks/copy.yml +++ b/roles/debian/ssl/tasks/copy.yml @@ -1,9 +1,4 @@ --- -- name: Check if we have an existing SSL key. - ansible.builtin.stat: - path: "{{ ssl_facts[certificate_domain].key }}" - register: ssl_key - - name: Copy public cert file to destination ansible.builtin.copy: content: "{{ ssl.cert }}" @@ -11,7 +6,7 @@ owner: root group: root mode: 0644 - when: not ssl_key.stat.exists + force: "{{ ssl.replace_existing }}" - name: Copy CA cert file to destination ansible.builtin.copy: @@ -20,8 +15,8 @@ owner: root group: root mode: 0644 + force: "{{ ssl.replace_existing }}" when: - - not ssl_key.stat.exists - ssl.ca_cert is defined - name: Copy private key file to destination @@ -31,4 +26,4 @@ owner: root group: root mode: 0400 - when: not ssl_key.stat.exists + force: "{{ ssl.replace_existing }}" diff --git a/roles/debian/ssl/tasks/generate.yml b/roles/debian/ssl/tasks/generate.yml index df7df8770..ac56ebc96 100644 --- a/roles/debian/ssl/tasks/generate.yml +++ b/roles/debian/ssl/tasks/generate.yml 
@@ -2,8 +2,20 @@ - name: Check if we have an existing SSL key. ansible.builtin.stat: path: "{{ ssl_facts[certificate_domain].key }}" - register: ssl_key + register: _ssl_key + +- name: Delete existing SSL key. + ansible.builtin.file: + path: "{{ ssl_facts[certificate_domain].key }}" + state: absent + when: ssl.replace_existing + +- name: Delete existing SSL cert. + ansible.builtin.file: + path: "{{ ssl_facts[certificate_domain].certificate }}" + state: absent + when: ssl.replace_existing - name: Generates a new key/cert. ansible.builtin.command: "openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj '/C=GB/ST=Test/L=London/O=CodeEnigma/OU=Test/CN={{ certificate_domain }}' -keyout {{ ssl_facts[certificate_domain].key }} -out {{ ssl_facts[certificate_domain].certificate }}" - when: not ssl_key.stat.exists + when: not _ssl_key.stat.exists or ssl.replace_existing diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml index 65ff333b4..c40faef68 100644 --- a/roles/debian/ssl/tasks/letsencrypt.yml +++ b/roles/debian/ssl/tasks/letsencrypt.yml @@ -31,7 +31,7 @@ - name: Check if we have a certificate. ansible.builtin.stat: path: "{{ ssl_facts[_ssl_domains[0]].certificate }}" # it's sufficient to check the first domain for a SAN cert - register: letsencrypt_cert + register: _letsencrypt_cert - name: Stop services listening on port 80. ansible.builtin.service: @@ -41,7 +41,7 @@ loop_control: loop_var: ssl_service when: - - not letsencrypt_cert.stat.exists + - not _letsencrypt_cert.stat.exists - _ssl_services | length > 0 - name: Build certificate domains string. 
@@ -50,12 +50,12 @@ with_items: "{{ _ssl_domains }}" loop_control: loop_var: certificate_domain - when: not letsencrypt_cert.stat.exists + when: not _letsencrypt_cert.stat.exists - name: Register certificate bypassing web server if needed. ansible.builtin.command: "{{ ssl.certbot_register_command }} --cert-name {{ ssl_facts[_ssl_domains[0]].domain }} --http-01-port {{ ssl.http_01_port }} -m {{ ssl.email }} --{{ _ssl_web_server }}{{ _letsencrypt_domain_string }}" when: - - not letsencrypt_cert.stat.exists + - not _letsencrypt_cert.stat.exists - name: Restart services. ansible.builtin.service: @@ -65,7 +65,7 @@ loop_control: loop_var: ssl_service when: - - not letsencrypt_cert.stat.exists + - not _letsencrypt_cert.stat.exists - _ssl_services | length > 0 # Because of the scripted command each SSL implementation needs it's own uniquely named cron script. diff --git a/roles/debian/wazuh/README.md b/roles/debian/wazuh/README.md index bc92ecc6d..e7cba9b35 100644 --- a/roles/debian/wazuh/README.md +++ b/roles/debian/wazuh/README.md @@ -11,6 +11,8 @@ Supports standalone managers, scaled out services and agent installation (defaul ```yaml --- wazuh: + #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible + branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version! # Agent variables, installed locally by default # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/ansible-wazuh-agent/defaults/main.yml agent: From 830b3f287ce4ccf1c06b6ddcaf5cb5b85e895be9 Mon Sep 17 00:00:00 2001 
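Review bot: in the commented `cf_acl` example added to `docs/roles/aws/aws_cloudfront_distribution.md` (and the identical hunk in `roles/aws/aws_cloudfront_distribution/README.md`), `# ip_allow` is missing its trailing colon, so a user who uncomments the block as instructed gets invalid YAML; it should read `# ip_allow:` to match `# ip_block:` directly below it. On the `rate_limit` line, `considrate` should be `considered`.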
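Review bot: in `roles/debian/ssl/tasks/generate.yml`, with `replace_existing: true` the two new `state: absent` tasks delete the live key and certificate before `openssl req` runs, so if the command fails (missing `openssl`, a bad `-subj`, a full disk) the host is left with no key pair at all and any service pointing at those paths will refuse to start on its next restart. Generating into a temporary path and moving the pair into place only on success, or using `community.crypto.openssl_privatekey` and `community.crypto.x509_certificate`, which handle regeneration in place, closes that window. The `ansible.builtin.command` task would also benefit from `changed_when` so a forced regeneration is reported accurately.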
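Review bot: the new `ssl.replace_existing` flag is documented as "have Ansible replace the existing certificate" with no qualification, but `roles/debian/ssl/tasks/letsencrypt.yml` still gates every step on `not _letsencrypt_cert.stat.exists`, so for `letsencrypt` handling the flag is a silent no-op. Either extend those conditions to `not _letsencrypt_cert.stat.exists or ssl.replace_existing` (after checking that `ssl.certbot_register_command` is non-interactive when a lineage with the same `--cert-name` already exists), or state in the README that `replace_existing` only applies to the `copy` and `generate` handlers.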
From: Greg Harvey Date: Fri, 23 Feb 2024 18:31:54 +0100 Subject: [PATCH 068/331] Bug fixes 2.x pr 2.x (#1469) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. --- roles/_meta/common_base/meta/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index 7a79993e8..70c522c53 100644 --- a/roles/_meta/common_base/meta/main.yml 
+++ b/roles/_meta/common_base/meta/main.yml @@ -44,12 +44,12 @@ dependencies: when: is_local is not defined or not is_local - role: debian/ansible ce_ansible: - venv_path: "/home/{{ ce_provision.username }}/ansible" + venv_path: "/home/{{ user_provision.username }}/ansible" venv_command: "/usr/bin/python3 -m venv" - install_username: "{{ ce_provision.username }}" + install_username: "{{ user_provision.username }}" upgrade: enabled: true - command: "/home/{{ ce_provision.username }}/ansible/bin/python3 -m pip install --upgrade ansible" + command: "/home/{{ user_provision.username }}/ansible/bin/python3 -m pip install --upgrade ansible" on_calendar: "*-*-* 01:30:00" timer_name: upgrade_ansible linters: From 4d738acb9ee8269cfe00509e9bcc111498ece7b6 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Mon, 26 Feb 2024 14:24:28 +0100 Subject: [PATCH 069/331] Fixing-wazuh-variables (#1473) --- roles/debian/wazuh/tasks/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index b0be5ac2e..0b3c881d0 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml @@ -18,8 +18,6 @@ msg: "The value of _wazuh_path is: '{{ _wazuh_path | default('Not set') }}'" - name: Include task to install based on selected items - ansible.builtin.include_tasks: + ansible.builtin.import_tasks: file: install.yml - vars: - _wazuh_path: "{{ _wazuh_path }}" when: _wazuh_items | length > 0 \ No newline at end of file From 64c1317d74bbe580743539dbe55a528ea34bc6b3 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 27 Feb 2024 17:50:26 +0100 Subject: [PATCH 070/331] Adding-wazuh-path-defaults (#1480) * Adding-wazuh-path-defaults * Changing-wazuh-path-location --- roles/debian/wazuh/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) 
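Review bot: `upgrade.command` runs `pip install --upgrade ansible` from a nightly timer with no version constraint, so every machine pulls whatever the newest `ansible` release on PyPI is at 01:30 with no review step; a major-version bump or a bad release lands on the whole estate at once. Pin to a tested range (for example `'ansible>=9,<10'`) and bump it deliberately, or drive the upgrade from a constraints file with `--require-hashes`. Separately, `/home/{{ user_provision.username }}` hard-codes the home directory in three places; resolving it from the user's actual home (for example via `getent passwd`) would survive non-default home paths.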
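Review bot: switching `include_tasks` to `import_tasks` makes this include static, but `install.yml` (visible in full in the deletion in the following patch) builds its `import_role` names from `_wazuh_path`, which is only defined by `set_fact` at run time. `import_role` resolves `name` while the play is being parsed, before any `set_fact` has executed, so the `contrib/{{ _wazuh_path }}/...` paths cannot resolve at that point. Either keep `include_tasks`, or make the path a plain default variable that is known at parse time (which is what the later `wazuh.path` change does).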
diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml index aa3a0b0c6..9ea1646b1 100644 --- a/roles/debian/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml @@ -1,4 +1,6 @@ --- +_wazuh_path: "" + wazuh: #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version! From ded19fd9decb3d1b531f89f3a2ca81c696f9699f Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 29 Feb 2024 17:33:37 +0100 Subject: [PATCH 071/331] Updating wazuh path2x pr 2.x (#1482) * Updating-wazuh-path2x * Updating-all-roles-path --- roles/debian/wazuh/defaults/main.yml | 3 +- roles/debian/wazuh/tasks/install.yml | 112 ----------------------- roles/debian/wazuh/tasks/main.yml | 127 +++++++++++++++++++++++---- 3 files changed, 109 insertions(+), 133 deletions(-) delete mode 100644 roles/debian/wazuh/tasks/install.yml diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml index 9ea1646b1..4ea2fafc0 100644 --- a/roles/debian/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml @@ -1,7 +1,6 @@ --- -_wazuh_path: "" - wazuh: + path: wazuh #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version! # Agent variables, installed locally by default diff --git a/roles/debian/wazuh/tasks/install.yml b/roles/debian/wazuh/tasks/install.yml deleted file mode 100644 index 5d76e3bf5..000000000 --- a/roles/debian/wazuh/tasks/install.yml +++ /dev/null 
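Review bot: defaulting `_wazuh_path` to `""` only turns an undefined-variable error into a bad role path (`contrib//roles/...`) when no matching `ce_provision.contrib_roles` entry is found, and the leading-underscore name marks it as an internal fact rather than something a user is expected to set. A documented `wazuh.path` default that users set alongside their `contrib_roles[].directory` value would be clearer and would fail with a meaningful message.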
@@ -1,112 +0,0 @@ -- name: Import elastic-stack. - ansible.builtin.import_role: - name: "contrib/{{ _wazuh_path }}/roles/elastic-stack/ansible-kibana" - -- name: Import opendistro. - ansible.builtin.import_role: - name: "contrib/{{ _wazuh_path }}/roles/opendistro/opendistro-kibana" - -- name: Generate certificates. - ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/wazuh-indexer - delegate_to: localhost - vars: - indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}" - instances: "{{ wazuh.indexer.indexer_primary }}" - perform_installation: false - tags: - - generate-certs - -- name: Install Wazuh indexer. - ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/wazuh-indexer - vars: - single_node: "{{ wazuh.indexer.single_node }}" - domain_name: "{{ wazuh.indexer.domain_name }}" - indexer_cluster_name: "{{ wazuh.indexer.indexer_cluster_name }}" - indexer_node_name: "{{ wazuh.indexer.indexer_node_name }}" - minimum_master_nodes: "{{ wazuh.indexer.minimum_master_nodes }}" - indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}" - indexer_node_data: "{{ wazuh.indexer.indexer_node_data }}" - indexer_node_ingest: "{{ wazuh.indexer.indexer_node_ingest }}" - indexer_start_timeout: "{{ wazuh.indexer.indexer_start_timeout }}" - indexer_network_host: "{{ wazuh.indexer.indexer_network_host }}" - indexer_cluster_nodes: "{{ wazuh.indexer.indexer_cluster_nodes }}" - indexer_discovery_nodes: "{{ wazuh.indexer.indexer_discovery_nodes }}" - indexer_http_port: "{{ wazuh.indexer.indexer_http_port }}" - indexer_api_protocol: "{{ wazuh.indexer.indexer_api_protocol }}" - indexer_custom_user: "{{ wazuh.indexer.indexer_custom_user }}" - indexer_custom_user_role: "{{ wazuh.indexer.indexer_custom_user_role }}" - indexer_admin_password: "{{ wazuh.indexer.indexer_admin_password }}" - dashboard_password: "{{ wazuh.dashboard.dashboard_password }}" - instances: "{{ wazuh.indexer.indexer_instances }}" - perform_installation: true - tags: - - install - when: 
wazuh.indexer.install - -- name: Install Wazuh Manager. - ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/ansible-wazuh-manager - vars: - wazuh_manager_mailto: "{{ wazuh.manager.wazuh_manager_mailto }}" - wazuh_manager_email_smtp_server: "{{ wazuh.manager.wazuh_manager_email_smtp_server }}" - wazuh_manager_email_from: "{{ wazuh.manager.wazuh_manager_email_from }}" - wazuh_manager_email_maxperhour: "{{ wazuh.manager.wazuh_manager_email_maxperhour }}" - wazuh_manager_email_queue_size: "{{ wazuh.manager.wazuh_manager_email_queue_size }}" - wazuh_manager_email_log_source: "{{ wazuh.manager.wazuh_manager_email_log_source }}" - wazuh_manager_log_level: "{{ wazuh.manager.wazuh_manager_log_level }}" - wazuh_manager_email_level: "{{ wazuh.manager.wazuh_manager_email_level }}" - wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" - wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" - wazuh_manager_api: "{{ wazuh.manager.wazuh_manager_api }}" - agent_groups: "{{ wazuh.manager.agent_groups }}" - when: wazuh.manager.install - -- name: Install Filebeat. - ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/ansible-filebeat-oss - vars: - filebeat_version: "{{ wazuh.filebeat.filebeat_version }}" - filebeat_node_name: "{{ wazuh.filebeat.filebeat_node_name }}" - filebeat_output_indexer_hosts: "{{ wazuh.filebeat.filebeat_output_indexer_hosts }}" - filebeat_module_package_url: "{{ wazuh.filebeat.filebeat_module_package_url }}" - filebeat_module_package_name: "{{ wazuh.filebeat.filebeat_module_package_name }}" - indexer_security_user: "{{ wazuh.filebeat.indexer_security_user | default('admin') }}" - indexer_security_password: "{{ wazuh.indexer.indexer_admin_password }}" - when: wazuh.filebeat.install - -- name: Install Wazuh dashboard. 
- ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/wazuh-dashboard - vars: - dashboard_node_name: "{{ wazuh.dashboard.dashboard_node_name }}" - dashboard_server_host: "{{ wazuh.dashboard.dashboard_server_host }}" - dashboard_server_port: "{{ wazuh.dashboard.dashboard_server_port }}" - dashboard_server_name: "{{ wazuh.dashboard.dashboard_server_name }}" - wazuh_api_credentials: "{{ wazuh.dashboard.wazuh_api_credentials }}" - dashboard_security: "{{ wazuh.dashboard.dashboard_security }}" - dashboard_user: "{{ wazuh.dashboard.dashboard_user }}" - dashboard_password: "{{ wazuh.dashboard.dashboard_password }}" - indexer_admin_password: "{{ wazuh.indexer.indexer_admin_password }}" - indexer_http_port: "{{ wazuh.indexer.indexer_http_port }}" - indexer_api_protocol: "{{ wazuh.indexer.indexer_api_protocol }}" - ansible_shell_allow_world_readable_temp: true - when: wazuh.dashboard.install - -- name: Install Wazuh agent. - ansible.builtin.import_role: - name: wazuh-ansible/roles/wazuh/ansible-wazuh-agent - vars: - wazuh_managers: "{{ wazuh.agent.managers }}" - wazuh_agent_enrollment: - enabled: "{{ wazuh.agent.wazuh_agent_enrollment.enabled }}" - agent_name: "{{ wazuh.agent.wazuh_agent_enrollment.agent_name }}" - groups: "{{ wazuh.agent.wazuh_agent_enrollment.groups }}" - agent_address: "{{ wazuh.agent.wazuh_agent_enrollment.agent_address }}" - ssl_ciphers: "{{ wazuh.agent.wazuh_agent_enrollment.ssl_ciphers }}" - wazuh_custom_packages_installation_agent_enabled: false - ansible_shell_allow_world_readable_temp: true - wazuh_agent_sources_installation: - enabled: true - when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled \ No newline at end of file diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index 0b3c881d0..1b081b56a 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml 
@@ -1,23 +1,112 @@ ---- -# Assumes you have run the ce_provision role on your controller and it has already installed the Wazuh roles -- name: Select items with URL https://github.com/wazuh/wazuh-ansible.git - ansible.builtin.set_fact: - _wazuh_items: "{{ ce_provision.contrib_roles | selectattr('repo', 'equalto', 'https://github.com/wazuh/wazuh-ansible.git') | list }}" +- name: Import elastic-stack. + ansible.builtin.import_role: + name: "contrib/{{ wazuh.path }}/roles/elastic-stack/ansible-kibana" -- name: Debug print _wazuh_items - ansible.builtin.debug: - msg: "{{ _wazuh_items }}" +- name: Import opendistro. + ansible.builtin.import_role: + name: "contrib/{{ wazuh.path }}/roles/opendistro/opendistro-kibana" -- name: Set wazuh path based on matching repo - ansible.builtin.set_fact: - _wazuh_path: "{{ _wazuh_items | map(attribute='directory') | first }}" - when: _wazuh_items | length > 0 +- name: Generate certificates. + ansible.builtin.import_role: + name: "contrib/{{ wazuh.path }}/roles/wazuh/wazuh-indexer" + delegate_to: localhost + vars: + indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}" + instances: "{{ wazuh.indexer.indexer_primary }}" + perform_installation: false + tags: + - generate-certs -- name: Debug _wazuh_path before including install.yml - ansible.builtin.debug: - msg: "The value of _wazuh_path is: '{{ _wazuh_path | default('Not set') }}'" +- name: Install Wazuh indexer. 
+ ansible.builtin.import_role: + name: "contrib/{{ wazuh.path }}/roles/wazuh/wazuh-indexer" + vars: + single_node: "{{ wazuh.indexer.single_node }}" + domain_name: "{{ wazuh.indexer.domain_name }}" + indexer_cluster_name: "{{ wazuh.indexer.indexer_cluster_name }}" + indexer_node_name: "{{ wazuh.indexer.indexer_node_name }}" + minimum_master_nodes: "{{ wazuh.indexer.minimum_master_nodes }}" + indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}" + indexer_node_data: "{{ wazuh.indexer.indexer_node_data }}" + indexer_node_ingest: "{{ wazuh.indexer.indexer_node_ingest }}" + indexer_start_timeout: "{{ wazuh.indexer.indexer_start_timeout }}" + indexer_network_host: "{{ wazuh.indexer.indexer_network_host }}" + indexer_cluster_nodes: "{{ wazuh.indexer.indexer_cluster_nodes }}" + indexer_discovery_nodes: "{{ wazuh.indexer.indexer_discovery_nodes }}" + indexer_http_port: "{{ wazuh.indexer.indexer_http_port }}" + indexer_api_protocol: "{{ wazuh.indexer.indexer_api_protocol }}" + indexer_custom_user: "{{ wazuh.indexer.indexer_custom_user }}" + indexer_custom_user_role: "{{ wazuh.indexer.indexer_custom_user_role }}" + indexer_admin_password: "{{ wazuh.indexer.indexer_admin_password }}" + dashboard_password: "{{ wazuh.dashboard.dashboard_password }}" + instances: "{{ wazuh.indexer.indexer_instances }}" + perform_installation: true + tags: + - install + when: wazuh.indexer.install -- name: Include task to install based on selected items - ansible.builtin.import_tasks: - file: install.yml - when: _wazuh_items | length > 0 \ No newline at end of file +- name: Install Wazuh Manager. 
+ ansible.builtin.import_role: + name: "contrib/{{ wazuh.path }}/roles/wazuh/ansible-wazuh-manager" + vars: + wazuh_manager_mailto: "{{ wazuh.manager.wazuh_manager_mailto }}" + wazuh_manager_email_smtp_server: "{{ wazuh.manager.wazuh_manager_email_smtp_server }}" + wazuh_manager_email_from: "{{ wazuh.manager.wazuh_manager_email_from }}" + wazuh_manager_email_maxperhour: "{{ wazuh.manager.wazuh_manager_email_maxperhour }}" + wazuh_manager_email_queue_size: "{{ wazuh.manager.wazuh_manager_email_queue_size }}" + wazuh_manager_email_log_source: "{{ wazuh.manager.wazuh_manager_email_log_source }}" + wazuh_manager_log_level: "{{ wazuh.manager.wazuh_manager_log_level }}" + wazuh_manager_email_level: "{{ wazuh.manager.wazuh_manager_email_level }}" + wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" + wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" + wazuh_manager_api: "{{ wazuh.manager.wazuh_manager_api }}" + agent_groups: "{{ wazuh.manager.agent_groups }}" + when: wazuh.manager.install + +- name: Install Filebeat. + ansible.builtin.import_role: + name: "contrib/{{ wazuh.path }}/roles/wazuh/ansible-filebeat-oss" + vars: + filebeat_version: "{{ wazuh.filebeat.filebeat_version }}" + filebeat_node_name: "{{ wazuh.filebeat.filebeat_node_name }}" + filebeat_output_indexer_hosts: "{{ wazuh.filebeat.filebeat_output_indexer_hosts }}" + filebeat_module_package_url: "{{ wazuh.filebeat.filebeat_module_package_url }}" + filebeat_module_package_name: "{{ wazuh.filebeat.filebeat_module_package_name }}" + indexer_security_user: "{{ wazuh.filebeat.indexer_security_user | default('admin') }}" + indexer_security_password: "{{ wazuh.indexer.indexer_admin_password }}" + when: wazuh.filebeat.install + +- name: Install Wazuh dashboard. 
+ ansible.builtin.import_role: + name: "contrib/{{ wazuh.path }}/roles/wazuh/wazuh-dashboard" + vars: + dashboard_node_name: "{{ wazuh.dashboard.dashboard_node_name }}" + dashboard_server_host: "{{ wazuh.dashboard.dashboard_server_host }}" + dashboard_server_port: "{{ wazuh.dashboard.dashboard_server_port }}" + dashboard_server_name: "{{ wazuh.dashboard.dashboard_server_name }}" + wazuh_api_credentials: "{{ wazuh.dashboard.wazuh_api_credentials }}" + dashboard_security: "{{ wazuh.dashboard.dashboard_security }}" + dashboard_user: "{{ wazuh.dashboard.dashboard_user }}" + dashboard_password: "{{ wazuh.dashboard.dashboard_password }}" + indexer_admin_password: "{{ wazuh.indexer.indexer_admin_password }}" + indexer_http_port: "{{ wazuh.indexer.indexer_http_port }}" + indexer_api_protocol: "{{ wazuh.indexer.indexer_api_protocol }}" + ansible_shell_allow_world_readable_temp: true + when: wazuh.dashboard.install + +- name: Install Wazuh agent. + ansible.builtin.import_role: + name: "contrib/{{ wazuh.path }}/roles/wazuh/ansible-wazuh-agent" + vars: + wazuh_managers: "{{ wazuh.agent.managers }}" + wazuh_agent_enrollment: + enabled: "{{ wazuh.agent.wazuh_agent_enrollment.enabled }}" + agent_name: "{{ wazuh.agent.wazuh_agent_enrollment.agent_name }}" + groups: "{{ wazuh.agent.wazuh_agent_enrollment.groups }}" + agent_address: "{{ wazuh.agent.wazuh_agent_enrollment.agent_address }}" + ssl_ciphers: "{{ wazuh.agent.wazuh_agent_enrollment.ssl_ciphers }}" + wazuh_custom_packages_installation_agent_enabled: false + ansible_shell_allow_world_readable_temp: true + wazuh_agent_sources_installation: + enabled: true + when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled \ No newline at end of file From 108b8f2cdb54233e990cd95fb28609c8e13b47b3 Mon Sep 17 00:00:00 2001 
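Review bot: the new `path: wazuh` default in `roles/debian/wazuh/defaults/main.yml` needs a comment stating that it must equal the `directory` of the wazuh-ansible entry in `ce_provision.contrib_roles` (the ce_provision docs show `directory: wazuh`), since every `import_role` in `main.yml` now builds `contrib/{{ wazuh.path }}/...` from it and a mismatch surfaces only as a role-not-found error at parse time.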
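Review bot: the final `Install Wazuh agent.` task in the rewritten `roles/debian/wazuh/tasks/main.yml` sets `wazuh_agent_sources_installation: enabled: true` in its own `vars:` and then conditions on `when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled`; task-level `vars` are visible to that task's own `when`, so the condition is always false and the agent role can never run from this file. If a package install is intended, drop the `not ...` clause; if sources installation should be a user toggle, move the flag into the `wazuh.agent` defaults. Two smaller points in the same hunk: the `elastic-stack`, `opendistro` and `Generate certificates` imports carry no `when:`, so an agent-only host also runs the two kibana roles and the certificate generation on localhost, while the `Install Wazuh indexer` task directly below is guarded by `wazuh.indexer.install`; and the file loses its `---` document start and its trailing newline, both of which yamllint's default rules flag.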
From: Greg Harvey Date: Fri, 1 Mar 2024 13:37:34 +0100 Subject: [PATCH 072/331] Making Varnish template handling more flexible. (#1485) * Making Varnish template handling more flexible. * Adding empty line. --- docs/_Sidebar.md | 2 +- docs/roles/debian/varnish_config.md | 21 +++++++++++++++++-- docs/roles/debian/wazuh.md | 1 + roles/debian/varnish_config/README.md | 21 +++++++++++++++++-- roles/debian/varnish_config/defaults/main.yml | 4 +++- roles/debian/varnish_config/tasks/main.yml | 8 +++++-- roles/debian/wazuh/README.md | 1 + 7 files changed, 50 insertions(+), 8 deletions(-) diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 5a5213a0b..64e7a00dc 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -77,7 +77,7 @@ - [SSL](/roles/debian/ssl) - [sudo config](/roles/debian/sudo_config) - [Swap](/roles/debian/swap) - - [varnish-config](/roles/debian/varnish_config) + - [varnish_config](/roles/debian/varnish_config) - [wazuh](/roles/debian/wazuh) - [Init role](/roles/_init) - ["Meta" roles that group individual roles together.](/roles/_meta) diff --git a/docs/roles/debian/varnish_config.md b/docs/roles/debian/varnish_config.md index 875136ad8..59483d046 100644 --- a/docs/roles/debian/varnish_config.md +++ b/docs/roles/debian/varnish_config.md 
@@ -1,5 +1,19 @@ -# varnish-config -Installs and configures Varnish, with 6.4 being the default version. Depends on geerlingguy.varnish which does the setup bit, varnish-config handles the default.vcl file. +# varnish_config +Installs and configures Varnish, with 6.4 being the default version. Depends on `geerlingguy.varnish` which does the setup bit, `varnish_config` handles the `default.vcl` file. + +You can provide a template override in two locations, they will be checked in this order: +* `templates` in the same directory as your server's playbook +* `files/templates` in your `ce-provision-config` repository + +If no alternative is found, the `default.vcl.j2` template provided with this role is used. By default the override template is expected to be named `default.vcl.j2`, however if you set `varnish_config.template_filename` you can change this. For example, if you place a template at `files/templates/my-app.v1.vcl.j2` in your config repository, you need to set the variable as follows, note *without* the `.j2` which is implicit: + +```yaml +varnish_config: + template_filename: my-app.v1.vcl +``` + +This behaviour allows you to manage different Varnish templates for different applications. You may of course provide your own variables in the `varnish_config` dictionary for your custom template. + @@ -23,6 +37,9 @@ varnish_config: strip_cookies: (^|;\s*)(_[_a-z]+|has_js|AWSELB|cookie-agreed)=[^;]* # List of upstream proxies we trust to set X-Forwarded-For correctly, use either CIDR or list all the IPs. upstream_proxies: [] + # Provide an alternative filename if you are providing a template. + template_filename: default.vcl + ``` diff --git a/docs/roles/debian/wazuh.md b/docs/roles/debian/wazuh.md index e7cba9b35..f6efaa7ca 100644 --- a/docs/roles/debian/wazuh.md +++ b/docs/roles/debian/wazuh.md 
@@ -11,6 +11,7 @@ Supports standalone managers, scaled out services and agent installation (defaul ```yaml --- wazuh: + path: wazuh #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version! # Agent variables, installed locally by default diff --git a/roles/debian/varnish_config/README.md b/roles/debian/varnish_config/README.md index 875136ad8..59483d046 100644 --- a/roles/debian/varnish_config/README.md +++ b/roles/debian/varnish_config/README.md @@ -1,5 +1,19 @@ -# varnish-config -Installs and configures Varnish, with 6.4 being the default version. Depends on geerlingguy.varnish which does the setup bit, varnish-config handles the default.vcl file. +# varnish_config +Installs and configures Varnish, with 6.4 being the default version. Depends on `geerlingguy.varnish` which does the setup bit, `varnish_config` handles the `default.vcl` file. + +You can provide a template override in two locations, they will be checked in this order: +* `templates` in the same directory as your server's playbook +* `files/templates` in your `ce-provision-config` repository + +If no alternative is found, the `default.vcl.j2` template provided with this role is used. By default the override template is expected to be named `default.vcl.j2`, however if you set `varnish_config.template_filename` you can change this. For example, if you place a template at `files/templates/my-app.v1.vcl.j2` in your config repository, you need to set the variable as follows, note *without* the `.j2` which is implicit: + +```yaml +varnish_config: + template_filename: my-app.v1.vcl +``` + +This behaviour allows you to manage different Varnish templates for different applications. You may of course provide your own variables in the `varnish_config` dictionary for your custom template. + 
@@ -23,6 +37,9 @@ varnish_config: strip_cookies: (^|;\s*)(_[_a-z]+|has_js|AWSELB|cookie-agreed)=[^;]* # List of upstream proxies we trust to set X-Forwarded-For correctly, use either CIDR or list all the IPs. upstream_proxies: [] + # Provide an alternative filename if you are providing a template. + template_filename: default.vcl + ``` diff --git a/roles/debian/varnish_config/defaults/main.yml b/roles/debian/varnish_config/defaults/main.yml index ef16fcd9a..38f9bd90e 100644 --- a/roles/debian/varnish_config/defaults/main.yml +++ b/roles/debian/varnish_config/defaults/main.yml @@ -14,4 +14,6 @@ varnish_config: redirect_host_destination: "" strip_cookies: (^|;\s*)(_[_a-z]+|has_js|AWSELB|cookie-agreed)=[^;]* # List of upstream proxies we trust to set X-Forwarded-For correctly, use either CIDR or list all the IPs. - upstream_proxies: [] \ No newline at end of file + upstream_proxies: [] + # Provide an alternative filename if you are providing a template. + template_filename: default.vcl diff --git a/roles/debian/varnish_config/tasks/main.yml b/roles/debian/varnish_config/tasks/main.yml index 98f243aa3..7f8929355 100644 --- a/roles/debian/varnish_config/tasks/main.yml +++ b/roles/debian/varnish_config/tasks/main.yml @@ -1,11 +1,15 @@ --- - name: Copy Varnish default VCL. ansible.builtin.template: - src: "default.vcl.j2" + src: "{{ item }}" dest: "{{ varnish_config_path }}/default.vcl" owner: root group: root mode: 0644 + with_first_found: + - "{{ playbook_dir }}/templates/{{ varnish_config.template_filename }}.j2" + - "{{ _ce_provision_base_dir }}/config/files/templates/{{ varnish_config.template_filename }}.j2" + - "default.vcl.j2" notify: - reload systemd - - restart varnish \ No newline at end of file + - restart varnish diff --git a/roles/debian/wazuh/README.md b/roles/debian/wazuh/README.md index e7cba9b35..f6efaa7ca 100644 --- a/roles/debian/wazuh/README.md +++ b/roles/debian/wazuh/README.md 
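Review bot: in the `varnish_config/tasks/main.yml` hunk the `with_first_found` list ends with the role's own `default.vcl.j2` and has no `skip`, so a missing override falls through to the bundled template and a missing bundled template fails loudly, which is the right behaviour. What the two README hunks do not say is that an override replaces the whole VCL, including the `acl purge` and `acl upstream_proxy` blocks the role ships; add a sentence that a custom `template_filename` must carry its own purge and upstream-proxy ACLs, otherwise a copied-and-trimmed template silently loses those controls. Also quote the permission as `mode: '0644'`, as the openvpn tasks later in this series already do, so the value does not depend on YAML 1.1 octal parsing.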
@@ -11,6 +11,7 @@ Supports standalone managers, scaled out services and agent installation (defaul ```yaml --- wazuh: + path: wazuh #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version! # Agent variables, installed locally by default From a673e2749a4e713136dc8f87c7e4e9fbeebe81a3 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Mon, 11 Mar 2024 14:33:15 +0100 Subject: [PATCH 073/331] Varnish config pr 2.x (#1491) * Making Varnish template handling more flexible. * Adding empty line. * Minor template changes. --- roles/debian/varnish_config/templates/default.vcl.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/debian/varnish_config/templates/default.vcl.j2 b/roles/debian/varnish_config/templates/default.vcl.j2 index a2a6c480e..d9dd109bf 100644 --- a/roles/debian/varnish_config/templates/default.vcl.j2 +++ b/roles/debian/varnish_config/templates/default.vcl.j2 @@ -24,6 +24,8 @@ acl purge { # List of upstream proxies we trust to set X-Forwarded-For correctly. acl upstream_proxy { + "localhost"; + "127.0.0.1"; {% for proxy in varnish_config.upstream_proxies %} "{{ proxy }}"; {% endfor %} @@ -78,7 +80,7 @@ sub vcl_recv { } } -{% if varnish_config.redirect_host%} +{% if varnish_config.redirect_host %} if (req.http.host ~ "^{{ varnish_config.redirect_host }}") { return (synth (750, "")); } From 5cce0452912c9ddefc4829f64daf97dcce08ec18 Mon Sep 17 00:00:00 2001 
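Review bot: the `default.vcl.j2` hunk adds `"localhost";` and `"127.0.0.1";` to `acl upstream_proxy` unconditionally, while the commit message only says 'Minor template changes' and the documented default `upstream_proxies: []` still implies nothing is trusted. That ACL decides whose `X-Forwarded-For` Varnish believes, so any process that can reach the Varnish listener over loopback (another local service, a forwarded request, a compromised local account) can now choose the client address that logging and any IP-based logic behind Varnish see. Either fold the loopback entries into the configurable `upstream_proxies` default so they can be removed, or document in the README why loopback is trusted and what must sit in front of Varnish for that to be safe. The `{% if varnish_config.redirect_host %}` spacing fix in the same hunk is unrelated and cosmetic.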
From: Greg Harvey Date: Mon, 11 Mar 2024 14:33:32 +0100 Subject: [PATCH 074/331] Tls for postfix pr 2.x (#1493) * Some Apache docs updates. * Sorting TLS for SMTP in Postfix config. * Left bad domain in example cert paths. --- docs/roles/debian/apache.md | 8 +++++--- docs/roles/debian/postfix.md | 11 ++++++++++- roles/debian/apache/README.md | 8 +++++--- roles/debian/apache/defaults/main.yml | 8 +++++--- roles/debian/postfix/README.md | 11 ++++++++++- roles/debian/postfix/defaults/main.yml | 7 +++++++ roles/debian/postfix/templates/main.cf.j2 | 13 ++++++++++++- 7 files changed, 54 insertions(+), 12 deletions(-) diff --git a/docs/roles/debian/apache.md b/docs/roles/debian/apache.md index 1cf82d612..c39087ef8 100644 --- a/docs/roles/debian/apache.md +++ b/docs/roles/debian/apache.md @@ -55,16 +55,18 @@ apache: handling: selfsigned # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing: # handling: letsencrypt - # http_01_port: 5000 + # http_01_port: 80 # autorenew: true # email: sysadm@codeenigma.com - # services: [] + # services: + # - apache2 # web_server: standalone # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # reload_command: restart # reload: - # - apache + # - apache2 + # on_calendar: "Mon *-*-* 04:00:00" is_default: true basic_auth: auth_enabled: false diff --git a/docs/roles/debian/postfix.md b/docs/roles/debian/postfix.md index 0abe2aa0b..e63f3b70a 100644 --- a/docs/roles/debian/postfix.md +++ b/docs/roles/debian/postfix.md @@ -1,5 +1,7 @@ # Postfix -Installs and configures Postfix for sending mail. Mail sending is disabled by default. +Installs and configures Postfix for sending mail. Mail sending is disabled by default using transport maps. + +Full TLS SMTP support is optional by enabling SSL. 
@@ -36,6 +38,13 @@ postfix: aliases: [] #- user: root # alias: admin@example.com + # Basic optional SSL handling - does not currently use the SSL role, as it is likely being handled elsewhere + ssl: + enabled: false + smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem + smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/acme.com/privkey.pem + smtp_tls_CApath: /etc/ssl/certs + smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt ``` diff --git a/roles/debian/apache/README.md b/roles/debian/apache/README.md index 1cf82d612..c39087ef8 100644 --- a/roles/debian/apache/README.md +++ b/roles/debian/apache/README.md @@ -55,16 +55,18 @@ apache: handling: selfsigned # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing: # handling: letsencrypt - # http_01_port: 5000 + # http_01_port: 80 # autorenew: true # email: sysadm@codeenigma.com - # services: [] + # services: + # - apache2 # web_server: standalone # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # reload_command: restart # reload: - # - apache + # - apache2 + # on_calendar: "Mon *-*-* 04:00:00" is_default: true basic_auth: auth_enabled: false diff --git a/roles/debian/apache/defaults/main.yml b/roles/debian/apache/defaults/main.yml index e08cb15b4..0b187f183 100644 --- a/roles/debian/apache/defaults/main.yml +++ b/roles/debian/apache/defaults/main.yml 
@@ -45,16 +45,18 @@ apache: handling: selfsigned # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing: # handling: letsencrypt - # http_01_port: 5000 + # http_01_port: 80 # autorenew: true # email: sysadm@codeenigma.com - # services: [] + # services: + # - apache2 # web_server: standalone # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # reload_command: restart # reload: - # - apache + # - apache2 + # on_calendar: "Mon *-*-* 04:00:00" is_default: true basic_auth: auth_enabled: false diff --git a/roles/debian/postfix/README.md b/roles/debian/postfix/README.md index 0abe2aa0b..e63f3b70a 100644 --- a/roles/debian/postfix/README.md +++ b/roles/debian/postfix/README.md @@ -1,5 +1,7 @@ # Postfix -Installs and configures Postfix for sending mail. Mail sending is disabled by default. +Installs and configures Postfix for sending mail. Mail sending is disabled by default using transport maps. + +Full TLS SMTP support is optional by enabling SSL. @@ -36,6 +38,13 @@ postfix: aliases: [] #- user: root # alias: admin@example.com + # Basic optional SSL handling - does not currently use the SSL role, as it is likely being handled elsewhere + ssl: + enabled: false + smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem + smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/acme.com/privkey.pem + smtp_tls_CApath: /etc/ssl/certs + smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt ``` diff --git a/roles/debian/postfix/defaults/main.yml b/roles/debian/postfix/defaults/main.yml index e0f09c009..10e373b83 100644 --- a/roles/debian/postfix/defaults/main.yml +++ b/roles/debian/postfix/defaults/main.yml 
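Review bot: the postfix README hunk presents `ssl:` as 'Basic optional SSL handling', but the `main.cf.j2` change in this same patch reads `postfix.ssl.smtp_tls_CApath` and `postfix.ssl.smtp_tls_CAfile` whenever `use_ses` is true, and Ansible replaces rather than deep-merges a caller-supplied `postfix` dict, so an existing SES deployment whose config repository defines `postfix` without the new `ssl` block will fail at template render time. State in the docs that the `ssl` keys are required whenever `use_ses` is enabled, even with `enabled: false`, and call out that this is a breaking change for existing inventories.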
@@ -27,3 +27,10 @@ postfix: aliases: [] #- user: root # alias: admin@example.com + # Basic optional SSL handling - does not currently use the SSL role, as it is likely being handled elsewhere + ssl: + enabled: false + smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem + smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/acme.com/privkey.pem + smtp_tls_CApath: /etc/ssl/certs + smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt diff --git a/roles/debian/postfix/templates/main.cf.j2 b/roles/debian/postfix/templates/main.cf.j2 index d4dfa9853..4021d5b45 100644 --- a/roles/debian/postfix/templates/main.cf.j2 +++ b/roles/debian/postfix/templates/main.cf.j2 @@ -37,9 +37,20 @@ non_smtpd_milters = inet:localhost:8891 smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd +{% endif %} +{% if postfix.use_ses or postfix.ssl.enabled %} smtp_use_tls = yes smtp_tls_note_starttls_offer = yes -smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt +smtp_tls_CApath = {{ postix.ssl.smtp_tls_CApath }} +smtp_tls_CAfile = {{ postix.ssl.smtp_tls_CAfile }} +{% endif %} +{% if postfix.ssl.enabled %} +smtp_tls_cert_file = {{ postix.ssl.smtp_tls_cert_file }} +smtp_tls_key_file = {{ postix.ssl.smtp_tls_key_file }} +smtpd_tls_cert_file = {{ postix.ssl.smtp_tls_cert_file }} +smtpd_tls_key_file = {{ postix.ssl.smtp_tls_key_file }} +smtpd_tls_CApath = {{ postix.ssl.smtp_tls_CApath }} +smtpd_tls_CAfile = {{ postix.ssl.smtp_tls_CAfile }} {% endif %} {% if (is_local is defined) and is_local %} # Force all mail to ce-dev user. From a6b616709286282bd19f588659372c127416500a Mon Sep 17 00:00:00 2001 
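Review bot: every new template variable in the `main.cf.j2` hunk is spelled `postix.ssl.*` instead of `postfix.ssl.*` (eight occurrences, e.g. `smtp_tls_CApath = {{ postix.ssl.smtp_tls_CApath }}`), so the template fails with an undefined variable as soon as `use_ses` or `ssl.enabled` is true; rendering the role's templates in CI would catch this class of error before it reaches a mail host. On the TLS settings themselves, `smtp_use_tls = yes` is the pre-2.3 knob and only gives opportunistic STARTTLS with silent fallback to plaintext; if the README's 'Full TLS SMTP support' is the goal, set `smtp_tls_security_level = encrypt` (or at least `may`) explicitly and add `smtp_tls_loglevel = 1` so a downgrade to cleartext shows up in the mail log.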
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Mon, 11 Mar 2024 15:29:43 +0100 Subject: [PATCH 075/331] Setting-port-change-option-for-nginx (#1487) * Setting-port-change-option-for-nginx * Update main.yml * Update nginx.conf.j2 --------- Co-authored-by: Matej Stajduhar --- roles/aws/acl/defaults/main.yml | 26 ++++++ .../create_acl.yml => acl/tasks/main.yml} | 84 +++++++++++-------- .../tasks/main.yml | 5 +- 3 files changed, 80 insertions(+), 35 deletions(-) create mode 100644 roles/aws/acl/defaults/main.yml rename roles/aws/{aws_cloudfront_distribution/tasks/create_acl.yml => acl/tasks/main.yml} (68%) diff --git a/roles/aws/acl/defaults/main.yml b/roles/aws/acl/defaults/main.yml new file mode 100644 index 000000000..c1c2e0c3a --- /dev/null +++ b/roles/aws/acl/defaults/main.yml @@ -0,0 +1,26 @@ +--- +rate_limit: 200 +acl: + name: "dummy_master_acl" + scope: "CLOUDFRONT" # Can be "REGIONAL" for ALBs + region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped + + ip_allow: + name: "Allowed-ips" + list: + - 1.1.1.1/32 + - 2.2.2.2/32 + - 3.3.3.3/32 + + ip_block: + name: "Blocked-ips" + list: + - 4.4.4.4/32 + - 5.5.5.5/32 + - 6.6.6.6/32 + + cc_block_list: + - BY # Belarus + - CN # China + - IR # Iran + - SA # Saudi Arabia \ No newline at end of file diff --git a/roles/aws/aws_cloudfront_distribution/tasks/create_acl.yml b/roles/aws/acl/tasks/main.yml similarity index 68% rename from roles/aws/aws_cloudfront_distribution/tasks/create_acl.yml rename to roles/aws/acl/tasks/main.yml index fa1cdde99..8bf6efb80 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/create_acl.yml +++ b/roles/aws/acl/tasks/main.yml 
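Review bot: `rate_limit: 200` sits at the top level of the new `roles/aws/acl/defaults/main.yml` while every other setting lives under `acl`; a bare name like that is easy to clobber from, or leak into, other roles and plays, so move it to `acl.rate_limit` and adjust the `when: rate_limit is defined` check accordingly. The default `ip_allow` and `ip_block` lists also contain real, routable addresses (`1.1.1.1/32` is a public resolver), and the tasks only test `is defined`, so anyone who picks up these defaults unmodified gets a WAF that allow-lists and block-lists addresses they never chose; ship them as commented examples or empty lists. The diffstat has no README for the new role, and the subject 'Setting-port-change-option-for-nginx' does not describe a WAF ACL refactor.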
@@ -2,25 +2,58 @@ ansible.builtin.set_fact: acl_rules: [] +- name: Set IP block rule + when: acl.ip_block is defined + block: + - name: Create IP block set for WAF + community.aws.wafv2_ip_set: + name: "{{ acl.ip_block.name }}" + state: present + description: Set of blocked IPs + scope: "{{ acl.scope }}" + region: "{{ acl.region }}" + ip_address_version: IPV4 + addresses: "{{ acl.ip_block.list }}" + register: ip_set_info + + - name: Create IP block rule + ansible.builtin.set_fact: + ip_block_rule: + - name: "{{ acl.ip_block.name }}" + priority: 0 + action: + block: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: Block_IPs + statement: + ip_set_reference_statement: + arn: "{{ ip_set_info.arn }}" + + - name: Add rule to list + ansible.builtin.set_fact: + acl_rules: "{{ acl_rules + ip_block_rule }}" + - name: Set IP allow rule - when: cf_acl.ip_allow is defined + when: acl.ip_allow is defined block: - name: Create IP allow set for WAF community.aws.wafv2_ip_set: - name: "{{ cf_acl.ip_allow.name }}" + name: "{{ acl.ip_allow.name }}" state: present description: Set of allowed IPs - scope: "{{ cf_acl.scope }}" - region: "{{ cf_acl.region }}" + scope: "{{ acl.scope }}" + region: "{{ acl.region }}" ip_address_version: IPV4 - addresses: "{{ cf_acl.ip_allow.list }}" + addresses: "{{ acl.ip_allow.list }}" register: ip_set_info - name: Create IP allow rule ansible.builtin.set_fact: ip_allow_rule: - - name: allow_ips - priority: 0 + - name: "{{ acl.ip_allow.name }}" + priority: 1 action: allow: {} visibility_config: 
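Review bot: the reordering in this hunk gives `ip_block` priority 0 and `ip_allow` priority 1, which is the right way round for overlapping lists (block wins), but because WAFv2 stops at the first terminating rule, every address in `ip_allow` now also bypasses the country block (priority 2) and the rate limit (priority 3) that follow it. That is a sensible 'trusted sources' semantic, but it needs to be written down in the role docs so nobody puts a broad CIDR in `ip_allow` expecting the rate limit to still apply to it. The `register: ip_set_info` name is shared by the block and allow blocks; it works because each block consumes the fact immediately, but distinct names would make a later refactor safer.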
@@ -35,25 +68,14 @@ ansible.builtin.set_fact: acl_rules: "{{ acl_rules + ip_allow_rule }}" -- name: Set IP block rule - when: cf_acl.ip_block is defined +- name: Set country block rule + when: acl.cc_block_list is defined block: - - name: Create IP block set for WAF - community.aws.wafv2_ip_set: - name: "{{ cf_acl.ip_block.name }}" - state: present - description: Set of blocked IPs - scope: "{{ cf_acl.scope }}" - region: "{{ cf_acl.region }}" - ip_address_version: IPV4 - addresses: "{{ cf_acl.ip_block.list }}" - register: ip_set_info - - - name: Create IP block rule + - name: Create country block rule ansible.builtin.set_fact: - ip_block_rule: + cc_block_rule: - name: block_countries - priority: 1 + priority: 2 action: block: {} visibility_config: @@ -62,25 +84,21 @@ metric_name: block_countries statement: geo_match_statement: # Can't find the actual name, I got this from aws rule JSON formated - country_codes: "{{ cf_acl.cc_block_list }}" + country_codes: "{{ acl.cc_block_list }}" - name: Add rule to list ansible.builtin.set_fact: - acl_rules: "{{ acl_rules + ip_block_rule}}" + acl_rules: "{{ acl_rules + cc_block_rule }}" # Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int) - name: Set rate limit variable when: rate_limit is defined block: - - name: Define r_limit to avoid issues - ansible.builtin.set_fact: - r_limit: "{{ rate_limit | int }}" - - name: Define rate rule ansible.builtin.set_fact: rate_rule: - name: rate_limit - priority: 2 + priority: 3 action: block: {} visibility_config: 
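Review bot: the `r_limit` set_fact is removed but the comment above it, '# Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int)', is kept, and the `limit:` line of `rate_rule` is outside this hunk, so either the `| int` cast moved into the rule (then update the comment to say so) or the string-versus-int problem the comment describes is back; please confirm the value reaches `rate_based_statement` as an integer. `geo_match_statement` with `country_codes` matches the WAFv2 API's GeoMatchStatement in the module's snake_case form, so the 'Can't find the actual name' comment can go as well.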
@@ -98,10 +116,10 @@ - name: Create web acl community.aws.wafv2_web_acl: - name: "{{ cf_acl.acl_name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ + name: "{{ acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ description: "WAF protecting the {{ _domain_name }}" - scope: "{{ cf_acl.scope }}" - region: "{{ cf_acl.region }}" + scope: "{{ acl.scope }}" + region: "{{ acl.region }}" default_action: Allow # or "Block" sampled_requests: false cloudwatch_metrics: true # or "false" to disable metrics diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml index 4e03c4069..fa1fb91c3 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml @@ -1,7 +1,8 @@ --- - name: Create web acl if defined - ansible.builtin.include_tasks: create_acl.yml - when: cf_acl is defined + ansible.builtin.include_role: + name: aws/acl + when: acl is defined - name: Create a CloudFront distribution. community.aws.cloudfront_distribution: From 56eb829ca7a32227785965a3e4a37291b534fd91 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Mon, 11 Mar 2024 17:26:58 +0100 Subject: [PATCH 076/331] Tls for postfix pr 2.x (#1498) * Some Apache docs updates. * Sorting TLS for SMTP in Postfix config. * Left bad domain in example cert paths. * Typo in template var names. --- roles/debian/postfix/templates/main.cf.j2 | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/debian/postfix/templates/main.cf.j2 b/roles/debian/postfix/templates/main.cf.j2 index 4021d5b45..e79389db4 100644 --- a/roles/debian/postfix/templates/main.cf.j2 +++ b/roles/debian/postfix/templates/main.cf.j2 
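Review bot: `description: "WAF protecting the {{ _domain_name }}"` in the `Create web acl` task still refers to `_domain_name`, a fact the CloudFront role sets; now that `aws/acl` is a standalone role and `acl.scope` may be `REGIONAL` for an ALB, a caller outside CloudFront hits an undefined variable here. Use `{{ _domain_name | default(acl.name) }}` or build the description from `acl` alone. In the `aws_cloudfront_distribution` hunk, `when: acl is defined` is evaluated before the included role's defaults load, so `acl` must come from the caller; that is fine, but it means the placeholder `acl` dict in the role defaults is never what gets applied, which is one more reason to replace it with documented examples.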
@@ -41,16 +41,16 @@ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd {% if postfix.use_ses or postfix.ssl.enabled %} smtp_use_tls = yes smtp_tls_note_starttls_offer = yes -smtp_tls_CApath = {{ postix.ssl.smtp_tls_CApath }} -smtp_tls_CAfile = {{ postix.ssl.smtp_tls_CAfile }} +smtp_tls_CApath = {{ postfix.ssl.smtp_tls_CApath }} +smtp_tls_CAfile = {{ postfix.ssl.smtp_tls_CAfile }} {% endif %} {% if postfix.ssl.enabled %} -smtp_tls_cert_file = {{ postix.ssl.smtp_tls_cert_file }} -smtp_tls_key_file = {{ postix.ssl.smtp_tls_key_file }} -smtpd_tls_cert_file = {{ postix.ssl.smtp_tls_cert_file }} -smtpd_tls_key_file = {{ postix.ssl.smtp_tls_key_file }} -smtpd_tls_CApath = {{ postix.ssl.smtp_tls_CApath }} -smtpd_tls_CAfile = {{ postix.ssl.smtp_tls_CAfile }} +smtp_tls_cert_file = {{ postfix.ssl.smtp_tls_cert_file }} +smtp_tls_key_file = {{ postfix.ssl.smtp_tls_key_file }} +smtpd_tls_cert_file = {{ postfix.ssl.smtp_tls_cert_file }} +smtpd_tls_key_file = {{ postfix.ssl.smtp_tls_key_file }} +smtpd_tls_CApath = {{ postfix.ssl.smtp_tls_CApath }} +smtpd_tls_CAfile = {{ postfix.ssl.smtp_tls_CAfile }} {% endif %} {% if (is_local is defined) and is_local %} # Force all mail to ce-dev user. From 0f45c51501f3680c52a02a6a2cee642be2c3b9de Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 12 Mar 2024 11:19:50 +0100 Subject: [PATCH 077/331] Changing-LE-default-vhost (#1500) --- roles/debian/nginx/templates/vhost_letsencrypt.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/nginx/templates/vhost_letsencrypt.j2 b/roles/debian/nginx/templates/vhost_letsencrypt.j2 index b3f85d544..72a5cdd45 100644 --- a/roles/debian/nginx/templates/vhost_letsencrypt.j2 +++ b/roles/debian/nginx/templates/vhost_letsencrypt.j2 
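Review bot: with the `postix` typo fixed, the `{% if postfix.ssl.enabled %}` block still sets `smtpd_tls_cert_file`, `smtpd_tls_key_file`, `smtpd_tls_CApath` and `smtpd_tls_CAfile` without `smtpd_tls_security_level`, so the inbound (server-side) key material is loaded but STARTTLS is never offered to connecting clients. Add `smtpd_tls_security_level = may` if inbound TLS is intended, or drop the `smtpd_*` lines if the role is only meant to send mail, as its README says. A one-line fix to a typo that broke every render is also a good argument for a template-render step in CI.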
@@ -1,7 +1,7 @@ ### {{ ansible_managed }} server { - listen 80; + listen 443; server_name {{ domain.server_name }}; error_log {{ domain.error_log }} {{ domain.error_log_level }}; access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }}; From 770028cda8334d5d7424b62ccf0aa4a09d577c3d Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 12 Mar 2024 13:10:14 +0100 Subject: [PATCH 078/331] Handling allowing client config template for ovpn to have an FQDN. (#1502) --- docs/roles/debian/openvpn.md | 1 + roles/debian/openvpn/README.md | 1 + roles/debian/openvpn/defaults/main.yml | 1 + roles/debian/openvpn/tasks/main.yml | 10 ++++++++++ 4 files changed, 13 insertions(+) diff --git a/docs/roles/debian/openvpn.md b/docs/roles/debian/openvpn.md index 54fa885b6..0d4529d9d 100644 --- a/docs/roles/debian/openvpn.md +++ b/docs/roles/debian/openvpn.md @@ -20,6 +20,7 @@ At the moment we do not support headless customisation of encryption settings. T --- openvpn: script_install_path: "/home/{{ user_provision.username }}" + fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty auto_install: true # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md index 54fa885b6..0d4529d9d 100644 --- a/roles/debian/openvpn/README.md +++ b/roles/debian/openvpn/README.md @@ -20,6 +20,7 @@ At the moment we do not support headless customisation of encryption settings. T --- openvpn: script_install_path: "/home/{{ user_provision.username }}" + fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty auto_install: true # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" 
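Review bot: the `vhost_letsencrypt.j2` hunk changes `listen 80;` to `listen 443;` without the `ssl` parameter and without any `ssl_certificate` directives, so nginx will serve plain HTTP on port 443 for this vhost, and the Let's Encrypt HTTP-01 challenge, which the CA fetches over port 80, is no longer answered by it. If the intent is to stop exposing the challenge vhost on 80, it needs a different mechanism; if it is meant to become the TLS vhost, it needs `listen 443 ssl;` plus certificate paths. The commit message gives no motivation, so please add one.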
diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml index 21ad4bc44..66287ae08 100644 --- a/roles/debian/openvpn/defaults/main.yml +++ b/roles/debian/openvpn/defaults/main.yml @@ -1,6 +1,7 @@ --- openvpn: script_install_path: "/home/{{ user_provision.username }}" + fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty auto_install: true # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml index 4943530c0..db9c44ee0 100644 --- a/roles/debian/openvpn/tasks/main.yml +++ b/roles/debian/openvpn/tasks/main.yml @@ -168,6 +168,16 @@ mode: '0644' when: openvpn.tls_cipher | length > 0 +- name: Use FQDN as OpenVPN server remote in client config. + ansible.builtin.lineinfile: + path: /etc/openvpn/client-template.txt + regexp: '^remote (.*) 1194$' + line: "remote {{ openvpn.fqdn }}" + owner: root + group: root + mode: '0644' + when: openvpn.fqdn | length > 0 + - name: Allow FQDN push routes. ansible.builtin.lineinfile: path: /etc/openvpn/client-template.txt From 8de80abdcb94c6179dd019df239b7308de989224 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 12 Mar 2024 13:20:57 +0100 Subject: [PATCH 079/331] Openvpn client fqdn pr 2.x (#1504) * Supporting a fixed PHP version with a fixed port number. * Accidently re-added the old VPN role - re-deleting! * Handling allowing client config template for ovpn to have an FQDN. * Let's not assume port 1194 for ovpn. --- roles/debian/openvpn/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml index db9c44ee0..6c8c19c3e 100644 --- a/roles/debian/openvpn/tasks/main.yml +++ b/roles/debian/openvpn/tasks/main.yml 
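Review bot: in the openvpn tasks hunk the regexp `'^remote (.*) 1194$'` captures the address, but `line: "remote {{ openvpn.fqdn }}"` drops the port entirely, so the rewritten client config relies on OpenVPN's client default of 1194; it happens to work for the default port and breaks for any other. Since the value of `openvpn.fqdn` ends up in a file handed to every VPN client, the README entry should also say the FQDN must resolve to the server from the clients' networks, not just from the provisioning host.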
@@ -171,7 +171,7 @@ - name: Use FQDN as OpenVPN server remote in client config. ansible.builtin.lineinfile: path: /etc/openvpn/client-template.txt - regexp: '^remote (.*) 1194$' + regexp: '^remote (.*)' line: "remote {{ openvpn.fqdn }}" owner: root group: root From dd414608eada37cdeab12e33ed3807c6886b2684 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 12 Mar 2024 17:30:19 +0100 Subject: [PATCH 080/331] Openvpn client fqdn pr 2.x (#1506) * Supporting a fixed PHP version with a fixed port number. * Accidently re-added the old VPN role - re-deleting! * Handling allowing client config template for ovpn to have an FQDN. * Let's not assume port 1194 for ovpn. * Tweaking FQDN handling in ovpn. --- docs/roles/debian/openvpn.md | 2 +- roles/debian/openvpn/README.md | 2 +- roles/debian/openvpn/defaults/main.yml | 2 +- roles/debian/openvpn/tasks/main.yml | 5 +++-- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/roles/debian/openvpn.md b/docs/roles/debian/openvpn.md index 0d4529d9d..7acf4980b 100644 --- a/docs/roles/debian/openvpn.md +++ b/docs/roles/debian/openvpn.md @@ -20,7 +20,7 @@ At the moment we do not support headless customisation of encryption settings. T --- openvpn: script_install_path: "/home/{{ user_provision.username }}" - fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty + fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty - only works with port_choice: "1" auto_install: true # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md index 0d4529d9d..7acf4980b 100644 --- a/roles/debian/openvpn/README.md +++ b/roles/debian/openvpn/README.md 
@@ -20,7 +20,7 @@ At the moment we do not support headless customisation of encryption settings. T --- openvpn: script_install_path: "/home/{{ user_provision.username }}" - fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty + fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty - only works with port_choice: "1" auto_install: true # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml index 66287ae08..919dbe884 100644 --- a/roles/debian/openvpn/defaults/main.yml +++ b/roles/debian/openvpn/defaults/main.yml @@ -1,7 +1,7 @@ --- openvpn: script_install_path: "/home/{{ user_provision.username }}" - fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty + fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty - only works with port_choice: "1" auto_install: true # post install server config tweaks ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0" diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml index 6c8c19c3e..6f46d5286 100644 --- a/roles/debian/openvpn/tasks/main.yml +++ b/roles/debian/openvpn/tasks/main.yml 
@@ -168,11 +168,12 @@ mode: '0644' when: openvpn.tls_cipher | length > 0 +# Only works when openvpn.port_choice == '1' because otherwise port will not be 1194 and regexp will not match - name: Use FQDN as OpenVPN server remote in client config. ansible.builtin.lineinfile: path: /etc/openvpn/client-template.txt - regexp: '^remote (.*)' - line: "remote {{ openvpn.fqdn }}" + regexp: '^remote (.*) 1194' + line: "remote {{ openvpn.fqdn }} 1194" owner: root group: root mode: '0644' From e1fa4a08e9d97724741a2f78407e1eea977b1b91 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 13 Mar 2024 16:54:40 +0100 Subject: [PATCH 081/331] Adding volume handling options for Packer. (#1508) --- roles/aws/aws_ami/defaults/main.yml | 4 ++++ roles/aws/aws_ami/templates/packer.json.j2 | 8 ++++++++ roles/debian/mount_sync/README.md | 5 +++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_ami/defaults/main.yml b/roles/aws/aws_ami/defaults/main.yml index 9a0d64566..0316a1b2a 100644 --- a/roles/aws/aws_ami/defaults/main.yml +++ b/roles/aws/aws_ami/defaults/main.yml @@ -10,6 +10,10 @@ aws_ami: owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" encrypt_boot: false + # EBS volume options + device_name: /dev/xvda # default for Debian AMIs + volume_type: gp3 + volume_size: 20 #vpc_filter: "example" # If defined, Packer will search for a VPC with the `Name` tag of the value given. vpc_id takes precednece over this if both are defined. This also assumes the VPC is not the default and has a CIDR block of /16. vpc_filter: "" #subnet_filter_az: "a" # If vpc_id and/or vpc_filter are defined, subnet_filter_az MUST be defined and must match an AZ that has public networking. diff --git a/roles/aws/aws_ami/templates/packer.json.j2 b/roles/aws/aws_ami/templates/packer.json.j2 index 24dcf20ab..84e01c1dd 100755 --- a/roles/aws/aws_ami/templates/packer.json.j2 +++ b/roles/aws/aws_ami/templates/packer.json.j2 
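Review bot: the new comment '# Only works when openvpn.port_choice == '1'' records the limitation, but the task has no `when` on `port_choice`, and without `backrefs: true` `lineinfile` appends `line` when `'^remote (.*) 1194'` matches nothing, so on a non-default port `client-template.txt` ends up with the original `remote <ip> <port>` line plus a second, wrong `remote {{ openvpn.fqdn }} 1194`. Either add `and openvpn.port_choice == '1'` to the `when`, or capture the port and use backrefs, for example `regexp: '^remote \S+ (\d+)$'` with `line: 'remote {{ openvpn.fqdn }} \1'` and `backrefs: true`, which works for any port and leaves the file untouched when there is no match.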
@@ -14,6 +14,14 @@ "ami_name": "{{ aws_ami.ami_name }}", "associate_public_ip_address": true, "encrypt_boot": "{{ aws_ami.encrypt_boot }}", + "launch_block_device_mappings": [ + { + "device_name": "{{ aws_ami.device_name }}", + "volume_type": "{{ aws_ami.volume_type }}", + "volume_size": {{ aws_ami.volume_size }}, + "delete_on_termination": true + } + ] "source_ami_filter": { "filters": { "virtualization-type": "{{ aws_ami.virtualization_type }}", diff --git a/roles/debian/mount_sync/README.md b/roles/debian/mount_sync/README.md index 50d1475ca..56a828ddc 100644 --- a/roles/debian/mount_sync/README.md +++ b/roles/debian/mount_sync/README.md @@ -5,8 +5,9 @@ It will: - perform an initial rsync using a cloud-init script - use Unison to perform regular checks (mostly to catch edge-cases where an instance would be spinned up during the middle of a deployment) - - + + + ## Default variables From 0f84dc0314403dbfa22c260d9de0eb5759be1d15 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 13 Mar 2024 17:26:32 +0100 Subject: [PATCH 082/331] Packer volume handling pr 2.x (#1510) * Adding volume handling options for Packer. * Missed a comma in the template, plus adding docs. --- docs/roles/aws/aws_ami.md | 4 ++++ docs/roles/debian/mount_sync.md | 5 +++-- roles/aws/aws_ami/README.md | 4 ++++ roles/aws/aws_ami/templates/packer.json.j2 | 2 +- 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/roles/aws/aws_ami.md b/docs/roles/aws/aws_ami.md index c28fde556..2d53374d7 100644 --- a/docs/roles/aws/aws_ami.md +++ b/docs/roles/aws/aws_ami.md 
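Review bot: the closing `+ ]` of the new `launch_block_device_mappings` array is missing a trailing comma before `"source_ami_filter"`, so the rendered packer.json is invalid JSON and Packer will refuse to parse it (the next commit, #1510, fixes exactly this). Should read `],`. Leaving `"volume_size": {{ aws_ami.volume_size }}` unquoted is correct since Packer expects a number there.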
@@ -30,6 +30,10 @@ aws_ami: owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" encrypt_boot: false + # EBS volume options + device_name: /dev/xvda # default for Debian AMIs + volume_type: gp3 + volume_size: 20 #vpc_filter: "example" # If defined, Packer will search for a VPC with the `Name` tag of the value given. vpc_id takes precednece over this if both are defined. This also assumes the VPC is not the default and has a CIDR block of /16. vpc_filter: "" #subnet_filter_az: "a" # If vpc_id and/or vpc_filter are defined, subnet_filter_az MUST be defined and must match an AZ that has public networking. diff --git a/docs/roles/debian/mount_sync.md b/docs/roles/debian/mount_sync.md index 50d1475ca..56a828ddc 100644 --- a/docs/roles/debian/mount_sync.md +++ b/docs/roles/debian/mount_sync.md @@ -5,8 +5,9 @@ It will: - perform an initial rsync using a cloud-init script - use Unison to perform regular checks (mostly to catch edge-cases where an instance would be spinned up during the middle of a deployment) - - + + + ## Default variables diff --git a/roles/aws/aws_ami/README.md b/roles/aws/aws_ami/README.md index c28fde556..2d53374d7 100644 --- a/roles/aws/aws_ami/README.md +++ b/roles/aws/aws_ami/README.md @@ -30,6 +30,10 @@ aws_ami: owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" encrypt_boot: false + # EBS volume options + device_name: /dev/xvda # default for Debian AMIs + volume_type: gp3 + volume_size: 20 #vpc_filter: "example" # If defined, Packer will search for a VPC with the `Name` tag of the value given. vpc_id takes precednece over this if both are defined. This also assumes the VPC is not the default and has a CIDR block of /16. vpc_filter: "" #subnet_filter_az: "a" # If vpc_id and/or vpc_filter are defined, subnet_filter_az MUST be defined and must match an AZ that has public networking. 
diff --git a/roles/aws/aws_ami/templates/packer.json.j2 b/roles/aws/aws_ami/templates/packer.json.j2 index 84e01c1dd..5efd118b6 100755 --- a/roles/aws/aws_ami/templates/packer.json.j2 +++ b/roles/aws/aws_ami/templates/packer.json.j2 @@ -21,7 +21,7 @@ "volume_size": {{ aws_ami.volume_size }}, "delete_on_termination": true } - ] + ], "source_ami_filter": { "filters": { "virtualization-type": "{{ aws_ami.virtualization_type }}", From 105e497b4df8a729da9248ce2f1f634f13efb8fc Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 14 Mar 2024 12:06:55 +0100 Subject: [PATCH 083/331] Upading-ssl-vars (#1512) * Upading-ssl-vars * Building-docs --- docs/roles/debian/apache.md | 1 + docs/roles/debian/ldap_server.md | 1 + docs/roles/debian/nginx.md | 1 + docs/roles/debian/ossec.md | 1 + roles/debian/apache/README.md | 1 + roles/debian/apache/defaults/main.yml | 1 + roles/debian/jenkins/tasks/main.yml | 1 + roles/debian/ldap_server/README.md | 1 + roles/debian/ldap_server/defaults/main.yml | 1 + roles/debian/nginx/README.md | 1 + roles/debian/nginx/defaults/main.yml | 1 + roles/debian/ossec/README.md | 1 + roles/debian/ossec/defaults/main.yml | 1 + 13 files changed, 13 insertions(+) diff --git a/docs/roles/debian/apache.md b/docs/roles/debian/apache.md index c39087ef8..3902bfdab 100644 --- a/docs/roles/debian/apache.md +++ b/docs/roles/debian/apache.md @@ -51,6 +51,7 @@ apache: webroot: "/var/www/html" project_type: "flat" ssl: # @see the 'ssl' role. + replace_existing: false domain: "{{ _domain_name }}" handling: selfsigned # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing: diff --git a/docs/roles/debian/ldap_server.md b/docs/roles/debian/ldap_server.md index 6514e4779..2bcd0b378 100644 --- a/docs/roles/debian/ldap_server.md +++ b/docs/roles/debian/ldap_server.md 
@@ -90,6 +90,7 @@ ldap_server: # olcTLSCertificateFile: /etc/letsencrypt/live/{{ _domain_name }}/cert.pem # olcTLSCertificateKeyFile: /etc/letsencrypt/live/{{ _domain_name }}/privkey.pem ssl: # @see the 'ssl' role - does nothing by default. + replace_existing: false domain: "{{ _domain_name }}" handling: "unmanaged" key: "" diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index d9ff961ff..340ef09da 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md @@ -53,6 +53,7 @@ nginx: webroot: "/var/www/html" project_type: "flat" ssl: # @see the 'ssl' role. + replace_existing: false domains: - "{{ _domain_name }}" handling: selfsigned diff --git a/docs/roles/debian/ossec.md b/docs/roles/debian/ossec.md index 6126a0907..30d418e5d 100644 --- a/docs/roles/debian/ossec.md +++ b/docs/roles/debian/ossec.md @@ -34,6 +34,7 @@ ossec: ssl: domain: "ossec.example.com" handling: "selfsigned" + replace_existing: false syscheck: frequency: 79200 diff --git a/roles/debian/apache/README.md b/roles/debian/apache/README.md index c39087ef8..3902bfdab 100644 --- a/roles/debian/apache/README.md +++ b/roles/debian/apache/README.md @@ -51,6 +51,7 @@ apache: webroot: "/var/www/html" project_type: "flat" ssl: # @see the 'ssl' role. + replace_existing: false domain: "{{ _domain_name }}" handling: selfsigned # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing: diff --git a/roles/debian/apache/defaults/main.yml b/roles/debian/apache/defaults/main.yml index 0b187f183..b6705c0e4 100644 --- a/roles/debian/apache/defaults/main.yml +++ b/roles/debian/apache/defaults/main.yml @@ -41,6 +41,7 @@ apache: webroot: "/var/www/html" project_type: "flat" ssl: # @see the 'ssl' role. + replace_existing: false domain: "{{ _domain_name }}" handling: selfsigned # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing: 
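Review bot: the ossec hunks insert `replace_existing: false` after `handling`, whereas every other hunk in this patch puts it as the first key under `ssl:`. Ordering is irrelevant to YAML, but a consistent position makes the README/docs copies easier to diff against `defaults/main.yml`, which is the point of keeping them in lockstep.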
diff --git a/roles/debian/jenkins/tasks/main.yml b/roles/debian/jenkins/tasks/main.yml index a14ae2f7b..6262d4478 100644 --- a/roles/debian/jenkins/tasks/main.yml +++ b/roles/debian/jenkins/tasks/main.yml @@ -21,6 +21,7 @@ name: debian/ssl vars: ssl: + replace_existing: false domain: "{{ jenkins.server_name }}" services: [] diff --git a/roles/debian/ldap_server/README.md b/roles/debian/ldap_server/README.md index 6514e4779..2bcd0b378 100644 --- a/roles/debian/ldap_server/README.md +++ b/roles/debian/ldap_server/README.md @@ -90,6 +90,7 @@ ldap_server: # olcTLSCertificateFile: /etc/letsencrypt/live/{{ _domain_name }}/cert.pem # olcTLSCertificateKeyFile: /etc/letsencrypt/live/{{ _domain_name }}/privkey.pem ssl: # @see the 'ssl' role - does nothing by default. + replace_existing: false domain: "{{ _domain_name }}" handling: "unmanaged" key: "" diff --git a/roles/debian/ldap_server/defaults/main.yml b/roles/debian/ldap_server/defaults/main.yml index 8178688a0..249fff7ec 100644 --- a/roles/debian/ldap_server/defaults/main.yml +++ b/roles/debian/ldap_server/defaults/main.yml @@ -24,6 +24,7 @@ ldap_server: # olcTLSCertificateFile: /etc/letsencrypt/live/{{ _domain_name }}/cert.pem # olcTLSCertificateKeyFile: /etc/letsencrypt/live/{{ _domain_name }}/privkey.pem ssl: # @see the 'ssl' role - does nothing by default. + replace_existing: false domain: "{{ _domain_name }}" handling: "unmanaged" key: "" diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index d9ff961ff..340ef09da 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md @@ -53,6 +53,7 @@ nginx: webroot: "/var/www/html" project_type: "flat" ssl: # @see the 'ssl' role. + replace_existing: false domains: - "{{ _domain_name }}" handling: selfsigned diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index 4b8ba307d..9d0620e92 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml 
@@ -41,6 +41,7 @@ nginx: webroot: "/var/www/html" project_type: "flat" ssl: # @see the 'ssl' role. + replace_existing: false domains: - "{{ _domain_name }}" handling: selfsigned diff --git a/roles/debian/ossec/README.md b/roles/debian/ossec/README.md index 6126a0907..30d418e5d 100644 --- a/roles/debian/ossec/README.md +++ b/roles/debian/ossec/README.md @@ -34,6 +34,7 @@ ossec: ssl: domain: "ossec.example.com" handling: "selfsigned" + replace_existing: false syscheck: frequency: 79200 diff --git a/roles/debian/ossec/defaults/main.yml b/roles/debian/ossec/defaults/main.yml index b60a9c15a..5c8c681c8 100644 --- a/roles/debian/ossec/defaults/main.yml +++ b/roles/debian/ossec/defaults/main.yml @@ -26,6 +26,7 @@ ossec: ssl: domain: "ossec.example.com" handling: "selfsigned" + replace_existing: false syscheck: frequency: 79200 From 3b44d08b157ca4d0799b8fc9475fc085f9212cb2 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 14 Mar 2024 13:06:38 +0100 Subject: [PATCH 084/331] Fixing-ldap-role-ssl-task (#1514) --- roles/debian/ldap_server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/ldap_server/tasks/main.yml b/roles/debian/ldap_server/tasks/main.yml index a802561b1..55e2d9999 100644 --- a/roles/debian/ldap_server/tasks/main.yml +++ b/roles/debian/ldap_server/tasks/main.yml @@ -190,4 +190,4 @@ slapd_backups: timer_command: "/usr/local/bin/slap-bak && find /opt/slap-bak/ -type f -mtime +60 -print0 | xargs -0 -r rm" timer_OnCalendar: "{{ ldap_server.config.on_calendar }}" - when: ssl.autorenew + when: ldap_server.config.backup From af02c20d56301274807fb298b42d6835243177e9 Mon Sep 17 00:00:00 2001 
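Review bot: the `when: ldap_server.config.backup` fix in ldap_server/tasks/main.yml is right; the slapd backup timer was gated on `ssl.autorenew`, an unrelated variable, so backups were only installed when certificate auto-renewal happened to be on. Worth confirming `ldap_server.config.backup` has a default in the role's `defaults/main.yml` (not part of this diff), otherwise hosts that do not set it fail with an undefined-variable error instead of skipping the task.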
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 14 Mar 2024 15:24:00 +0100 Subject: [PATCH 085/331] r68725-Updating-ACL-role-to-include-ALB-2x (#1518) Co-authored-by: Matej Stajduhar --- roles/aws/{acl => aws_acl}/defaults/main.yml | 2 +- roles/aws/{acl => aws_acl}/tasks/main.yml | 65 +++++++++++-------- .../tasks/main.yml | 8 ++- roles/aws/aws_elb/tasks/main.yml | 7 ++ 4 files changed, 50 insertions(+), 32 deletions(-) rename roles/aws/{acl => aws_acl}/defaults/main.yml (98%) rename roles/aws/{acl => aws_acl}/tasks/main.yml (67%) diff --git a/roles/aws/acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml similarity index 98% rename from roles/aws/acl/defaults/main.yml rename to roles/aws/aws_acl/defaults/main.yml index c1c2e0c3a..8845df2d6 100644 --- a/roles/aws/acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml @@ -1,6 +1,6 @@ --- rate_limit: 200 -acl: +aws_acl: name: "dummy_master_acl" scope: "CLOUDFRONT" # Can be "REGIONAL" for ALBs region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped diff --git a/roles/aws/acl/tasks/main.yml b/roles/aws/aws_acl/tasks/main.yml similarity index 67% rename from roles/aws/acl/tasks/main.yml rename to roles/aws/aws_acl/tasks/main.yml index 8bf6efb80..43ca97338 100644 --- a/roles/aws/acl/tasks/main.yml +++ b/roles/aws/aws_acl/tasks/main.yml 
@@ -1,25 +1,25 @@ - name: Define dict for rules ansible.builtin.set_fact: - acl_rules: [] + _acl_rules: [] - name: Set IP block rule - when: acl.ip_block is defined + when: aws_acl.ip_block is defined block: - name: Create IP block set for WAF community.aws.wafv2_ip_set: - name: "{{ acl.ip_block.name }}" + name: "{{ aws_acl.ip_block.name }}" state: present description: Set of blocked IPs - scope: "{{ acl.scope }}" - region: "{{ acl.region }}" + scope: "{{ aws_acl.scope }}" + region: "{{ aws_acl.region }}" ip_address_version: IPV4 - addresses: "{{ acl.ip_block.list }}" - register: ip_set_info + addresses: "{{ aws_acl.ip_block.list }}" + register: _ip_set_info - name: Create IP block rule ansible.builtin.set_fact: ip_block_rule: - - name: "{{ acl.ip_block.name }}" + - name: "{{ aws_acl.ip_block.name }}" priority: 0 action: block: {} @@ -29,30 +29,30 @@ metric_name: Block_IPs statement: ip_set_reference_statement: - arn: "{{ ip_set_info.arn }}" + arn: "{{ _ip_set_info.arn }}" - name: Add rule to list ansible.builtin.set_fact: - acl_rules: "{{ acl_rules + ip_block_rule }}" + _acl_rules: "{{ _acl_rules + ip_block_rule }}" - name: Set IP allow rule - when: acl.ip_allow is defined + when: aws_acl.ip_allow is defined block: - name: Create IP allow set for WAF community.aws.wafv2_ip_set: - name: "{{ acl.ip_allow.name }}" + name: "{{ aws_acl.ip_allow.name }}" state: present description: Set of allowed IPs - scope: "{{ acl.scope }}" - region: "{{ acl.region }}" + scope: "{{ aws_acl.scope }}" + region: "{{ aws_acl.region }}" ip_address_version: IPV4 - addresses: "{{ acl.ip_allow.list }}" - register: ip_set_info + addresses: "{{ aws_acl.ip_allow.list }}" + register: _ip_set_info - name: Create IP allow rule ansible.builtin.set_fact: ip_allow_rule: - - name: "{{ acl.ip_allow.name }}" + - name: "{{ aws_acl.ip_allow.name }}" priority: 1 action: allow: {} 
@@ -62,14 +62,14 @@ metric_name: Allow_IPs statement: ip_set_reference_statement: - arn: "{{ ip_set_info.arn }}" + arn: "{{ _ip_set_info.arn }}" - name: Add rule to list ansible.builtin.set_fact: - acl_rules: "{{ acl_rules + ip_allow_rule }}" + _acl_rules: "{{ _acl_rules + ip_allow_rule }}" - name: Set country block rule - when: acl.cc_block_list is defined + when: aws_acl.cc_block_list is defined block: - name: Create country block rule ansible.builtin.set_fact: @@ -84,11 +84,11 @@ metric_name: block_countries statement: geo_match_statement: # Can't find the actual name, I got this from aws rule JSON formated - country_codes: "{{ acl.cc_block_list }}" + country_codes: "{{ aws_acl.cc_block_list }}" - name: Add rule to list ansible.builtin.set_fact: - acl_rules: "{{ acl_rules + cc_block_rule }}" + _acl_rules: "{{ _acl_rules + cc_block_rule }}" # Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int) - name: Set rate limit variable 
@@ -112,22 +112,31 @@ - name: Add rule to list ansible.builtin.set_fact: - acl_rules: "{{ acl_rules + rate_rule}}" + _acl_rules: "{{ _acl_rules + rate_rule}}" - name: Create web acl community.aws.wafv2_web_acl: - name: "{{ acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ + name: "{{ aws_acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ description: "WAF protecting the {{ _domain_name }}" - scope: "{{ acl.scope }}" - region: "{{ acl.region }}" + scope: "{{ aws_acl.scope }}" + region: "{{ aws_acl.region }}" default_action: Allow # or "Block" sampled_requests: false cloudwatch_metrics: true # or "false" to disable metrics metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name) - rules: "{{ acl_rules }}" + rules: "{{ _acl_rules }}" purge_rules: true # tags: # A: B # C: D state: present - register: created_acl \ No newline at end of file + register: _created_acl + +- name: Add WAF to ALB + community.aws.wafv2_resources: + name: "{{ aws_acl.name }}" + scope: REGIONAL + state: present + region: "{{ aws_acl.region }}" + arn: "{{ _aws_ec2_elb.load_balancer_arn }}" + when: _aws_ec2_elb is defined diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml index fa1fb91c3..49b0ea331 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml @@ -1,8 +1,10 @@ --- - name: Create web acl if defined ansible.builtin.include_role: - name: aws/acl - when: acl is defined + name: aws/aws_acl + when: + - aws_acl is defined + - aws_acl.scope == 'CLOUDFRONT' - name: Create a CloudFront distribution. community.aws.cloudfront_distribution: 
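Review bot: the new "Add WAF to ALB" task at the end of aws_acl/tasks/main.yml guards only on `_aws_ec2_elb is defined` and hard-codes `scope: REGIONAL`. A registered variable is defined even when its task was skipped (the ELB task is `register: _aws_ec2_elb` under `when: aws_elb.elb_type == "alb"`, visible in the aws_elb hunk), so on a non-ALB run this task still executes and fails on `_aws_ec2_elb.load_balancer_arn`; and if the role was included from the CloudFront path with a CLOUDFRONT-scoped ACL, `scope: REGIONAL` would not match the ACL just created. Suggest `when: - aws_acl.scope == 'REGIONAL' - _aws_ec2_elb.load_balancer_arn is defined` and `scope: "{{ aws_acl.scope }}"`. Minor: `ip_block_rule`, `ip_allow_rule`, `cc_block_rule` and `rate_rule` did not get the `_` prefix the rename applies to the other facts, and `{{ _acl_rules + rate_rule}}` is missing the space before `}}` that ansible-lint flags.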
@@ -12,7 +14,7 @@ state: "{{ aws_cloudfront_distribution.state }}" aliases: "{{ aws_cloudfront_distribution.aliases }}" origins: "{{ aws_cloudfront_distribution.origins }}" - web_acl_id: "{{ created_acl.arn | default(omit) }}" + web_acl_id: "{{ _created_acl.arn | default(omit) }}" default_cache_behavior: "{{ aws_cloudfront_distribution.default_cache_behavior }}" cache_behaviors: "{{ aws_cloudfront_distribution.cache_behaviors }}" validate_certs: "{{ aws_cloudfront_distribution.validate_certs }}" diff --git a/roles/aws/aws_elb/tasks/main.yml b/roles/aws/aws_elb/tasks/main.yml index a47f372ad..0e3408645 100644 --- a/roles/aws/aws_elb/tasks/main.yml +++ b/roles/aws/aws_elb/tasks/main.yml @@ -135,6 +135,13 @@ register: _aws_ec2_elb when: aws_elb.elb_type == "alb" +- name: Create web acl if defined + ansible.builtin.include_role: + name: aws/aws_acl + when: + - aws_acl is defined + - aws_acl.scope == 'REGIONAL' + - name: Get ALB listener ARN for port 443. ansible.builtin.set_fact: _aws_ec2_elb_listener_ARN: "{{ item.listener_arn }}" From b6adbc61f34d376797f6de829f3e1cd957ffaf3d Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 14 Mar 2024 19:05:36 +0100 Subject: [PATCH 086/331] Changing import_role to include_vars for vars only Wazuh roles. (#1524) --- roles/debian/wazuh/tasks/main.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index 1b081b56a..6a4ba793d 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml 
@@ -1,10 +1,11 @@ -- name: Import elastic-stack. - ansible.builtin.import_role: - name: "contrib/{{ wazuh.path }}/roles/elastic-stack/ansible-kibana" +--- +- name: Load elastic-stack variables. + ansible.builtin.include_vars: + file: "/home/{{ user_provision.username }}/ce-provision/roles/contrib/{{ wazuh.path }}/roles/elastic-stack/ansible-kibana/defaults/main.yml" -- name: Import opendistro. - ansible.builtin.import_role: - name: "contrib/{{ wazuh.path }}/roles/opendistro/opendistro-kibana" +- name: Load opendistro variables. + ansible.builtin.include_vars: + file: "/home/{{ user_provision.username }}/ce-provision/roles/contrib/{{ wazuh.path }}/roles/opendistro/opendistro-kibana/defaults/main.yml" - name: Generate certificates. ansible.builtin.import_role: From 68c9e8dcf52cb3bd2234980fff8c55fc71fb44b4 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 14 Mar 2024 20:04:36 +0100 Subject: [PATCH 087/331] Wazuh fixes pr 2.x (#1526) * Changing import_role to include_vars for vars only Wazuh roles. * We cannot use the _domain_name var in this context. --- roles/debian/wazuh/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml index 4ea2fafc0..585384511 100644 --- a/roles/debian/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml @@ -29,7 +29,7 @@ wazuh: indexer: install: false # install the indexer packages single_node: true - domain_name: "{{ _domain_name }}" + domain_name: indexer.example.com # possible to use "{{ _domain_name }}" in local variables, but not defaults indexer_cluster_name: wazuh indexer_node_name: node-1 # this server name indexer_network_host: 127.0.0.1 
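Review bot: the two `include_vars` tasks in wazuh/tasks/main.yml hard-code `/home/{{ user_provision.username }}/ce-provision/roles/contrib/...`, which only works when the repository is checked out at that exact location under that exact user. Building the path from the role's own location, e.g. `"{{ role_path }}/../../contrib/{{ wazuh.path }}/roles/elastic-stack/ansible-kibana/defaults/main.yml"` (`role_path` is an Ansible magic variable), keeps the role usable from any checkout and from CI. The switch from `import_role` to `include_vars` itself is sound, since only the variables were wanted.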
@@ -143,7 +143,7 @@ wazuh: dashboard_node_name: node-1 dashboard_server_host: "0.0.0.0" dashboard_server_port: "443" # if you want to use provided SSL certificates install a web server and proxy to Wazuh - dashboard_server_name: "{{ _domain_name }}" + dashboard_server_name: dashboard.example.com # possible to use "{{ _domain_name }}" in local variables, but not defaults dashboard_conf_path: "/etc/wazuh-dashboard/" wazuh_api_credentials: - id: "default" From 1e13a87099fa7dd9540b8403e631cb39cf415654 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Fri, 15 Mar 2024 14:13:30 +0100 Subject: [PATCH 088/331] Adding cipher to client template and fixing default push route. (#1528) --- roles/debian/openvpn/tasks/main.yml | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml index 6f46d5286..ec382265f 100644 --- a/roles/debian/openvpn/tasks/main.yml +++ b/roles/debian/openvpn/tasks/main.yml @@ -58,7 +58,7 @@ when: openvpn.ipv4_settings | length > 0 notify: Restart OpenVPN. -- name: Replace OpenVPN cipher. +- name: Replace OpenVPN cipher on the server. ansible.builtin.lineinfile: path: /etc/openvpn/server.conf search_string: 'cipher AES-128-GCM' @@ -68,7 +68,7 @@ mode: '0644' when: openvpn.cipher | length > 0 -- name: Replace OpenVPN ncp-ciphers. +- name: Replace OpenVPN ncp-ciphers on the server. ansible.builtin.lineinfile: path: /etc/openvpn/server.conf search_string: 'ncp-ciphers AES-128-GCM' @@ -80,6 +80,16 @@ notify: Restart OpenVPN. # Push routes +- name: Remove default push-route. + ansible.builtin.lineinfile: + path: /etc/openvpn/server.conf + search_string: 'redirect-gateway' + state: absent + owner: root + group: root + mode: '0644' + when: openvpn.push_routes_ipv4 | length > 0 + - name: Add ipv4 push routes comment for readability. ansible.builtin.lineinfile: path: /etc/openvpn/server.conf 
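Review bot: the new "Remove default push-route" task in openvpn/tasks/main.yml has no `notify: Restart OpenVPN.`, unlike the cipher tasks around it, so dropping `redirect-gateway` from server.conf does not take effect until something else restarts the service. Two smaller points on the same hunk: `search_string: 'redirect-gateway'` with `state: absent` deletes every line containing that substring, comments included, so `regexp: '^push "redirect-gateway'` is the tighter match; and once this runs, clients no longer send all traffic through the tunnel but only the routes in `openvpn.push_routes_ipv4`, which is the intended split-tunnel behaviour but deserves a sentence in the role README so operators know the default-route protection is gone.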
@@ -168,6 +178,16 @@ mode: '0644' when: openvpn.tls_cipher | length > 0 +- name: Replace OpenVPN client cipher. + ansible.builtin.lineinfile: + path: /etc/openvpn/client-template.txt + search_string: 'cipher AES-128-GCM' + line: "cipher {{ openvpn.cipher }}" + owner: root + group: root + mode: '0644' + when: openvpn.cipher | length > 0 + # Only works when openvpn.port_choice == '1' because otherwise port will not be 1194 and regexp will not match - name: Use FQDN as OpenVPN server remote in client config. ansible.builtin.lineinfile: From 14cd9508a7555098b339a60ea758295a6b2c0512 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 20 Mar 2024 12:03:21 +0100 Subject: [PATCH 089/331] Switching key server pr 2.x (#1531) * Switching-key-server * Switching-key-server-mysql * Fixing-empty-line --- docs/roles/debian/mysql_server_oracle_ce.md | 2 +- docs/roles/debian/wazuh.md | 4 ++-- roles/debian/mysql_server_oracle_ce/README.md | 2 +- roles/debian/mysql_server_oracle_ce/defaults/main.yml | 2 +- roles/debian/wazuh/README.md | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/roles/debian/mysql_server_oracle_ce.md b/docs/roles/debian/mysql_server_oracle_ce.md index b081b2498..7ee28b24d 100644 --- a/docs/roles/debian/mysql_server_oracle_ce.md +++ b/docs/roles/debian/mysql_server_oracle_ce.md @@ -10,7 +10,7 @@ Installs MySQL Server 5.7. --- mysql_long_query_time: 4 mysql_server_oracle_ce_key: "8C718D3B5072E1F5" # archive key - see https://dev.mysql.com/doc/refman/8.0/en/gpg-key-archived-packages.html -mysql_server_oracle_ce_key_server: pgp.mit.edu +mysql_server_oracle_ce_key_server: keyserver.ubuntu.com ``` diff --git a/docs/roles/debian/wazuh.md b/docs/roles/debian/wazuh.md index f6efaa7ca..bd4afb89b 100644 --- a/docs/roles/debian/wazuh.md +++ b/docs/roles/debian/wazuh.md 
@@ -40,7 +40,7 @@ wazuh: indexer: install: false # install the indexer packages single_node: true - domain_name: "{{ _domain_name }}" + domain_name: indexer.example.com # possible to use "{{ _domain_name }}" in local variables, but not defaults indexer_cluster_name: wazuh indexer_node_name: node-1 # this server name indexer_network_host: 127.0.0.1 @@ -154,7 +154,7 @@ wazuh: dashboard_node_name: node-1 dashboard_server_host: "0.0.0.0" dashboard_server_port: "443" # if you want to use provided SSL certificates install a web server and proxy to Wazuh - dashboard_server_name: "{{ _domain_name }}" + dashboard_server_name: dashboard.example.com # possible to use "{{ _domain_name }}" in local variables, but not defaults dashboard_conf_path: "/etc/wazuh-dashboard/" wazuh_api_credentials: - id: "default" diff --git a/roles/debian/mysql_server_oracle_ce/README.md b/roles/debian/mysql_server_oracle_ce/README.md index b081b2498..7ee28b24d 100644 --- a/roles/debian/mysql_server_oracle_ce/README.md +++ b/roles/debian/mysql_server_oracle_ce/README.md @@ -10,7 +10,7 @@ Installs MySQL Server 5.7. --- mysql_long_query_time: 4 mysql_server_oracle_ce_key: "8C718D3B5072E1F5" # archive key - see https://dev.mysql.com/doc/refman/8.0/en/gpg-key-archived-packages.html -mysql_server_oracle_ce_key_server: pgp.mit.edu +mysql_server_oracle_ce_key_server: keyserver.ubuntu.com ``` diff --git a/roles/debian/mysql_server_oracle_ce/defaults/main.yml b/roles/debian/mysql_server_oracle_ce/defaults/main.yml index 67c066cf6..e2c7fac86 100644 --- a/roles/debian/mysql_server_oracle_ce/defaults/main.yml +++ b/roles/debian/mysql_server_oracle_ce/defaults/main.yml @@ -1,4 +1,4 @@ --- mysql_long_query_time: 4 mysql_server_oracle_ce_key: "8C718D3B5072E1F5" # archive key - see https://dev.mysql.com/doc/refman/8.0/en/gpg-key-archived-packages.html -mysql_server_oracle_ce_key_server: pgp.mit.edu \ No newline at end of file +mysql_server_oracle_ce_key_server: keyserver.ubuntu.com 
diff --git a/roles/debian/wazuh/README.md b/roles/debian/wazuh/README.md index f6efaa7ca..bd4afb89b 100644 --- a/roles/debian/wazuh/README.md +++ b/roles/debian/wazuh/README.md @@ -40,7 +40,7 @@ wazuh: indexer: install: false # install the indexer packages single_node: true - domain_name: "{{ _domain_name }}" + domain_name: indexer.example.com # possible to use "{{ _domain_name }}" in local variables, but not defaults indexer_cluster_name: wazuh indexer_node_name: node-1 # this server name indexer_network_host: 127.0.0.1 @@ -154,7 +154,7 @@ wazuh: dashboard_node_name: node-1 dashboard_server_host: "0.0.0.0" dashboard_server_port: "443" # if you want to use provided SSL certificates install a web server and proxy to Wazuh - dashboard_server_name: "{{ _domain_name }}" + dashboard_server_name: dashboard.example.com # possible to use "{{ _domain_name }}" in local variables, but not defaults dashboard_conf_path: "/etc/wazuh-dashboard/" wazuh_api_credentials: - id: "default" From e51924684bf4d38c9a6a3d15195db9a05207ffb8 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 21 Mar 2024 11:48:01 +0100 Subject: [PATCH 090/331] Fixing-mysql-role (#1534) * Fixing-mysql-role * Fixing-linting --- roles/debian/mysql_server_oracle_ce/tasks/main.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/roles/debian/mysql_server_oracle_ce/tasks/main.yml b/roles/debian/mysql_server_oracle_ce/tasks/main.yml index 18f5b1862..5ada735b3 100644 --- a/roles/debian/mysql_server_oracle_ce/tasks/main.yml +++ b/roles/debian/mysql_server_oracle_ce/tasks/main.yml 
@@ -1,20 +1,17 @@ --- #@todo Configuration is for dev. -- name: Add repository key for MySQL repository. - ansible.builtin.apt_key: - keyserver: "{{ mysql_server_oracle_ce_key_server }}" - id: "{{ mysql_server_oracle_ce_key }}" - state: present +- name: Add repository key for MySQL repository using wget and apt-key + ansible.builtin.shell: "set -o pipefail && wget -q -O - https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 | apt-key add -" - name: Add repository for MySQL. ansible.builtin.apt_repository: - repo: "deb http://repo.mysql.com/apt/debian/ {{ ansible_distribution_release }} mysql-5.7" + repo: "deb http://repo.mysql.com/apt/debian/ {{ ansible_distribution_release }} mysql-8.0" state: present - name: Add source repository for MySQL. ansible.builtin.apt_repository: - repo: "deb-src http://repo.mysql.com/apt/debian/ {{ ansible_distribution_release }} mysql-5.7" + repo: "deb-src http://repo.mysql.com/apt/debian/ {{ ansible_distribution_release }} mysql-8.0" state: present - name: Pin MySQL packages. From ee3723a73cf7a5c15ff05a7c4b0334b691997bb1 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 21 Mar 2024 12:26:45 +0100 Subject: [PATCH 091/331] Fixing-broken-mysql-role (#1536) --- roles/debian/mysql_server_oracle_ce/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/debian/mysql_server_oracle_ce/tasks/main.yml b/roles/debian/mysql_server_oracle_ce/tasks/main.yml index 5ada735b3..46919421b 100644 --- a/roles/debian/mysql_server_oracle_ce/tasks/main.yml +++ b/roles/debian/mysql_server_oracle_ce/tasks/main.yml @@ -3,6 +3,8 @@ - name: Add repository key for MySQL repository using wget and apt-key ansible.builtin.shell: "set -o pipefail && wget -q -O - https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 | apt-key add -" + args: + executable: /bin/bash - name: Add repository for MySQL. ansible.builtin.apt_repository: From a60f90c4cacdfea4aef75decf27c22c7782369ea Mon Sep 17 00:00:00 2001 
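Review bot: replacing `ansible.builtin.apt_key` (keyserver plus pinned `id`) with `wget -q -O - https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 | apt-key add -` in mysql_server_oracle_ce/tasks/main.yml removes the only fingerprint check the role had: whatever the URL serves becomes a trusted apt signing key, `mysql_server_oracle_ce_key` (just repointed to keyserver.ubuntu.com in #1531) is now dead configuration, `apt-key` is deprecated on current Debian, and a `shell` task with no `changed_when` reports changed on every run. Prefer `ansible.builtin.get_url` into a keyring file with `checksum:` set, and `signed-by=` in the `apt_repository` `repo:` line, or at minimum `ansible.builtin.apt_key` with `url:` and `id: "{{ mysql_server_oracle_ce_key }}"` so the imported key is still verified. The follow-up hunk in #1536 adding `executable: /bin/bash` is needed for `set -o pipefail` but does not address any of this. Same hunk: the repo lines move from `mysql-5.7` to `mysql-8.0` over plain `http://`, while the README/docs still open with "Installs MySQL Server 5.7." (visible in the later docs hunk of #1547).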
From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Wed, 27 Mar 2024 19:14:04 +0200 Subject: [PATCH 092/331] R68801 gzip nginx cloudfront pr 2.x (#1544) * r68801-r67628-gzip-nginx-cloudfront * r68801-r67628-gzip-nginx-cloudfront * remove test tasks * remove test tasks * remove test tasks --- roles/debian/nginx/defaults/main.yml | 1 + roles/debian/nginx/tasks/main.yml | 1 + .../nginx/templates/_common_cloudfront.j2 | 11 +++++++++++ roles/debian/nginx/templates/nginx.conf.j2 | 19 +++---------------- roles/debian/nginx/templates/vhosts.j2 | 4 ++++ 5 files changed, 20 insertions(+), 16 deletions(-) create mode 100644 roles/debian/nginx/templates/_common_cloudfront.j2 diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index 9d0620e92..f5288d2e1 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml @@ -60,6 +60,7 @@ nginx: # on_calendar: "Mon *-*-* 04:00:00" ratelimitingcrawlers: true is_default: true + is_behind_cloudfront: false # set to true to disable gzip. basic_auth: auth_enabled: false auth_file: "" # optionally provide the path on the deploy server to a htpasswd file - WARNING - it must be valid and will not be checked! diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 23f8d1e4c..2fe6d8f68 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -52,6 +52,7 @@ force: true with_items: - _common + - _common_cloudfront - custom - docker_registry - drupal_common diff --git a/roles/debian/nginx/templates/_common_cloudfront.j2 b/roles/debian/nginx/templates/_common_cloudfront.j2 new file mode 100644 index 000000000..d3f395088 --- /dev/null +++ b/roles/debian/nginx/templates/_common_cloudfront.j2 
@@ -0,0 +1,11 @@ +### {{ ansible_managed }} + +gzip off; +proxy_buffer_size 512k; +proxy_buffers 8 256k; +client_body_buffer_size 512k; +fastcgi_buffer_size 512k ; +fastcgi_buffers 8 256k ; +client_max_body_size {{ nginx.client_max_body_size }} ; +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; \ No newline at end of file diff --git a/roles/debian/nginx/templates/nginx.conf.j2 b/roles/debian/nginx/templates/nginx.conf.j2 index dd73311ea..251e0dff5 100644 --- a/roles/debian/nginx/templates/nginx.conf.j2 +++ b/roles/debian/nginx/templates/nginx.conf.j2 @@ -23,11 +23,11 @@ http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" $request_length $body_bytes_sent'; + '"$http_user_agent" $request_length'; log_format proxy '$http_x_forwarded_for - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" $request_length $body_bytes_sent'; + '"$http_user_agent" $request_length'; server_names_hash_bucket_size {{ nginx.http.server_names_hash_bucket_size }}; # server_name_in_redirect off; @@ -50,22 +50,9 @@ http { error_log {{ nginx.http.error_log }}; ## - # Gzip Settings + # Additional Settings ## - gzip on; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - ## - # Additional Settings - ## - {% if nginx.http.custom_directives is defined %} {% for directive in nginx.http.custom_directives %} {{ directive }} diff --git a/roles/debian/nginx/templates/vhosts.j2 b/roles/debian/nginx/templates/vhosts.j2 index 9cf7b514a..d16b3df96 100644 --- a/roles/debian/nginx/templates/vhosts.j2 +++ b/roles/debian/nginx/templates/vhosts.j2 
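Review bot: the nginx.conf.j2 hunk drops the trailing `$body_bytes_sent` from both the `main` and `proxy` `log_format` lines, which changes the field count of every access log written by this role; fail2ban filters, GoAccess or SIEM parsers keyed on the old layout will stop matching silently, so they need updating in the same change or the README needs a note. On the new `_common_cloudfront.j2`: removing the global `gzip on;` from `http {}` means compression now depends entirely on the per-vhost include, so `_common` must carry `gzip on;` for the `is_behind_cloudfront: false` case (the defaults comment "set to true to disable gzip" implies it does); also `fastcgi_buffer_size 512k ;` and the two lines after it have a stray space before `;`, and the file lacks a trailing newline.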
@@ -28,7 +28,11 @@ server { access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }}; root "{{ domain.webroot }}"; include "/etc/nginx/conf.d/{{ domain.project_type }}"; +{% if domain.is_behind_cloudfront is defined and domain.is_behind_cloudfront %} + include "/etc/nginx/conf.d/_common_cloudfront"; +{% else %} include "/etc/nginx/conf.d/_common"; +{% endif %} {% if domain.ssl is defined and domain.ssl.handling == 'letsencrypt' %} {% if domain.ssl.web_server | default('standalone') == 'standalone' %} # Proxy for certbot (LetsEncrypt) From 2470f043cb2cdc0876eaaa69d5fa9181e4d6695e Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 27 Mar 2024 18:55:38 +0100 Subject: [PATCH 093/331] Making Duplicity use venvs. (#1547) * Making Duplicity use venvs. * Installing venvs as the correct user. * Setting Duplicity user back to root and installing 'fasteners' in the venv. * Duplicity --s3-european-buckets option deprecated. --- docs/roles/debian/duplicity.md | 7 ++- docs/roles/debian/mysql_server_oracle_ce.md | 1 + roles/debian/ansible/tasks/main.yml | 6 +++ roles/debian/ce_provision/tasks/main.yml | 2 + roles/debian/duplicity/README.md | 7 ++- roles/debian/duplicity/defaults/main.yml | 7 ++- roles/debian/duplicity/meta/main.yml | 3 -- roles/debian/duplicity/tasks/main.yml | 50 ++++++++++++++++--- .../templates/duplicity_backup-b2.j2 | 4 +- .../templates/duplicity_backup-s3.j2 | 4 +- .../duplicity/templates/duplicity_clean-b2.j2 | 2 +- .../duplicity/templates/duplicity_clean-s3.j2 | 2 +- .../templates/duplicity_restore-b2.j2 | 2 +- .../templates/duplicity_restore-s3.j2 | 2 +- roles/debian/ldap_server/tasks/main.yml | 9 +--- roles/debian/mysql_client/tasks/main.yml | 9 +--- roles/debian/mysql_server_oracle_ce/README.md | 1 + roles/debian/nginx/tasks/main.yml | 9 +--- roles/debian/python_boto/tasks/main.yml | 2 + 19 files changed, 84 insertions(+), 45 deletions(-) delete mode 100644 roles/debian/duplicity/meta/main.yml 
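Review bot: the nginx.conf.j2 hunk in patch 092 removes `gzip on;` from the `http` block for every vhost, not only the CloudFront-fronted ones, so compression now depends entirely on `/etc/nginx/conf.d/_common` (not shown in this patch) enabling it. Either confirm `_common` carries `gzip on;`, or keep the `http`-level `gzip on;` and let the `gzip off;` in `_common_cloudfront` override it per `server`, which is what the `is_behind_cloudfront` switch in vhosts.j2 implies. Removing the duplicated `$body_bytes_sent` from both `log_format` lines is a separate fix and deserves a line of its own in the commit message.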
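Review bot: `add_header X-Content-Type-Options nosniff;` in the new `_common_cloudfront.j2` is inherited by a `location` only if that block declares no `add_header` of its own, so any project template pulled in via `include "/etc/nginx/conf.d/{{ domain.project_type }}"` that sets a header inside a `location` silently loses `nosniff` there; add a comment saying the header must be repeated in such locations. The file also lacks a trailing newline (`\ No newline at end of file`), and `proxy_buffer_size 512k;` plus `proxy_buffers 8 256k;` (and the matching fastcgi values) are allocated per proxied connection, so the reason these sizes are needed behind CloudFront should be recorded in the template header rather than left implicit.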
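Review bot: the comment on the new default `is_behind_cloudfront: false # set to true to disable gzip.` undersells what the flag does: vhosts.j2 swaps the whole `_common` include for `_common_cloudfront`, which also changes the proxy, fastcgi and client body buffer sizes. Say so in the comment, and update the nginx README in the same change (it is only touched in patch 094), so an operator toggling it for compression knows the buffer settings move as well.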
diff --git a/docs/roles/debian/duplicity.md b/docs/roles/debian/duplicity.md index 9186201ed..7e4911527 100644 --- a/docs/roles/debian/duplicity.md +++ b/docs/roles/debian/duplicity.md @@ -9,11 +9,16 @@ Role to install and configure [the Duplicity backup engine](https://duplicity.us ```yaml --- duplicity: + # Location of Duplicity installation and components. + venv_path: "/home/{{ user_provision.username }}/duplicity" + venv_command: /usr/bin/python3 -m venv + install_username: "{{ user_provision.username }}" + # Duplicity configuration backend: s3 # currently also support b2 for Backblaze access_key_id: "somekey" secret_access_key: "somesecret" backend_url: "s3-eu-west-1.amazonaws.com" - s3_options: "--s3-european-buckets --s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options + s3_options: "--s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options bucketname: "somebucket" dirs: - name: "/boot" diff --git a/docs/roles/debian/mysql_server_oracle_ce.md b/docs/roles/debian/mysql_server_oracle_ce.md index 7ee28b24d..38ce85292 100644 --- a/docs/roles/debian/mysql_server_oracle_ce.md +++ b/docs/roles/debian/mysql_server_oracle_ce.md @@ -11,6 +11,7 @@ Installs MySQL Server 5.7. mysql_long_query_time: 4 mysql_server_oracle_ce_key: "8C718D3B5072E1F5" # archive key - see https://dev.mysql.com/doc/refman/8.0/en/gpg-key-archived-packages.html mysql_server_oracle_ce_key_server: keyserver.ubuntu.com + ``` diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index f14197d28..32f14a1f5 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml 
@@ -40,6 +40,8 @@ state: latest virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" + become_user: "{{ ce_ansible.install_username | default(_install_username) }}" + become: true - name: Install Ansible. ansible.builtin.pip: @@ -47,6 +49,8 @@ - ansible virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" + become_user: "{{ ce_ansible.install_username | default(_install_username) }}" + become: true - name: Install linters. ansible.builtin.pip: @@ -55,6 +59,8 @@ - yamllint virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" + become_user: "{{ ce_ansible.install_username | default(_install_username) }}" + become: true when: ce_ansible.linters.enabled - name: Ensure Ansible venv permissions. diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index 1ee53dcc7..35ffb1d29 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml @@ -159,6 +159,8 @@ - pyopenssl virtualenv: "{{ _venv_path }}" virtualenv_command: "{{ _venv_command }}" + become_user: "{{ ce_provision.install_username | default(_install_username) }}" + become: true - name: Ensure Ansible venv permissions. ansible.builtin.file: diff --git a/roles/debian/duplicity/README.md b/roles/debian/duplicity/README.md index 9186201ed..7e4911527 100644 --- a/roles/debian/duplicity/README.md +++ b/roles/debian/duplicity/README.md 
@@ -9,11 +9,16 @@ Role to install and configure [the Duplicity backup engine](https://duplicity.us ```yaml --- duplicity: + # Location of Duplicity installation and components. + venv_path: "/home/{{ user_provision.username }}/duplicity" + venv_command: /usr/bin/python3 -m venv + install_username: "{{ user_provision.username }}" + # Duplicity configuration backend: s3 # currently also support b2 for Backblaze access_key_id: "somekey" secret_access_key: "somesecret" backend_url: "s3-eu-west-1.amazonaws.com" - s3_options: "--s3-european-buckets --s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options + s3_options: "--s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options bucketname: "somebucket" dirs: - name: "/boot" diff --git a/roles/debian/duplicity/defaults/main.yml b/roles/debian/duplicity/defaults/main.yml index f85a94b36..6d7a6f3d6 100644 --- a/roles/debian/duplicity/defaults/main.yml +++ b/roles/debian/duplicity/defaults/main.yml @@ -1,10 +1,15 @@ --- duplicity: + # Location of Duplicity installation and components. + venv_path: "/home/{{ user_provision.username }}/duplicity" + venv_command: /usr/bin/python3 -m venv + install_username: "{{ user_provision.username }}" + # Duplicity configuration backend: s3 # currently also support b2 for Backblaze access_key_id: "somekey" secret_access_key: "somesecret" backend_url: "s3-eu-west-1.amazonaws.com" - s3_options: "--s3-european-buckets --s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options + s3_options: "--s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options bucketname: "somebucket" dirs: - name: "/boot" diff --git a/roles/debian/duplicity/meta/main.yml b/roles/debian/duplicity/meta/main.yml deleted file mode 100644 index 61df1afb0..000000000 
--- a/roles/debian/duplicity/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: debian/python_boto diff --git a/roles/debian/duplicity/tasks/main.yml b/roles/debian/duplicity/tasks/main.yml index 96581e0aa..535161d4b 100644 --- a/roles/debian/duplicity/tasks/main.yml +++ b/roles/debian/duplicity/tasks/main.yml 
@@ -1,15 +1,51 @@ -- name: Ensure duplicity is installed. +--- +- name: Ensure system Duplicity is not installed. ansible.builtin.apt: pkg: duplicity - state: present - when: ansible_distribution_major_version | int >= 12 + state: absent -- name: Ensure duplicity is installed. +- name: Ensure Duplicity is not installed globally with pip or pip3 on older versions of Debian. ansible.builtin.pip: - name: duplicity - executable: pip3 - state: present + name: + - duplicity + state: absent + executable: "{{ item }}" when: ansible_distribution_major_version | int < 12 + with_items: + - pip + - pip3 + failed_when: false # don't stop the build if there's no system pip + +# Install Python applications. +- name: Set up Python venv variables. + ansible.builtin.set_fact: + _venv_path: "{{ duplicity.venv_path }}" + _venv_command: "{{ duplicity.venv_command }}" + _install_username: "{{ duplicity.install_username }}" + +- name: Ensure pip is at latest version. + ansible.builtin.pip: + name: + - pip + state: latest + virtualenv: "{{ duplicity.venv_path | default(_venv_path) }}" + virtualenv_command: "{{ duplicity.venv_command | default(_venv_command) }}" + become_user: "{{ duplicity.install_username | default(_install_username) }}" + become: true + +- name: Install python_boto. + ansible.builtin.include_role: + name: debian/python_boto + +- name: Install Duplicity and dependencies. + ansible.builtin.pip: + name: + - fasteners + - duplicity + virtualenv: "{{ duplicity.venv_path | default(_venv_path) }}" + virtualenv_command: "{{ duplicity.venv_command | default(_venv_command) }}" + become_user: "{{ duplicity.install_username | default(_install_username) }}" + become: true - name: Create install dir. ansible.builtin.file: diff --git a/roles/debian/duplicity/templates/duplicity_backup-b2.j2 b/roles/debian/duplicity/templates/duplicity_backup-b2.j2 index b41b992b8..d819090c2 100644 --- a/roles/debian/duplicity/templates/duplicity_backup-b2.j2 
+++ b/roles/debian/duplicity/templates/duplicity_backup-b2.j2 @@ -56,12 +56,12 @@ for dir in ${DIRS[@]}; do fi DEST=b2://$B2_KEY_ID:$B2_SECRET_KEY@{{ duplicity.bucketname }}$dir - /usr/local/bin/duplicity $backup_options $extra_options $dir $DEST || exit 1 + {{ _venv_path }}/bin/duplicity $backup_options $extra_options $dir $DEST || exit 1 if [ $REMOVE_OLD_BACKUPS -eq 1 ]; then # Do some maintenance on the remote end to clean up old backups echo "Performing routine maintenance on $dir..." - /usr/local/bin/duplicity $maintenance_options $DEST || exit 1 + {{ _venv_path }}/bin/duplicity $maintenance_options $DEST || exit 1 fi done diff --git a/roles/debian/duplicity/templates/duplicity_backup-s3.j2 b/roles/debian/duplicity/templates/duplicity_backup-s3.j2 index 993de8643..0a8fd0d64 100644 --- a/roles/debian/duplicity/templates/duplicity_backup-s3.j2 +++ b/roles/debian/duplicity/templates/duplicity_backup-s3.j2 @@ -56,12 +56,12 @@ for dir in ${DIRS[@]}; do fi DEST=s3://{{ duplicity.backend_url }}/{{ duplicity.bucketname }}$dir - /usr/local/bin/duplicity $backup_options $extra_options $dir $DEST || exit 1 + {{ _venv_path }}/bin/duplicity $backup_options $extra_options $dir $DEST || exit 1 if [ $REMOVE_OLD_BACKUPS -eq 1 ]; then # Do some maintenance on the remote end to clean up old backups echo "Performing routine maintenance on $dir..." - /usr/local/bin/duplicity $maintenance_options $DEST || exit 1 + {{ _venv_path }}/bin/duplicity $maintenance_options $DEST || exit 1 fi done diff --git a/roles/debian/duplicity/templates/duplicity_clean-b2.j2 b/roles/debian/duplicity/templates/duplicity_clean-b2.j2 index d8c8bb4b4..92a766071 100644 --- a/roles/debian/duplicity/templates/duplicity_clean-b2.j2 +++ b/roles/debian/duplicity/templates/duplicity_clean-b2.j2 
@@ -31,7 +31,7 @@ DIRS=( for dir in ${DIRS[@]}; do echo "Cleaning up $dir..." DEST=b2://$B2_KEY_ID:$B2_SECRET_KEY@{{ duplicity.bucketname }}$dir - /usr/local/bin/duplicity $cleanup_options $DEST || exit 1 + {{ _venv_path }}/bin/duplicity $cleanup_options $DEST || exit 1 done unset PASSPHRASE diff --git a/roles/debian/duplicity/templates/duplicity_clean-s3.j2 b/roles/debian/duplicity/templates/duplicity_clean-s3.j2 index 81b898fda..34dd3fa6b 100644 --- a/roles/debian/duplicity/templates/duplicity_clean-s3.j2 +++ b/roles/debian/duplicity/templates/duplicity_clean-s3.j2 @@ -31,7 +31,7 @@ DIRS=( for dir in ${DIRS[@]}; do echo "Cleaning up $dir..." DEST=s3://{{ duplicity.backend_url }}/{{ duplicity.bucketname }}$dir - /usr/local/bin/duplicity $cleanup_options $DEST || exit 1 + {{ _venv_path }}/bin/duplicity $cleanup_options $DEST || exit 1 done unset PASSPHRASE diff --git a/roles/debian/duplicity/templates/duplicity_restore-b2.j2 b/roles/debian/duplicity/templates/duplicity_restore-b2.j2 index 372431934..abe2281ee 100644 --- a/roles/debian/duplicity/templates/duplicity_restore-b2.j2 +++ b/roles/debian/duplicity/templates/duplicity_restore-b2.j2 @@ -36,7 +36,7 @@ mkdir -p $RESTORE_DIR for dir in ${DIRS[@]}; do echo "Restoring $dir..." DEST=b2://$B2_KEY_ID:$B2_SECRET_KEY@{{ duplicity.bucketname }}$dir - /usr/local/bin/duplicity restore $RESTORE_OPTIONS $DEST $RESTORE_DIR$dir + {{ _venv_path }}/bin/duplicity restore $RESTORE_OPTIONS $DEST $RESTORE_DIR$dir done unset PASSPHRASE diff --git a/roles/debian/duplicity/templates/duplicity_restore-s3.j2 b/roles/debian/duplicity/templates/duplicity_restore-s3.j2 index da038389f..332db8a4f 100644 --- a/roles/debian/duplicity/templates/duplicity_restore-s3.j2 +++ b/roles/debian/duplicity/templates/duplicity_restore-s3.j2 
@@ -37,7 +37,7 @@ mkdir -p $RESTORE_DIR for dir in ${DIRS[@]}; do echo "Restoring $dir..." DEST=s3://{{ duplicity.backend_url }}/{{ duplicity.bucketname }}$dir - /usr/local/bin/duplicity restore $RESTORE_OPTIONS $DEST $RESTORE_DIR$dir + {{ _venv_path }}/bin/duplicity restore $RESTORE_OPTIONS $DEST $RESTORE_DIR$dir done unset PASSPHRASE diff --git a/roles/debian/ldap_server/tasks/main.yml b/roles/debian/ldap_server/tasks/main.yml index 55e2d9999..e9a2ae55c 100644 --- a/roles/debian/ldap_server/tasks/main.yml +++ b/roles/debian/ldap_server/tasks/main.yml @@ -34,17 +34,10 @@ pkg: ["libsasl2-dev", "libssl-dev", "python3-dev"] # python-ldap needs some dev packages state: present -- name: Install python-ldap with pip3. - ansible.builtin.pip: - name: python-ldap - executable: pip3 - when: ansible_distribution_major_version | int < 12 - -- name: Ensure python3-ldap is installed with apt. +- name: Ensure python3-ldap is installed. ansible.builtin.apt: pkg: python3-ldap state: present - when: ansible_distribution_major_version | int >= 12 - name: Create the slapd config file. ansible.builtin.template: diff --git a/roles/debian/mysql_client/tasks/main.yml b/roles/debian/mysql_client/tasks/main.yml index aa4057005..b51330d3a 100644 --- a/roles/debian/mysql_client/tasks/main.yml +++ b/roles/debian/mysql_client/tasks/main.yml @@ -16,17 +16,10 @@ install_packages: - python3-pip -- name: Ensure PyMySQL is installed with pip3. - ansible.builtin.pip: - name: pymysql - executable: pip3 - when: ansible_distribution_major_version | int < 12 - -- name: Ensure PyMySQL is installed with apt. +- name: Ensure PyMySQL is installed. ansible.builtin.apt: pkg: python3-pymysql state: present - when: ansible_distribution_major_version | int >= 12 - name: Copy debian.cnf credentials file. ansible.builtin.template: diff --git a/roles/debian/mysql_server_oracle_ce/README.md b/roles/debian/mysql_server_oracle_ce/README.md index 7ee28b24d..38ce85292 100644 
--- a/roles/debian/mysql_server_oracle_ce/README.md +++ b/roles/debian/mysql_server_oracle_ce/README.md @@ -11,6 +11,7 @@ Installs MySQL Server 5.7. mysql_long_query_time: 4 mysql_server_oracle_ce_key: "8C718D3B5072E1F5" # archive key - see https://dev.mysql.com/doc/refman/8.0/en/gpg-key-archived-packages.html mysql_server_oracle_ce_key_server: keyserver.ubuntu.com + ``` diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 2fe6d8f68..80f9dee43 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -16,17 +16,10 @@ install_packages: - python3-pip -- name: Ensure passlib is installed with pip3. - ansible.builtin.pip: - name: passlib - executable: pip3 - when: ansible_distribution_major_version | int < 12 - -- name: Ensure python3-passlib is installed with apt. +- name: Ensure python3-passlib is installed. ansible.builtin.apt: pkg: python3-passlib state: present - when: ansible_distribution_major_version | int >= 12 - name: Copy main nginx config. ansible.builtin.template: diff --git a/roles/debian/python_boto/tasks/main.yml b/roles/debian/python_boto/tasks/main.yml index 3195336e8..4cdf5ab9b 100644 --- a/roles/debian/python_boto/tasks/main.yml +++ b/roles/debian/python_boto/tasks/main.yml @@ -30,6 +30,8 @@ name: "{{ _boto3_install_package }}" virtualenv: "{{ python_boto.venv_path | default(_venv_path) }}" virtualenv_command: "{{ python_boto.venv_command | default(_venv_command) }}" + become_user: "{{ python_boto.install_username | default(_install_username) }}" + become: true - name: Ensure Ansible venv permissions. ansible.builtin.file: From c626f7f45b42cab80b290cfd4f90c61805ff9e77 Mon Sep 17 00:00:00 2001 
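Review bot: in patch 093 the Duplicity defaults place the venv at `venv_path: "/home/{{ user_provision.username }}/duplicity"` with `install_username: "{{ user_provision.username }}"`, while the commit message says the Duplicity user was set back to root and the backup templates now execute `{{ _venv_path }}/bin/duplicity` (they back up `/boot`, which needs root). Root running an interpreter and packages from a directory owned by an unprivileged account is a local privilege escalation path: whoever controls that account can replace `bin/duplicity` or a module under `site-packages` and have it executed as root on the next scheduled backup. If the scripts run as root, create the venv as root under a root-owned path, or at minimum keep `install_username` equal to the user that runs the scripts, and document that requirement next to `venv_path`.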
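Review bot: in the duplicity tasks/main.yml hunk the `set_fact` of `_venv_path: "{{ duplicity.venv_path }}"` followed by `virtualenv: "{{ duplicity.venv_path | default(_venv_path) }}"` is circular: the `default()` can never apply, because the `set_fact` would already have failed if `duplicity.venv_path` were undefined. Keep the `set_fact` (the templates and `python_boto` depend on `_venv_path`) and drop the `default()` filters, or the other way round. Separately, `failed_when: false # don't stop the build if there's no system pip` swallows every failure of the global uninstall, not only a missing `pip`; register the result and ignore just the not-found case, or guard the task with a `stat` or `command -v` check first.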
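Review bot: the b2 backup, clean and restore templates still build `DEST=b2://$B2_KEY_ID:$B2_SECRET_KEY@{{ duplicity.bucketname }}$dir` and hand it to `{{ _venv_path }}/bin/duplicity` as an argument, so the application key is readable by every local user through `ps` or `/proc/<pid>/cmdline` for the duration of each run. This predates the path change, but these lines are being edited anyway, and the S3 templates already pass a credential-free `DEST`; check whether the B2 backend of the installed Duplicity can take the key from the environment and, if so, move it out of argv.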
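Review bot: with `python3-ldap` now installed from apt on every Debian release, the preceding ldap_server task that installs `libsasl2-dev`, `libssl-dev` and `python3-dev` (`# python-ldap needs some dev packages`) is left over from building python-ldap with pip and can be removed; headers and build tooling on an LDAP server are attack surface with no remaining purpose. The same question applies to the `python3-pip` entry kept under `install_packages` in the mysql_client and nginx hunks now that neither role uses pip.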
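Review bot: the docs/roles/debian/mysql_server_oracle_ce.md and roles/debian/mysql_server_oracle_ce/README.md hunks only add a blank line inside the ```yaml fence and have nothing to do with the Duplicity change; drop them from this patch so the diff matches the commit message.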
From: Greg Harvey Date: Fri, 29 Mar 2024 14:25:48 +0100 Subject: [PATCH 094/331] Ansible in init pr 2.x (#1554) * Adding new Python pip package role. * Updating NGINX and Boto3 roles to use the new Python pip role. * Moving Ansible install to _init. * Detecting connection type before installing Ansible. * The _init role should not generate SSH keys and ce_provision should optionally install a new user. * Updating documentation. * Switching to using the user_provision role for controller user in _init. * Allowing for ce_provision to install Ansible in another location. * Passing vars to the core Ansible install. * We will need linters if the system didn't install them. * Duplicity role doesn't need to ensure permissions, it's done in python_pip_packages already. * Allowing ce-provision to set a different UID from the system user. --- docs/_Sidebar.md | 1 + docs/roles/_init.md | 12 +++ docs/roles/debian/ansible.md | 2 +- docs/roles/debian/ce_provision.md | 31 ++++--- docs/roles/debian/nginx.md | 1 + docs/roles/debian/python_boto.md | 2 +- docs/roles/debian/python_pip_packages.md | 22 +++++ roles/_init/README.md | 12 +++ roles/_init/defaults/main.yml | 12 +++ roles/_init/tasks/main.yml | 24 +++++ roles/_meta/common_base/meta/main.yml | 13 --- roles/debian/ansible/README.md | 2 +- roles/debian/ansible/defaults/main.yml | 2 +- roles/debian/ansible/tasks/main.yml | 48 ++++------ roles/debian/ce_deploy/tasks/main.yml | 13 ++- roles/debian/ce_provision/README.md | 31 ++++--- roles/debian/ce_provision/defaults/main.yml | 28 +++--- roles/debian/ce_provision/tasks/main.yml | 90 ++++++++++++++----- roles/debian/duplicity/tasks/main.yml | 32 +++---- roles/debian/nginx/README.md | 1 + roles/debian/nginx/tasks/main.yml | 8 ++ roles/debian/python_boto/README.md | 2 +- roles/debian/python_boto/defaults/main.yml | 2 +- roles/debian/python_boto/tasks/main.yml | 20 ++--- roles/debian/python_pip_packages/README.md | 22 +++++ .../python_pip_packages/defaults/main.yml | 10 +++ 
.../debian/python_pip_packages/tasks/main.yml | 16 ++++ 27 files changed, 301 insertions(+), 158 deletions(-) create mode 100644 docs/roles/debian/python_pip_packages.md create mode 100644 roles/debian/python_pip_packages/README.md create mode 100644 roles/debian/python_pip_packages/defaults/main.yml create mode 100644 roles/debian/python_pip_packages/tasks/main.yml diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 64e7a00dc..8f58e1a36 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -70,6 +70,7 @@ - [Process Manager](/roles/debian/process_manager) - [Python Boto](/roles/debian/python_boto) - [Python Common](/roles/debian/python_common) + - [Python Pip Packages](/roles/debian/python_pip_packages) - [rkhunter](/roles/debian/rkhunter) - [Rsyslog](/roles/debian/rsyslog) - [solr](/roles/debian/solr) diff --git a/docs/roles/_init.md b/docs/roles/_init.md index b51e3f41d..77feacb1f 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md @@ -9,6 +9,12 @@ This is meant to ALWAYS be included as the first task of a play. If you include ## Default variables ```yaml --- +_ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" +_venv_path: "/home/{{ _ce_provision_username }}/ansible" +_venv_command: /usr/bin/python3 -m venv +_venv_install_username: "{{ _ce_provision_username }}" +_ce_ansible_timer_name: upgrade_ce_provision_ansible + _init: # A list of var directories to include. We only support .yml extensions. # This is used to detect if the playbook must re-run or not. 
@@ -18,11 +24,17 @@ _init: # Although these variables logically belong with ce_provision, the _init role needs to # gather the extra variables if there are any, so there are _init variables. + + # ce-provision user creation + ce_provision_new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user + #ce_provision_uid # optionally hardcode the UID for this user + # Extra config repo. ce_provision_extra_repository: "" ce_provision_extra_repository_branch: "master" ce_provision_extra_repository_skip_checkout: false ce_provision_extra_repository_vars_file: "custom.yml" + # Whether to commit back changes to extra repo. ce_provision_extra_repository_push: false ce_provision_extra_repository_allowed_vars: [] diff --git a/docs/roles/debian/ansible.md b/docs/roles/debian/ansible.md index f50de4929..e86936b93 100644 --- a/docs/roles/debian/ansible.md +++ b/docs/roles/debian/ansible.md @@ -11,7 +11,7 @@ Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` ```yaml --- ce_ansible: - # These are usually set within another role using _venv_path, _venv_command and _install_username but can be overridden. + # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: "/home/{{ ce_provision.username }}/ansible" #venv_command: /usr/bin/python3.11 -m venv #install_username: deploy # user to become when creating venv diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md index 075b48323..2c43271f7 100644 --- a/docs/roles/debian/ce_provision.md +++ b/docs/roles/debian/ce_provision.md @@ -1,5 +1,6 @@ # ce-provision -Installs Code Enigma's infrastructure management stack on a server. +Installs Code Enigma's infrastructure management stack on a server. Note, the `_init` role creates the user and installs Ansible in a virtual environment, so that must be run prior to the `ce_provision` role. + 
@@ -7,26 +8,24 @@ Installs Code Enigma's infrastructure management stack on a server. ## Default variables ```yaml --- -# See roles/_init/defaults/main.yml for extra variables repo settings. -_ce_provision: - username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" - +# See roles/_init/defaults/main.yml for Ansible installation, controller user creation and extra variables repo settings. ce_provision: - # Location of Ansible installation and components. - venv_path: "/home/{{ _ce_provision.username }}/ansible" - venv_command: /usr/bin/python3 -m venv - install_username: "{{ _ce_provision.username }}" - upgrade_timer_name: upgrade_ce_provision_ansible + # Optional venv overrides - if commented out, values taken from _init defaults. + #venv_path: "/home/{{ _ce_provision_username }}/ansible" + #venv_command: /usr/bin/python3 -m venv + #venv_install_username: "{{ _ce_provision_username }}" + #upgrade_timer_name: upgrade_ce_provision_ansible # Other ce-provision settings. - username: "{{ _ce_provision.username }}" - new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user - key_name: id_rsa.pub # existing users may have a key of a different name + new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user + username: "{{ _ce_provision_username }}" # see _init defaults + #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user + public_key_name: id_rsa.pub # existing users may have a key of a different name # Main repo. own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "master" own_repository_skip_checkout: false # Destination. - local_dir: "/home/{{ _ce_provision.username }}/ce-provision" + local_dir: "/home/{{ _ce_provision_username }}/ce-provision" # Private config repo. config_repository: "" config_repository_branch: "master" 
@@ -43,10 +42,10 @@ ce_provision: branch: master # File containing default roles and collections to install via Ansible Galaxy. # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. - galaxy_custom_requirements_file: "/home/{{ _ce_provision.username }}/ce-provision/config/files/galaxy-requirements.yml" + galaxy_custom_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/home/{{ _ce_provision.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + command: "/home/{{ _ce_provision_username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 340ef09da..4751e36bc 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md @@ -72,6 +72,7 @@ nginx: # on_calendar: "Mon *-*-* 04:00:00" ratelimitingcrawlers: true is_default: true + is_behind_cloudfront: false # set to true to disable gzip. basic_auth: auth_enabled: false auth_file: "" # optionally provide the path on the deploy server to a htpasswd file - WARNING - it must be valid and will not be checked! diff --git a/docs/roles/debian/python_boto.md b/docs/roles/debian/python_boto.md index 268af9614..0bc0b8d68 100644 --- a/docs/roles/debian/python_boto.md +++ b/docs/roles/debian/python_boto.md 
@@ -9,7 +9,7 @@ Role to install the `boto3` library for Python integration with AWS services. ```yaml python_boto: boto3_version: "" # version string, e.g. "1.22.13" - empty string means latest - # These are usually set within another role using _venv_path and _venv_command but can be overridden. + # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: /path/to/venv #venv_command: /usr/bin/python3.11 -m venv #install_username: deploy # user to become when creating venv diff --git a/docs/roles/debian/python_pip_packages.md b/docs/roles/debian/python_pip_packages.md new file mode 100644 index 000000000..458157e0c --- /dev/null +++ b/docs/roles/debian/python_pip_packages.md @@ -0,0 +1,22 @@ +# Python Pip Packages +Role to install a list of Python packages in a specified Python virtual environment. + + + + + +## Default variables +```yaml +--- +python_pip_packages: + packages: [] + # - name: pip + # state: latest + + # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: /path/to/venv + #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv +``` + + diff --git a/roles/_init/README.md b/roles/_init/README.md index b51e3f41d..77feacb1f 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md 
@@ -9,6 +9,12 @@ This is meant to ALWAYS be included as the first task of a play. If you include ## Default variables ```yaml --- +_ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" +_venv_path: "/home/{{ _ce_provision_username }}/ansible" +_venv_command: /usr/bin/python3 -m venv +_venv_install_username: "{{ _ce_provision_username }}" +_ce_ansible_timer_name: upgrade_ce_provision_ansible + _init: # A list of var directories to include. We only support .yml extensions. # This is used to detect if the playbook must re-run or not. @@ -18,11 +24,17 @@ _init: # Although these variables logically belong with ce_provision, the _init role needs to # gather the extra variables if there are any, so there are _init variables. + + # ce-provision user creation + ce_provision_new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user + #ce_provision_uid # optionally hardcode the UID for this user + # Extra config repo. ce_provision_extra_repository: "" ce_provision_extra_repository_branch: "master" ce_provision_extra_repository_skip_checkout: false ce_provision_extra_repository_vars_file: "custom.yml" + # Whether to commit back changes to extra repo. ce_provision_extra_repository_push: false ce_provision_extra_repository_allowed_vars: [] diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index 7b7c06560..d05a6fc78 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml @@ -1,4 +1,10 @@ --- +_ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" +_venv_path: "/home/{{ _ce_provision_username }}/ansible" +_venv_command: /usr/bin/python3 -m venv +_venv_install_username: "{{ _ce_provision_username }}" +_ce_ansible_timer_name: upgrade_ce_provision_ansible + _init: # A list of var directories to include. We only support .yml extensions. # This is used to detect if the playbook must re-run or not. 
@@ -8,11 +14,17 @@ _init: # Although these variables logically belong with ce_provision, the _init role needs to # gather the extra variables if there are any, so there are _init variables. + + # ce-provision user creation + ce_provision_new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user + #ce_provision_uid # optionally hardcode the UID for this user + # Extra config repo. ce_provision_extra_repository: "" ce_provision_extra_repository_branch: "master" ce_provision_extra_repository_skip_checkout: false ce_provision_extra_repository_vars_file: "custom.yml" + # Whether to commit back changes to extra repo. ce_provision_extra_repository_push: false ce_provision_extra_repository_allowed_vars: [] diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml index 357f94c5e..41ad78d11 100644 --- a/roles/_init/tasks/main.yml +++ b/roles/_init/tasks/main.yml @@ -98,3 +98,27 @@ - _init.ce_provision_extra_repository - _init.ce_provision_extra_repository_vars_file - _init.ce_provision_extra_repository_allowed_vars + +# Install Ansible under the controller user for all servers +# Ensure ansible_connection == 'ssh' (i.e. we are connecting to a server) before executing +- name: Install Ansible. + ansible.builtin.include_role: + name: debian/user_provision + when: ansible_connection == 'ssh' + +- name: Install Ansible. + ansible.builtin.include_role: + name: debian/ansible + vars: + ce_ansible: + venv_path: "{{ _venv_path }}" + venv_command: "{{ _venv_command }}" + install_username: "{{ _venv_install_username }}" + upgrade: + enabled: true + command: "/home/{{ _venv_install_username }}/ansible/bin/python3 -m pip install --upgrade ansible" + on_calendar: "*-*-* 01:30:00" + timer_name: "{{ _ce_ansible_timer_name }}" + linters: + enabled: false + when: ansible_connection == 'ssh' diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index 70c522c53..100be3501 100644 
--- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml @@ -27,7 +27,6 @@ dependencies: when: is_local is not defined or not is_local - role: debian/locales - role: debian/user_root - - role: debian/user_provision - role: debian/apt_extra_packages - role: debian/apt_unattended_upgrades when: is_local is not defined or not is_local @@ -42,15 +41,3 @@ dependencies: when: is_local is not defined or not is_local - role: debian/sudo_config when: is_local is not defined or not is_local - - role: debian/ansible - ce_ansible: - venv_path: "/home/{{ user_provision.username }}/ansible" - venv_command: "/usr/bin/python3 -m venv" - install_username: "{{ user_provision.username }}" - upgrade: - enabled: true - command: "/home/{{ user_provision.username }}/ansible/bin/python3 -m pip install --upgrade ansible" - on_calendar: "*-*-* 01:30:00" - timer_name: upgrade_ansible - linters: - enabled: false diff --git a/roles/debian/ansible/README.md b/roles/debian/ansible/README.md index f50de4929..e86936b93 100644 --- a/roles/debian/ansible/README.md +++ b/roles/debian/ansible/README.md @@ -11,7 +11,7 @@ Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` ```yaml --- ce_ansible: - # These are usually set within another role using _venv_path, _venv_command and _install_username but can be overridden. + # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: "/home/{{ ce_provision.username }}/ansible" #venv_command: /usr/bin/python3.11 -m venv #install_username: deploy # user to become when creating venv diff --git a/roles/debian/ansible/defaults/main.yml b/roles/debian/ansible/defaults/main.yml index 949bb48b7..b98ba3a49 100644 --- a/roles/debian/ansible/defaults/main.yml +++ b/roles/debian/ansible/defaults/main.yml 
@@ -1,6 +1,6 @@ --- ce_ansible: - # These are usually set within another role using _venv_path, _venv_command and _install_username but can be overridden. + # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: "/home/{{ ce_provision.username }}/ansible" #venv_command: /usr/bin/python3.11 -m venv #install_username: deploy # user to become when creating venv diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index 32f14a1f5..7cc09482b 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml 
@@ -33,42 +33,26 @@ - python3-venv - cloud-init # package can get removed with python3-yaml but we need it for auto-scale -- name: Ensure pip is at latest version. - ansible.builtin.pip: - name: - - pip - state: latest - virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" - virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" - become_user: "{{ ce_ansible.install_username | default(_install_username) }}" - become: true - -- name: Install Ansible. - ansible.builtin.pip: - name: - - ansible - virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" - virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" - become_user: "{{ ce_ansible.install_username | default(_install_username) }}" - become: true +- name: Install pip and Ansible. + ansible.builtin.include_role: + name: debian/python_pip_packages + vars: + python_pip_packages: + packages: + - name: pip + state: latest + - name: ansible - name: Install linters. - ansible.builtin.pip: - name: - - ansible-lint - - yamllint - virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}" - virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}" - become_user: "{{ ce_ansible.install_username | default(_install_username) }}" - become: true + ansible.builtin.include_role: + name: debian/python_pip_packages + vars: + python_pip_packages: + packages: + - name: ansible-lint + - name: yamllint when: ce_ansible.linters.enabled -- name: Ensure Ansible venv permissions. - ansible.builtin.file: - path: "{{ ce_ansible.venv_path | default(_venv_path) }}" - owner: "{{ ce_ansible.install_username | default(_install_username) }}" - group: "{{ ce_ansible.install_username | default(_install_username) }}" - - name: Add the venv to $PATH using profile.d. ansible.builtin.copy: content: "export PATH=$PATH:{{ ce_ansible.venv_path | default(_venv_path) }}/bin" 
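Review bot: in the roles/debian/ansible/tasks/main.yml hunk the documented `ce_ansible.venv_path`, `ce_ansible.venv_command` and `ce_ansible.install_username` overrides stop taking effect, because the removed pip tasks resolved `{{ ce_ansible.venv_path | default(_venv_path) }}` while the new `include_role: debian/python_pip_packages` passes only the package list, so the included role falls back to the global `_venv_path`, `_venv_command` and `_venv_install_username` facts. The README and defaults hunks in the same patch still advertise those keys as overridable. Either pass them through under `python_pip_packages:` in the include vars, e.g. `venv_path: "{{ ce_ansible.venv_path | default(_venv_path) }}"` and likewise for `venv_command` and `install_username`, or drop the "can be overridden" comment. The python_boto tasks hunk loses its `python_boto.venv_path | default(_venv_path)` lookup in exactly the same way.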
diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index ae5395780..fa94e8eaa 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml @@ -32,7 +32,7 @@ recurse: true when: ce_deploy.new_user -- name: Fetch back the SSH pub key. +- name: Place the public key in the ce-provision data directory on the controller server. ansible.builtin.fetch: dest: "{{ _ce_provision_data_dir }}" src: "/home/{{ ce_deploy.username }}/.ssh/{{ ce_deploy.key_name }}" @@ -48,7 +48,6 @@ dest: "{{ ce_deploy.local_dir }}" version: "{{ ce_deploy.own_repository_branch | default('master') }}" update: true - # @todo? accept_hostkey: true become: true become_user: "{{ ce_deploy.username }}" @@ -132,7 +131,7 @@ ansible.builtin.set_fact: _venv_path: "{{ ce_deploy.venv_path }}" _venv_command: "{{ ce_deploy.venv_command }}" - _install_username: "{{ ce_deploy.install_username }}" + _venv_install_username: "{{ ce_deploy.install_username }}" _ce_ansible_timer_name: "{{ ce_deploy.upgrade_timer_name }}" - name: Install Ansible. @@ -175,6 +174,14 @@ become_user: "{{ ce_deploy.username }}" when: _ce_deploy_custom_galaxy_requirements.stat.exists +- name: Ensure Ansible venv permissions. + ansible.builtin.file: + path: "{{ _venv_path }}" + state: directory + recurse: true + owner: "{{ ce_deploy.username }}" + group: "{{ ce_deploy.username }}" + - name: Create systemd timer to upgrade mandatory ansible-galaxy collections. ansible.builtin.include_role: name: contrib/systemd_timers diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md index 075b48323..2c43271f7 100644 --- a/roles/debian/ce_provision/README.md +++ b/roles/debian/ce_provision/README.md 
@@ -1,5 +1,6 @@ # ce-provision -Installs Code Enigma's infrastructure management stack on a server. +Installs Code Enigma's infrastructure management stack on a server. Note, the `_init` role creates the user and installs Ansible in a virtual environment, so that must be run prior to the `ce_provision` role. + 
@@ -7,26 +8,24 @@ Installs Code Enigma's infrastructure management stack on a server. ## Default variables ```yaml --- -# See roles/_init/defaults/main.yml for extra variables repo settings. -_ce_provision: - username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" - +# See roles/_init/defaults/main.yml for Ansible installation, controller user creation and extra variables repo settings. ce_provision: - # Location of Ansible installation and components. - venv_path: "/home/{{ _ce_provision.username }}/ansible" - venv_command: /usr/bin/python3 -m venv - install_username: "{{ _ce_provision.username }}" - upgrade_timer_name: upgrade_ce_provision_ansible + # Optional venv overrides - if commented out, values taken from _init defaults. + #venv_path: "/home/{{ _ce_provision_username }}/ansible" + #venv_command: /usr/bin/python3 -m venv + #venv_install_username: "{{ _ce_provision_username }}" + #upgrade_timer_name: upgrade_ce_provision_ansible # Other ce-provision settings. - username: "{{ _ce_provision.username }}" - new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user - key_name: id_rsa.pub # existing users may have a key of a different name + new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user + username: "{{ _ce_provision_username }}" # see _init defaults + #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user + public_key_name: id_rsa.pub # existing users may have a key of a different name # Main repo. own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "master" own_repository_skip_checkout: false # Destination. - local_dir: "/home/{{ _ce_provision.username }}/ce-provision" + local_dir: "/home/{{ _ce_provision_username }}/ce-provision" # Private config repo. config_repository: "" config_repository_branch: "master" 
@@ -43,10 +42,10 @@ ce_provision: branch: master # File containing default roles and collections to install via Ansible Galaxy. # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. - galaxy_custom_requirements_file: "/home/{{ _ce_provision.username }}/ce-provision/config/files/galaxy-requirements.yml" + galaxy_custom_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/home/{{ _ce_provision.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + command: "/home/{{ _ce_provision_username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index 1f3116ba3..5b02954f9 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml 
@@ -1,24 +1,22 @@ --- -# See roles/_init/defaults/main.yml for extra variables repo settings. -_ce_provision: - username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" - +# See roles/_init/defaults/main.yml for Ansible installation, controller user creation and extra variables repo settings. ce_provision: - # Location of Ansible installation and components. - venv_path: "/home/{{ _ce_provision.username }}/ansible" - venv_command: /usr/bin/python3 -m venv - install_username: "{{ _ce_provision.username }}" - upgrade_timer_name: upgrade_ce_provision_ansible + # Optional venv overrides - if commented out, values taken from _init defaults. + #venv_path: "/home/{{ _ce_provision_username }}/ansible" + #venv_command: /usr/bin/python3 -m venv + #venv_install_username: "{{ _ce_provision_username }}" + #upgrade_timer_name: upgrade_ce_provision_ansible # Other ce-provision settings. - username: "{{ _ce_provision.username }}" - new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user - key_name: id_rsa.pub # existing users may have a key of a different name + new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user + username: "{{ _ce_provision_username }}" # see _init defaults + #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user + public_key_name: id_rsa.pub # existing users may have a key of a different name # Main repo. own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "master" own_repository_skip_checkout: false # Destination. - local_dir: "/home/{{ _ce_provision.username }}/ce-provision" + local_dir: "/home/{{ _ce_provision_username }}/ce-provision" # Private config repo. config_repository: "" config_repository_branch: "master" 
@@ -35,8 +33,8 @@ ce_provision: branch: master # File containing default roles and collections to install via Ansible Galaxy. # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. - galaxy_custom_requirements_file: "/home/{{ _ce_provision.username }}/ce-provision/config/files/galaxy-requirements.yml" + galaxy_custom_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/home/{{ _ce_provision.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + command: "/home/{{ _ce_provision_username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index 35ffb1d29..56c0b59b7 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml @@ -1,11 +1,14 @@ --- +# Group usually created already in the _init role. - name: Create the provision group for provisioning. ansible.builtin.group: name: "{{ ce_provision.username }}" system: true - when: ce_provision.new_user + when: + - _ce_provision_username != ce_provision.username + - ce_provision.new_user -- name: Create additional groups. +- name: Create additional controller user groups. ansible.builtin.group: name: "{{ group }}" state: present 
@@ -15,10 +18,11 @@ loop_var: group when: ce_provision.groups | length -- name: Create the provision user for provisioning. +# User normally created already in the _init role. +- name: Generate SSH key for the controller user for provisioning. ansible.builtin.user: name: "{{ ce_provision.username }}" - comment: Provisioning user + comment: Infrastructure provisioning user shell: /bin/bash create_home: true group: "{{ ce_provision.username }}" @@ -32,10 +36,25 @@ groups: "{{ ce_provision.groups }}" when: ce_provision.new_user -- name: Fetch back the SSH pub key. +# This action should only occur for controller servers. +- name: Place the public key in the ce-provision data directory on the controller server. ansible.builtin.fetch: dest: "{{ _ce_provision_data_dir }}" - src: "/home/{{ ce_provision.username }}/.ssh/{{ ce_provision.key_name }}" + src: "/home/{{ ce_provision.username }}/.ssh/{{ ce_provision.public_key_name }}" + +# In case we used a different username for the controller. +- name: Add controller user to sudoers. + ansible.builtin.include_role: + name: debian/sudo_config + vars: + sudo_config: + entity_name: "{{ ce_provision.username }}" + hosts: "ALL" + operators: "(ALL)" + tags: "NOPASSWD:" + commands: "ALL" + filename: "{{ ce_provision.username }}" + when: _ce_provision_username != ce_provision.username # This prevent the original var to be re-evaluated when we move things around. - name: Register config repository. 
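Review bot: the new "Add controller user to sudoers" task in the roles/debian/ce_provision/tasks/main.yml hunk grants `commands: "ALL"` with `operators: "(ALL)"` and `tags: "NOPASSWD:"` to `ce_provision.username` whenever it differs from `_ce_provision_username`, with no other condition and no mention in the ce_provision README hunk. A passwordless full-sudo grant that appears as a side effect of choosing a non-default username is easy to miss; gate it on an explicit default (something along the lines of a `ce_provision.sudoers_grant` boolean, name is a suggestion) and document it next to `new_user` and `username`. Also, the comment above the `fetch` task says "This action should only occur for controller servers", but nothing enforces that: without a `when:` identifying controller hosts, every host running this role copies its provision user's public key into `_ce_provision_data_dir` on the Ansible controller.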
@@ -135,38 +154,61 @@ with_items: "{{ ce_provision.contrib_roles }}" when: ce_provision.contrib_roles | length > 0 -# Install Python applications. -- name: Set up Python venv variables. +# Optionally set Python venv variables. +- name: Override Python venv path if provided. ansible.builtin.set_fact: _venv_path: "{{ ce_provision.venv_path }}" + when: + - ce_provision.venv_path is defined + +- name: Override Python venv command if provided. + ansible.builtin.set_fact: _venv_command: "{{ ce_provision.venv_command }}" - _install_username: "{{ ce_provision.install_username }}" + when: + - ce_provision.venv_command is defined + +- name: Override Python user if provided. + ansible.builtin.set_fact: + _venv_install_username: "{{ ce_provision.venv_install_username }}" + when: + - ce_provision.venv_install_username is defined + +- name: Override systemd timer name for Ansible if provided. + ansible.builtin.set_fact: _ce_ansible_timer_name: "{{ ce_provision.upgrade_timer_name }}" + when: + - ce_provision.upgrade_timer_name is defined +# Install a new Ansible venv if we overrode the system Ansible venv path. - name: Install Ansible. ansible.builtin.include_role: name: debian/ansible + when: ce_provision.venv_path is defined + +# Install the linters if Ansible is already system installed without them. +- name: Install linters. + ansible.builtin.include_role: + name: debian/python_pip_packages + vars: + python_pip_packages: + packages: + - name: ansible-lint + - name: yamllint + when: ce_provision.venv_path is not defined - name: Install python_boto. ansible.builtin.include_role: name: debian/python_boto - name: Ensure dnspython, certifi and pyopenssl are installed. - ansible.builtin.pip: - name: - - dnspython - - certifi - - pyopenssl - virtualenv: "{{ _venv_path }}" - virtualenv_command: "{{ _venv_command }}" - become_user: "{{ ce_provision.install_username | default(_install_username) }}" - become: true - -- name: Ensure Ansible venv permissions. 
- ansible.builtin.file: - path: "{{ _venv_path }}" - owner: "{{ ce_provision.username }}" - group: "{{ ce_provision.username }}" + ansible.builtin.include_role: + name: debian/python_pip_packages + vars: + python_pip_packages: + packages: + - name: dnspython + - name: certifi + - name: pyopenssl - name: Add Python virtual environment to $PATH. ansible.builtin.copy: diff --git a/roles/debian/duplicity/tasks/main.yml b/roles/debian/duplicity/tasks/main.yml index 535161d4b..aeda4def7 100644 --- a/roles/debian/duplicity/tasks/main.yml +++ b/roles/debian/duplicity/tasks/main.yml @@ -21,32 +21,24 @@ ansible.builtin.set_fact: _venv_path: "{{ duplicity.venv_path }}" _venv_command: "{{ duplicity.venv_command }}" - _install_username: "{{ duplicity.install_username }}" + _venv_install_username: "{{ duplicity.install_username }}" -- name: Ensure pip is at latest version. - ansible.builtin.pip: - name: - - pip - state: latest - virtualenv: "{{ duplicity.venv_path | default(_venv_path) }}" - virtualenv_command: "{{ duplicity.venv_command | default(_venv_command) }}" - become_user: "{{ duplicity.install_username | default(_install_username) }}" - become: true +- name: Manage required pip packages. + ansible.builtin.include_role: + name: debian/python_pip_packages + vars: + python_pip_packages: + packages: + - name: pip + state: latest + - name: fasteners + - name: duplicity - name: Install python_boto. ansible.builtin.include_role: name: debian/python_boto -- name: Install Duplicity and dependencies. - ansible.builtin.pip: - name: - - fasteners - - duplicity - virtualenv: "{{ duplicity.venv_path | default(_venv_path) }}" - virtualenv_command: "{{ duplicity.venv_command | default(_venv_command) }}" - become_user: "{{ duplicity.install_username | default(_install_username) }}" - become: true - +# Install Duplicity scripts. - name: Create install dir. ansible.builtin.file: path: "{{ duplicity.install_dir }}" 
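Review bot: the roles/debian/duplicity/tasks/main.yml hunk renames the fact to `_venv_install_username` but still reads it from `duplicity.install_username`, while the ce_provision hunks in this patch renamed the role key to `venv_install_username` (and the ce_deploy hunk keeps `install_username`). Settle on one key name across roles, or state in the duplicity README which one applies, so an operator who copies the ce_provision key into duplicity does not set something that is silently ignored. Separately, `pip` gets `state: latest` but `fasteners` and `duplicity` are unpinned, and the new python_pip_packages task only passes `name` and `state` through, so there is no way to pin the backup tooling to a tested version; a `version:` key handed to `ansible.builtin.pip` would make rebuilds reproducible.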
diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 340ef09da..4751e36bc 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md @@ -72,6 +72,7 @@ nginx: # on_calendar: "Mon *-*-* 04:00:00" ratelimitingcrawlers: true is_default: true + is_behind_cloudfront: false # set to true to disable gzip. basic_auth: auth_enabled: false auth_file: "" # optionally provide the path on the deploy server to a htpasswd file - WARNING - it must be valid and will not be checked! diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 80f9dee43..384fd1dad 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -21,6 +21,14 @@ pkg: python3-passlib state: present +- name: Install passlib in the Ansible venv. + ansible.builtin.include_role: + name: debian/python_pip_packages + vars: + python_pip_packages: + packages: + - name: passlib + - name: Copy main nginx config. ansible.builtin.template: src: nginx.conf.j2 diff --git a/roles/debian/python_boto/README.md b/roles/debian/python_boto/README.md index 268af9614..0bc0b8d68 100644 --- a/roles/debian/python_boto/README.md +++ b/roles/debian/python_boto/README.md @@ -9,7 +9,7 @@ Role to install the `boto3` library for Python integration with AWS services. ```yaml python_boto: boto3_version: "" # version string, e.g. "1.22.13" - empty string means latest - # These are usually set within another role using _venv_path and _venv_command but can be overridden. + # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: /path/to/venv #venv_command: /usr/bin/python3.11 -m venv #install_username: deploy # user to become when creating venv diff --git a/roles/debian/python_boto/defaults/main.yml b/roles/debian/python_boto/defaults/main.yml index 69daa3a62..efcd654ea 100644 --- a/roles/debian/python_boto/defaults/main.yml 
+++ b/roles/debian/python_boto/defaults/main.yml @@ -1,6 +1,6 @@ python_boto: boto3_version: "" # version string, e.g. "1.22.13" - empty string means latest - # These are usually set within another role using _venv_path and _venv_command but can be overridden. + # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: /path/to/venv #venv_command: /usr/bin/python3.11 -m venv #install_username: deploy # user to become when creating venv diff --git a/roles/debian/python_boto/tasks/main.yml b/roles/debian/python_boto/tasks/main.yml index 4cdf5ab9b..efa4d0153 100644 --- a/roles/debian/python_boto/tasks/main.yml +++ b/roles/debian/python_boto/tasks/main.yml @@ -25,16 +25,10 @@ - python3-venv - cloud-init # package can get removed with python3-yaml but we need it for auto-scale -- name: Ensure boto3 is installed. - ansible.builtin.pip: - name: "{{ _boto3_install_package }}" - virtualenv: "{{ python_boto.venv_path | default(_venv_path) }}" - virtualenv_command: "{{ python_boto.venv_command | default(_venv_command) }}" - become_user: "{{ python_boto.install_username | default(_install_username) }}" - become: true - -- name: Ensure Ansible venv permissions. - ansible.builtin.file: - path: "{{ python_boto.venv_path | default(_venv_path) }}" - owner: "{{ python_boto.install_username | default(_install_username) }}" - group: "{{ python_boto.install_username | default(_install_username) }}" +- name: Install boto3. + ansible.builtin.include_role: + name: debian/python_pip_packages + vars: + python_pip_packages: + packages: + - name: "{{ _boto3_install_package }}" diff --git a/roles/debian/python_pip_packages/README.md b/roles/debian/python_pip_packages/README.md new file mode 100644 index 000000000..458157e0c --- /dev/null +++ b/roles/debian/python_pip_packages/README.md 
@@ -0,0 +1,22 @@ +# Python Pip Packages +Role to install a list of Python packages in a specified Python virtual environment. + + + + + +## Default variables +```yaml +--- +python_pip_packages: + packages: [] + # - name: pip + # state: latest + + # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: /path/to/venv + #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv +``` + + diff --git a/roles/debian/python_pip_packages/defaults/main.yml b/roles/debian/python_pip_packages/defaults/main.yml new file mode 100644 index 000000000..d02af348e --- /dev/null +++ b/roles/debian/python_pip_packages/defaults/main.yml @@ -0,0 +1,10 @@ +--- +python_pip_packages: + packages: [] + # - name: pip + # state: latest + + # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: /path/to/venv + #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv \ No newline at end of file diff --git a/roles/debian/python_pip_packages/tasks/main.yml b/roles/debian/python_pip_packages/tasks/main.yml new file mode 100644 index 000000000..50c038d25 --- /dev/null +++ b/roles/debian/python_pip_packages/tasks/main.yml 
@@ -0,0 +1,16 @@ +--- +- name: Install packages. + ansible.builtin.pip: + name: "{{ item.name }}" + state: "{{ item.state | default(omit) }}" + virtualenv: "{{ python_pip_packages.venv_path | default(_venv_path) }}" + virtualenv_command: "{{ python_pip_packages.venv_command | default(_venv_command) }}" + with_items: "{{ python_pip_packages.packages }}" + +- name: Ensure venv permissions. + ansible.builtin.file: + path: "{{ python_pip_packages.venv_path | default(_venv_path) }}" + state: directory + recurse: true + owner: "{{ python_pip_packages.install_username | default(_venv_install_username) }}" + group: "{{ python_pip_packages.install_username | default(_venv_install_username) }}" From 4a0e81face1fa6821384f9cc5f9dc861ebe422e8 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Fri, 29 Mar 2024 14:28:19 +0100 Subject: [PATCH 095/331] Mailpit role pr 2.x (#1522) * Stopping NGINX dropping a proxy vhost for LE if we have a services[] list. * Adding the new Mailpit role. * Updating docs. * Variable name typo. * Adding a mailpit_open firewall rule to make life easier in containers. * Final pass of Mailpit role, now works straight away in containers. --- docs/_Sidebar.md | 1 + docs/roles/debian/firewall_config.md | 3 + docs/roles/debian/mailpit.md | 63 ++++++++++++++ roles/debian/firewall_config/README.md | 3 + .../debian/firewall_config/defaults/main.yml | 3 + roles/debian/mailpit/README.md | 63 ++++++++++++++ roles/debian/mailpit/defaults/main.yml | 42 +++++++++ roles/debian/mailpit/tasks/main.yml | 87 +++++++++++++++++++ .../mailpit/templates/mailpit.service.j2 | 16 ++++ roles/debian/nginx/tasks/domain.yml | 5 ++ 10 files changed, 286 insertions(+) create mode 100644 docs/roles/debian/mailpit.md create mode 100644 roles/debian/mailpit/README.md create mode 100644 roles/debian/mailpit/defaults/main.yml create mode 100644 roles/debian/mailpit/tasks/main.yml create mode 100644 roles/debian/mailpit/templates/mailpit.service.j2 
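Review bot: in the roles/_init/tasks/main.yml hunk both new tasks are named "Install Ansible.", but the first one includes `debian/user_provision`, so play output will report Ansible being installed twice and the user creation nowhere; rename the first to something like "Create the provision user.". In the second task the upgrade timer hard-codes `command: "/home/{{ _venv_install_username }}/ansible/bin/python3 -m pip install --upgrade ansible"` while the venv itself is created at `venv_path: "{{ _venv_path }}"`; whenever `_venv_path` is not `/home/<user>/ansible`, the nightly timer upgrades, or fails on, a different directory than the one Ansible runs from. Derive it from the same fact (`"{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible"`); the removed `common_base` dependency block had the same hard-coding, so this move is the moment to fix it.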
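Review bot: the roles/debian/ce_deploy/tasks/main.yml hunk at `@@ -48,7 +48,6 @@` deletes only the `# @todo?` marker above `accept_hostkey: true` on the git checkout, so the open question disappears while the behaviour stays: the first clone trusts whatever host key the repository server presents. If the todo is considered resolved, say so in the commit message; otherwise keep the marker or, better, distribute the expected key with `ansible.builtin.known_hosts` and drop `accept_hostkey`. The new "Ensure Ansible venv permissions" task with `recurse: true` is fine as far as it goes, but because it runs after the galaxy install it only repairs ownership after the fact; the install steps ahead of it should run as `ce_deploy.username` in the first place.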
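Review bot: the new roles/debian/python_pip_packages/tasks/main.yml runs `ansible.builtin.pip` as the connecting, privileged user and then repairs ownership with a recursive `ansible.builtin.file`, whereas every task it replaces in this patch (debian/ansible, python_boto, duplicity) ran pip with `become: true` and `become_user: "{{ ... install_username | default(_install_username) }}"`. Installing from PyPI as root executes package build and setup code with root privileges and leaves the venv root-owned until the second task runs; carry the `become`/`become_user` pair over to the pip task, using `python_pip_packages.install_username | default(_venv_install_username)`, and keep the file task only as a safety net. Two smaller points: `with_items:` could be `loop:`, and roles/debian/python_pip_packages/defaults/main.yml ends with `\ No newline at end of file`, which the yamllint this very patch installs will flag.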
diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 8f58e1a36..7e75973d1 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -55,6 +55,7 @@ - [Jitsi](/roles/debian/jitsi) - [LDAP Server](/roles/debian/ldap_server) - [LHCI](/roles/debian/lhci) + - [Mailpit](/roles/debian/mailpit) - [Mount sync](/roles/debian/mount_sync) - [MariaDB Client](/roles/debian/mysql_client) - [MySQL Server - Oracle Community Edition](/roles/debian/mysql_server_oracle_ce) diff --git a/docs/roles/debian/firewall_config.md b/docs/roles/debian/firewall_config.md index 5f8f34ee2..1577b0c12 100644 --- a/docs/roles/debian/firewall_config.md +++ b/docs/roles/debian/firewall_config.md @@ -77,6 +77,9 @@ firewall_config: firewall_allowed_tcp_ports: - "80" - "443" + mailpit_open: + firewall_allowed_tcp_ports: + - "8025" ftp_open: firewall_allowed_tcp_ports: - "20" diff --git a/docs/roles/debian/mailpit.md b/docs/roles/debian/mailpit.md new file mode 100644 index 000000000..5431d0cf2 --- /dev/null +++ b/docs/roles/debian/mailpit.md 
@@ -0,0 +1,63 @@ +# Mailpit +[Mailpit](https://mailpit.axllent.org) provides a dummy SMTP mail server and a HTTP interface for checking email so you can verify email is functional in an application without actually sending it out. This is particularly handy in dev and testing environments, as well as on local development environments. + +The defaults will install Mailpit as a service and start it with SMTP on port 1025 and the web UI on port 8025. Don't forget, for access to the web UI you will need to open the firewall port. By default the web UI is on port 8025. + +The role will also attempt to create a self-signed SSL certificate for Mailpit unless you set `mailpit.create_cert` to `false`. If you already have an SSL certificate you may do this and provide the paths to cert and key and, as long as `mailpit.https` is set to `true` the service will try to start with the specified cert and key. There are also ready defaults for LetsEncrypt commented out. + +If you set `mailpit.service` to `false` then the role will simply install Mailpit and stop, leaving it to you to start and stop the application. + +This role works fine in Docker, however [for `ce-dev` you might consider using the Mailpit container instead](https://mailpit.axllent.org/docs/install/docker/). 
+ + + + + +## Default variables +```yaml +--- +mailpit: + script_install_path: "/home/{{ user_provision.username }}" + https: true + create_cert: true + service: true + database_directory: "/home/{{ user_provision.username }}/mailpit" # must be readable and writeable by the executing user + database_filename: mailpit.db + smtp_listen: 0.0.0.0:1025 + web_ui_listen: 0.0.0.0:8025 + web_ui_webroot: / + web_ui_authfile_src: "" # path to your base auth passwords file on the Ansible controller - see https://mailpit.axllent.org/docs/configuration/http-authentication/ + web_ui_authfile_dest: "" # path where you want to place your passwords file on the target - leave empty for no basic auth + web_ui_ssl_cert: "/etc/ssl/selfsigned/{{ _domain_name }}.cert" + web_ui_ssl_key: "/etc/ssl/selfsigned/{{ _domain_name }}.key" + # LetsEncrypt example paths + #web_ui_ssl_cert: "/etc/letsencrypt/live/{{ _domain_name }}/fullchain.pem" + #web_ui_ssl_key: "/etc/letsencrypt/live/{{ _domain_name }}/privkey.pem" + additional_options: "" # runtime custom options - see https://mailpit.axllent.org/docs/configuration/runtime-options/ + # only used if https: false, otherwise must run as root + user: "{{ user_provision.username }}" + group: "{{ user_provision.username }}" + # @see the 'ssl' role - defaults to using LetsEncrypt + ssl: + replace_existing: false + domains: + - "{{ _domain_name }}" + handling: selfsigned + # example LetsEncrypt config + #handling: letsencrypt + #http_01_port: 80 + #autorenew: true + #email: sysadm@codeenigma.com + #services: + # - nginx + #web_server: standalone + #certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" + #certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + #reload_command: restart + #reload: + # - mailpit + #on_calendar: "Mon *-*-* 04:00:00" + +``` + + diff --git a/roles/debian/firewall_config/README.md b/roles/debian/firewall_config/README.md index 5f8f34ee2..1577b0c12 100644 
--- a/roles/debian/firewall_config/README.md +++ b/roles/debian/firewall_config/README.md @@ -77,6 +77,9 @@ firewall_config: firewall_allowed_tcp_ports: - "80" - "443" + mailpit_open: + firewall_allowed_tcp_ports: + - "8025" ftp_open: firewall_allowed_tcp_ports: - "20" diff --git a/roles/debian/firewall_config/defaults/main.yml b/roles/debian/firewall_config/defaults/main.yml index 422c6cf7f..7c9193af6 100644 --- a/roles/debian/firewall_config/defaults/main.yml +++ b/roles/debian/firewall_config/defaults/main.yml @@ -29,6 +29,9 @@ firewall_config: firewall_allowed_tcp_ports: - "80" - "443" + mailpit_open: + firewall_allowed_tcp_ports: + - "8025" ftp_open: firewall_allowed_tcp_ports: - "20" diff --git a/roles/debian/mailpit/README.md b/roles/debian/mailpit/README.md new file mode 100644 index 000000000..5431d0cf2 --- /dev/null +++ b/roles/debian/mailpit/README.md 
@@ -0,0 +1,63 @@ +# Mailpit +[Mailpit](https://mailpit.axllent.org) provides a dummy SMTP mail server and a HTTP interface for checking email so you can verify email is functional in an application without actually sending it out. This is particularly handy in dev and testing environments, as well as on local development environments. + +The defaults will install Mailpit as a service and start it with SMTP on port 1025 and the web UI on port 8025. Don't forget, for access to the web UI you will need to open the firewall port. By default the web UI is on port 8025. + +The role will also attempt to create a self-signed SSL certificate for Mailpit unless you set `mailpit.create_cert` to `false`. If you already have an SSL certificate you may do this and provide the paths to cert and key and, as long as `mailpit.https` is set to `true` the service will try to start with the specified cert and key. There are also ready defaults for LetsEncrypt commented out. + +If you set `mailpit.service` to `false` then the role will simply install Mailpit and stop, leaving it to you to start and stop the application. + +This role works fine in Docker, however [for `ce-dev` you might consider using the Mailpit container instead](https://mailpit.axllent.org/docs/install/docker/). 
+ + + + + +## Default variables +```yaml +--- +mailpit: + script_install_path: "/home/{{ user_provision.username }}" + https: true + create_cert: true + service: true + database_directory: "/home/{{ user_provision.username }}/mailpit" # must be readable and writeable by the executing user + database_filename: mailpit.db + smtp_listen: 0.0.0.0:1025 + web_ui_listen: 0.0.0.0:8025 + web_ui_webroot: / + web_ui_authfile_src: "" # path to your base auth passwords file on the Ansible controller - see https://mailpit.axllent.org/docs/configuration/http-authentication/ + web_ui_authfile_dest: "" # path where you want to place your passwords file on the target - leave empty for no basic auth + web_ui_ssl_cert: "/etc/ssl/selfsigned/{{ _domain_name }}.cert" + web_ui_ssl_key: "/etc/ssl/selfsigned/{{ _domain_name }}.key" + # LetsEncrypt example paths + #web_ui_ssl_cert: "/etc/letsencrypt/live/{{ _domain_name }}/fullchain.pem" + #web_ui_ssl_key: "/etc/letsencrypt/live/{{ _domain_name }}/privkey.pem" + additional_options: "" # runtime custom options - see https://mailpit.axllent.org/docs/configuration/runtime-options/ + # only used if https: false, otherwise must run as root + user: "{{ user_provision.username }}" + group: "{{ user_provision.username }}" + # @see the 'ssl' role - defaults to using LetsEncrypt + ssl: + replace_existing: false + domains: + - "{{ _domain_name }}" + handling: selfsigned + # example LetsEncrypt config + #handling: letsencrypt + #http_01_port: 80 + #autorenew: true + #email: sysadm@codeenigma.com + #services: + # - nginx + #web_server: standalone + #certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" + #certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + #reload_command: restart + #reload: + # - mailpit + #on_calendar: "Mon *-*-* 04:00:00" + +``` + + 
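Review bot: the docs/roles/debian/mailpit.md and roles/debian/mailpit/README.md hunks ship defaults that, taken together, expose captured mail to the network without authentication: `web_ui_listen: 0.0.0.0:8025`, `web_ui_authfile_dest: ""` (documented as "leave empty for no basic auth"), and the `mailpit_open` preset added to firewall_config in this same patch opens 8025 to any source. Mail caught in dev and test environments routinely carries password-reset and login links, so the README should say plainly that `mailpit_open` belongs with an authfile or a source-restricted rule, or the default `web_ui_listen` should be `127.0.0.1:8025` with operators widening it deliberately. The comment `# only used if https: false, otherwise must run as root` also documents a privilege choice worth avoiding: giving `mailpit.user` read access to `web_ui_ssl_cert` and `web_ui_ssl_key` (group ownership on the selfsigned or letsencrypt files) lets the service stay unprivileged with HTTPS on. Finally, `# @see the 'ssl' role - defaults to using LetsEncrypt` sits directly above `handling: selfsigned`, so one of the two should change.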
diff --git a/roles/debian/mailpit/defaults/main.yml b/roles/debian/mailpit/defaults/main.yml new file mode 100644 index 000000000..5a0666593 --- /dev/null +++ b/roles/debian/mailpit/defaults/main.yml 
@@ -0,0 +1,42 @@ +--- +mailpit: + script_install_path: "/home/{{ user_provision.username }}" + https: true + create_cert: true + service: true + database_directory: "/home/{{ user_provision.username }}/mailpit" # must be readable and writeable by the executing user + database_filename: mailpit.db + smtp_listen: 0.0.0.0:1025 + web_ui_listen: 0.0.0.0:8025 + web_ui_webroot: / + web_ui_authfile_src: "" # path to your base auth passwords file on the Ansible controller - see https://mailpit.axllent.org/docs/configuration/http-authentication/ + web_ui_authfile_dest: "" # path where you want to place your passwords file on the target - leave empty for no basic auth + web_ui_ssl_cert: "/etc/ssl/selfsigned/{{ _domain_name }}.cert" + web_ui_ssl_key: "/etc/ssl/selfsigned/{{ _domain_name }}.key" + # LetsEncrypt example paths + #web_ui_ssl_cert: "/etc/letsencrypt/live/{{ _domain_name }}/fullchain.pem" + #web_ui_ssl_key: "/etc/letsencrypt/live/{{ _domain_name }}/privkey.pem" + additional_options: "" # runtime custom options - see https://mailpit.axllent.org/docs/configuration/runtime-options/ + # only used if https: false, otherwise must run as root + user: "{{ user_provision.username }}" + group: "{{ user_provision.username }}" + # @see the 'ssl' role - defaults to using LetsEncrypt + ssl: + replace_existing: false + domains: + - "{{ _domain_name }}" + handling: selfsigned + # example LetsEncrypt config + #handling: letsencrypt + #http_01_port: 80 + #autorenew: true + #email: sysadm@codeenigma.com + #services: + # - nginx + #web_server: standalone + #certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" + #certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + #reload_command: restart + #reload: + # - mailpit + #on_calendar: "Mon *-*-* 04:00:00" diff --git a/roles/debian/mailpit/tasks/main.yml b/roles/debian/mailpit/tasks/main.yml new file mode 100644 index 000000000..aa376cfe4 --- /dev/null 
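Review bot: the comment `# only used if https: false, otherwise must run as root` bakes a needless privilege into the default configuration: with `https: true` (the default) the whole Mailpit process, SMTP listener on `0.0.0.0:1025` included, runs as root purely so it can read `web_ui_ssl_cert`/`web_ui_ssl_key`. Give `mailpit.group` read access to the key instead (for example `0640` with the group set on the selfsigned key, or a systemd `LoadCredential=` entry) and drop to `user`/`group` unconditionally. Also reconsider whether `smtp_listen` and `web_ui_listen` should default to all interfaces; a mail sink for local testing rarely needs to be reachable from other hosts, and `127.0.0.1:` defaults would make the README's firewall advice an explicit opt-in.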
+++ b/roles/debian/mailpit/tasks/main.yml 
@@ -0,0 +1,87 @@ +--- +- name: Download latest Mailpit install script. + ansible.builtin.get_url: + url: https://raw.githubusercontent.com/axllent/mailpit/develop/install.sh + dest: "{{ mailpit.script_install_path }}/mailpit-install.sh" + mode: '0750' + owner: "{{ mailpit.user }}" + group: "{{ mailpit.group }}" + force: true + +- name: Attempt to install Mailpit. + ansible.builtin.command: + cmd: "{{ mailpit.script_install_path }}/mailpit-install.sh" + +- name: Generate SSL keys if requested. + ansible.builtin.include_role: + name: debian/ssl + vars: + ssl: "{{ mailpit.ssl }}" + when: mailpit.create_cert + +- name: Copy basic htauth file to server. + ansible.builtin.copy: + src: "{{ mailpit.web_ui_authfile_src }}" + dest: "{{ mailpit.web_ui_authfile_dest }}" + owner: root + group: root + mode: 0644 + when: mailpit.web_ui_authfile_dest | length > 0 + +- name: Start the launch string for the Mailpit service with the database location. + ansible.builtin.set_fact: + _mailpit_service_command: "-d {{ mailpit.database_directory }}/{{ mailpit.database_filename }}" + when: mailpit.service + +- name: Add web UI settings to launch string for Mailpit. + ansible.builtin.set_fact: + _mailpit_service_command: "{{ _mailpit_service_command }} --listen {{ mailpit.web_ui_listen }} --webroot {{ mailpit.web_ui_webroot }}" + when: mailpit.service + +- name: Add SMTP settings to launch string for Mailpit. + ansible.builtin.set_fact: + _mailpit_service_command: "{{ _mailpit_service_command }} --smtp {{ mailpit.smtp_listen }}" + when: mailpit.service + +- name: Add auth file to the launch string for Mailpit. + ansible.builtin.set_fact: + _mailpit_service_command: "{{ _mailpit_service_command }} --ui-auth-file {{ mailpit.web_ui_authfile_dest }}" + when: + - mailpit.service + - mailpit.web_ui_authfile_dest | length > 0 + +- name: Add SSL options to the launch string for Mailpit. 
+ ansible.builtin.set_fact: + _mailpit_service_command: "{{ _mailpit_service_command }} --ui-tls-cert {{ mailpit.web_ui_ssl_cert }} --ui-tls-key {{ mailpit.web_ui_ssl_key }}" + when: + - mailpit.service + - mailpit.https + +- name: Add any additionally provided options to the launch string for Mailpit. + ansible.builtin.set_fact: + _mailpit_service_command: "{{ _mailpit_service_command }} {{ mailpit.additional_options }}" + when: + - mailpit.service + - mailpit.additional_options | length > 0 + +- name: Copy systemd service file to server. + ansible.builtin.template: + src: mailpit.service.j2 + dest: "/etc/systemd/system/mailpit.service" + owner: root + group: root + mode: 0755 + when: mailpit.service + +- name: Ensure the database directory exists and is writeable. + ansible.builtin.file: + path: "{{ mailpit.database_directory }}" + state: directory + +- name: Start Mailpit. + ansible.builtin.systemd_service: + name: mailpit + state: started + daemon_reload: true + enabled: true + when: mailpit.service diff --git a/roles/debian/mailpit/templates/mailpit.service.j2 b/roles/debian/mailpit/templates/mailpit.service.j2 new file mode 100644 index 000000000..b3cc0c12a --- /dev/null +++ b/roles/debian/mailpit/templates/mailpit.service.j2 @@ -0,0 +1,16 @@ +[Unit] +Description=Mailpit server + +[Service] +ExecStart=/usr/local/bin/mailpit {{ _mailpit_service_command }} +Restart=always +# Restart service after 10 seconds if node service crashes +RestartSec=10 +SyslogIdentifier=mailpit +{% if not mailpit.https %} +User={{ mailpit.user }} +Group={{ mailpit.group }} +{% endif %} + +[Install] +WantedBy=multi-user.target diff --git a/roles/debian/nginx/tasks/domain.yml b/roles/debian/nginx/tasks/domain.yml index 2c15440ea..57c7d7b9e 100644 --- a/roles/debian/nginx/tasks/domain.yml +++ b/roles/debian/nginx/tasks/domain.yml 
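Review bot: "Download latest Mailpit install script" fetches `install.sh` from the moving `develop` branch with `force: true` and "Attempt to install Mailpit" executes it on every run, so whatever that branch contains at the time becomes root-executed code on the target with no version pin and no integrity check. Pin a release (of the script or of the binary it fetches), verify it with `get_url`'s `checksum:` parameter, and add `creates: /usr/local/bin/mailpit` (or a version comparison) to the `command` task so the role is idempotent. Three permission points in the same file: "Copy basic htauth file to server" writes the password hashes `0644` root:root (world-readable; use `0640` with `group: "{{ mailpit.group }}"` so a non-root service can still read it), "Copy systemd service file to server" writes the unit `0755` (unit files should be `0644`), and "Ensure the database directory exists and is writeable" sets no `owner`/`group`/`mode`, so with `https: false` the directory is created by root and the `User={{ mailpit.user }}` service from the template cannot create `mailpit.db`; that task also runs when `mailpit.service` is false, unlike the rest of the service tasks. In the template, the `User=`/`Group=` lines are gated on `not mailpit.https`, so the TLS configuration is the one that runs as root, and the comment "if node service crashes" is a copy-paste leftover.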
@@ -9,6 +9,7 @@ when: - domain.ssl is defined - domain.ssl.handling == 'letsencrypt' + - domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 - name: Enable vhost. ansible.builtin.file: @@ -18,6 +19,7 @@ when: - domain.ssl is defined - domain.ssl.handling == 'letsencrypt' + - domain.ssl.services | length > 0 - name: Reload the nginx service. ansible.builtin.service: @@ -26,6 +28,7 @@ when: - domain.ssl is defined - domain.ssl.handling == 'letsencrypt' + - domain.ssl.services | length > 0 - name: Generates SSL keys. ansible.builtin.include_role: @@ -42,6 +45,7 @@ when: - domain.ssl is defined - domain.ssl.handling == 'letsencrypt' + - domain.ssl.services | length > 0 - name: Delete the temporary vhost for LetsEncrypt. ansible.builtin.file: @@ -50,6 +54,7 @@ when: - domain.ssl is defined - domain.ssl.handling == 'letsencrypt' + - domain.ssl.services | length > 0 # If auth_enabled is defined and yes, and auth_pass is not defined or is defined but empty, generate a random password. - name: Generate random htauth password. From 3e001dd32de4910b74fb42234f77bdc3729446c4 Mon Sep 17 00:00:00 2001 
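Review bot: each added condition `domain.ssl.services | length > 0` will fail the task with an undefined-variable error for any domain whose `ssl` dict has no `services` key, because `length` is applied to an undefined value; the comment on the first hunk even says "if services[] is defined", which is not what the expression tests. Use `domain.ssl.services is defined and domain.ssl.services | length > 0`, or `domain.ssl.services | default([]) | length > 0`, and apply the same form in all five hunks so the temporary certbot vhost is created, reloaded and deleted under one consistent rule.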
From: Greg Harvey Date: Sun, 31 Mar 2024 17:32:03 +0200 Subject: [PATCH 096/331] Acm san cert replacement pr 2.x (#1561) * Minor docs update for ASG role. * Adding logic to check if extra domains are in our SAN certificate already. * Fixing SAN cert list creation. * Simplying SAN look-up, sticking to selected certificate. * Ensure we have a SAN domains list before trying to loop over it. * Moving post-create ACM actions to a block. * Adding variable to store obsolete ARN in, could be useful. * Fixing bug with ACM certificate lookup, using ARN instead of domain to avoid multiple responses. --- docs/roles/aws/aws_acm.md | 4 +- docs/roles/aws/aws_ec2_autoscale_cluster.md | 2 +- roles/aws/aws_acm/README.md | 4 +- roles/aws/aws_acm/defaults/main.yml | 2 +- roles/aws/aws_acm/tasks/main.yml | 210 +++++++++--------- roles/aws/aws_ec2_autoscale_cluster/README.md | 2 +- .../defaults/main.yml | 2 +- .../aws_ec2_autoscale_cluster/tasks/main.yml | 4 + 8 files changed, 123 insertions(+), 107 deletions(-) diff --git a/docs/roles/aws/aws_acm.md b/docs/roles/aws/aws_acm.md index b3d0a9a10..beeb449e8 100644 --- a/docs/roles/aws/aws_acm.md +++ b/docs/roles/aws/aws_acm.md @@ -8,7 +8,7 @@ Creates AWS certificate requests. Allows for passing a validation domain. From t Additionally, this role attempts to be idempotent by running `aws acm list-certificates` and ensuring that the domain of the cert being requested is not included in the current list of certificates. -Whenever this role runs it will set the `aws_acm_certificate_arn` variable so you have the ARN of the certificate, whether it exists already or it is newly created. +Whenever this role runs it will set the `aws_acm_certificate_arn` variable so you have the ARN of the certificate, whether it exists already or it is newly created. If applicable it will *also* set the `aws_acm_obsolete_certificate_arn` variable, so you can choose to use that to automatically delete a certificate that has been replaced later. 
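Review bot: the new sentence says `aws_acm_obsolete_certificate_arn` is set "if applicable" without saying when; from the tasks it is set only on a run that issues a replacement certificate, and it is never initialised or reset, so a play that includes the role for several domains can carry a stale value from an earlier include into the next. The docs should tell callers to guard with `aws_acm_obsolete_certificate_arn is defined` (and the role should reset it to `""` at the start), and the idempotency paragraph just above should mention that `extra_domains` are now compared against the existing certificate's SAN list, not only the primary domain, since that is what now triggers a new request.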
@@ -27,7 +27,7 @@ aws_acm: # zone: example.com # aws_profile: us-east-1 validate: true # you need to set this to false if the validation zone is not in Route 53 or you do not have CLI access - export: true + export: false route_53: aws_profile: "{{ _aws_profile }}" # the zone might not be in the same account as the certificate zone: example.com diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md index 00f0cc329..73144ac8c 100644 --- a/docs/roles/aws/aws_ec2_autoscale_cluster.md +++ b/docs/roles/aws/aws_ec2_autoscale_cluster.md @@ -29,7 +29,7 @@ aws_ec2_autoscale_cluster: extra_domains: [] # list of Subject Alternative Name domains and zones # - domain: www2.example.com # zone: example.com - # aws_profile: us-east-1 + # aws_profile: "{{ _aws_profile }}" route_53: aws_profile: another # the zone might not be in the same account as the certificate zone: example.com diff --git a/roles/aws/aws_acm/README.md b/roles/aws/aws_acm/README.md index b3d0a9a10..beeb449e8 100644 --- a/roles/aws/aws_acm/README.md +++ b/roles/aws/aws_acm/README.md @@ -8,7 +8,7 @@ Creates AWS certificate requests. Allows for passing a validation domain. From t Additionally, this role attempts to be idempotent by running `aws acm list-certificates` and ensuring that the domain of the cert being requested is not included in the current list of certificates. -Whenever this role runs it will set the `aws_acm_certificate_arn` variable so you have the ARN of the certificate, whether it exists already or it is newly created. +Whenever this role runs it will set the `aws_acm_certificate_arn` variable so you have the ARN of the certificate, whether it exists already or it is newly created. If applicable it will *also* set the `aws_acm_obsolete_certificate_arn` variable, so you can choose to use that to automatically delete a certificate that has been replaced later. 
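Review bot: flipping `export` from `true` to `false` is a behaviour change for every caller that reads `aws_acm_exported_certificate`, yet it appears in neither the commit message nor the surrounding docs text; call it out, and add an inline comment on the `export:` line saying what it does (fetch the issued certificate with `acm get-certificate` into `aws_acm_exported_certificate`) and that it only takes effect together with `validate: true`, as the task conditions require.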
@@ -27,7 +27,7 @@ aws_acm: # zone: example.com # aws_profile: us-east-1 validate: true # you need to set this to false if the validation zone is not in Route 53 or you do not have CLI access - export: true + export: false route_53: aws_profile: "{{ _aws_profile }}" # the zone might not be in the same account as the certificate zone: example.com diff --git a/roles/aws/aws_acm/defaults/main.yml b/roles/aws/aws_acm/defaults/main.yml index be5cacebb..ea0c1424e 100644 --- a/roles/aws/aws_acm/defaults/main.yml +++ b/roles/aws/aws_acm/defaults/main.yml @@ -9,7 +9,7 @@ aws_acm: # zone: example.com # aws_profile: us-east-1 validate: true # you need to set this to false if the validation zone is not in Route 53 or you do not have CLI access - export: true + export: false route_53: aws_profile: "{{ _aws_profile }}" # the zone might not be in the same account as the certificate zone: example.com diff --git a/roles/aws/aws_acm/tasks/main.yml b/roles/aws/aws_acm/tasks/main.yml index 8ed67a041..30e49ea9d 100644 --- a/roles/aws/aws_acm/tasks/main.yml +++ b/roles/aws/aws_acm/tasks/main.yml @@ -22,13 +22,15 @@ ansible.builtin.set_fact: aws_acm_certificate_arn: "" _aws_acm_domain_in_cert_list: false + _aws_acm_extra_domains_in_cert_list: true - name: Iterate through the certificate list checking for domain. ansible.builtin.set_fact: aws_acm_certificate_arn: "{{ item.CertificateArn }}" + aws_acm_certificate: "{{ item }}" _aws_acm_domain_in_cert_list: true - when: item.DomainName == aws_acm.domain_name with_items: "{{ _aws_acm_cert_list }}" + when: item.DomainName == aws_acm.domain_name - ansible.builtin.set_fact: _aws_tags_list: [] 
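Review bot: `aws_acm_certificate` is only set inside the loop when an entry matches `aws_acm.domain_name`, yet the later "Check if we have all our domains in a SAN cert" task dereferences `aws_acm_certificate.SubjectAlternativeNameSummaries` guarded only by `_acm_san_domains is defined` and `aws_acm.extra_domains | length > 0`; on a first run with no existing certificate the conditional fails on an undefined variable. Initialise `aws_acm_certificate: {}` alongside `aws_acm_certificate_arn: ""` here and add `_aws_acm_domain_in_cert_list` to that task's `when`. Also, when more than one certificate carries the same `DomainName` (exactly the state this PR creates, since it issues a replacement and leaves the old one in ACM), the loop keeps whichever comes last in `_aws_acm_cert_list`, so a later run may select the obsolete certificate; prefer the most recently issued one, or skip entries whose status is not issued.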
@@ -68,6 +70,15 @@ loop: "{{ aws_acm.extra_domains }}" when: aws_acm.extra_domains | length > 0 +- name: Check if we have all our domains in a SAN cert. + ansible.builtin.set_fact: + _aws_acm_extra_domains_in_cert_list: false + with_items: "{{ _acm_san_domains }}" + when: + - _acm_san_domains is defined + - item not in aws_acm_certificate.SubjectAlternativeNameSummaries + - aws_acm.extra_domains | length > 0 + - name: Send ACM request for a SAN cert if needed. ansible.builtin.command: | aws --profile "{{ aws_acm.aws_profile }}" --region "{{ aws_acm.region }}" \ @@ -78,7 +89,7 @@ --tags {{ _aws_tags_string }} register: _aws_acm_new_san_certificate when: - - not _aws_acm_domain_in_cert_list + - not _aws_acm_extra_domains_in_cert_list - aws_acm.extra_domains | length > 0 - name: Parse returned certificate simple certificate output. 
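Review bot: with no existing certificate for `domain_name`, `_aws_acm_extra_domains_in_cert_list` keeps its initial value `true` (the new check task can only flip it to `false`), so the changed condition `not _aws_acm_extra_domains_in_cert_list` on "Send ACM request for a SAN cert if needed" no longer requests a SAN certificate on a fresh account, where the previous `not _aws_acm_domain_in_cert_list` did. Use `not _aws_acm_domain_in_cert_list or not _aws_acm_extra_domains_in_cert_list` here and in the "Parse returned certificate" task that follows, matching the block condition introduced further down; the same check task should also be conditioned on `_aws_acm_domain_in_cert_list` so it only compares SANs when a certificate was actually found.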
@@ -92,102 +103,103 @@ ansible.builtin.set_fact: _aws_acm_new_certificate: "{{ _aws_acm_new_san_certificate.stdout | from_json }}" when: - - not _aws_acm_domain_in_cert_list + - not _aws_acm_extra_domains_in_cert_list - aws_acm.extra_domains | length > 0 -- name: Fetch the new certificate's ARN. - ansible.builtin.set_fact: - aws_acm_certificate_arn: "{{ _aws_acm_new_certificate.CertificateArn }}" - when: not _aws_acm_domain_in_cert_list - -# Not currently possible to do this with the API, so we just pause 5 seconds - this is usually enough time. -- name: Wait until the new certificate is properly issued. - ansible.builtin.pause: - seconds: 5 - when: - - not _aws_acm_domain_in_cert_list - - aws_acm.validate - -- name: Obtain all information for a the new ACM certificate. - community.aws.acm_certificate_info: - region: "{{ aws_acm.region }}" - profile: "{{ aws_acm.aws_profile }}" - domain_name: "{{ aws_acm.domain_name }}" - register: _aws_acm_new_certificate - when: - - not _aws_acm_domain_in_cert_list - - aws_acm.validate - -- name: Initialise the DNS loop var with main domain entry DNS settings. - ansible.builtin.set_fact: - _acm_dns_all_domains: - - domain: "{{ aws_acm.domain_name }}" - zone: "{{ aws_acm.route_53.zone }}" - aws_profile: "{{ aws_acm.route_53.aws_profile }}" - when: - - aws_acm.route_53.zone is defined - - aws_acm.route_53.zone | length > 0 - - not _aws_acm_domain_in_cert_list - - aws_acm.validate - -- name: Add extra_domains so we can loop through DNS records. - ansible.builtin.set_fact: - _acm_dns_all_domains: "{{ _acm_dns_all_domains + [{'domain': item.domain, 'zone': item.zone, 'aws_profile': item.aws_profile}] }}" - loop: "{{ aws_acm.extra_domains }}" - when: - - aws_acm.extra_domains | length > 0 - - not _aws_acm_domain_in_cert_list - - aws_acm.validate - -- name: Add a DNS records in Route 53 for validation. 
- amazon.aws.route53: - state: present - profile: "{{ item.aws_profile }}" - zone: "{{ item.zone }}" - record: "{{ (_aws_acm_new_certificate.certificates[0].domain_validation_options | selectattr('domain_name', 'search', item.domain))[0].resource_record.name }}" - type: CNAME - value: "{{ (_aws_acm_new_certificate.certificates[0].domain_validation_options | selectattr('domain_name', 'search', item.domain))[0].resource_record.value }}" - overwrite: true - loop: "{{ _acm_dns_all_domains }}" - when: - - aws_acm.route_53.zone is defined - - aws_acm.route_53.zone | length > 0 - - not _aws_acm_domain_in_cert_list - - aws_acm.validate - -- name: Wait for ACM certificate validation to complete. - ansible.builtin.command: | - aws --profile "{{ aws_acm.aws_profile }}" --region "{{ aws_acm.region }}" \ - acm wait certificate-validated \ - --certificate-arn "{{ aws_acm_certificate_arn }}" - when: - - not _aws_acm_domain_in_cert_list - - aws_acm.validate - -# Even though we wait for validation, it's still too quick. -- name: Wait to allow status cache time to update. - ansible.builtin.pause: - seconds: 5 - when: - - not _aws_acm_domain_in_cert_list - - aws_acm.export - - aws_acm.validate - -- name: Fetch certificate for later use. - ansible.builtin.command: | - aws --profile "{{ aws_acm.aws_profile }}" --region "{{ aws_acm.region }}" \ - acm get-certificate \ - --certificate-arn "{{ aws_acm_certificate_arn }}" - register: _aws_acm_exported_certificate_json - when: - - not _aws_acm_domain_in_cert_list - - aws_acm.export - - aws_acm.validate - -- name: Replace JSON certificate output with parsed results. - ansible.builtin.set_fact: - aws_acm_exported_certificate: "{{ _aws_acm_exported_certificate_json.stdout | from_json }}" - when: - - not _aws_acm_domain_in_cert_list - - aws_acm.export - - aws_acm.validate +# Set of tasks to run if a certificate is created. +- name: Handle new certificate actions. 
+ when: not _aws_acm_domain_in_cert_list or not _aws_acm_extra_domains_in_cert_list + block: + - name: Stash the old certificate ARN in case we want to delete it later. + ansible.builtin.set_fact: + aws_acm_obsolete_certificate_arn: "{{ aws_acm_certificate_arn }}" + when: + - aws_acm_certificate_arn | length > 0 + - aws_acm_certificate_arn != _aws_acm_new_certificate.CertificateArn + + - name: Fetch the new certificate's ARN. + ansible.builtin.set_fact: + aws_acm_certificate_arn: "{{ _aws_acm_new_certificate.CertificateArn }}" + + # Not currently possible to do this with the API, so we just pause 5 seconds - this is usually enough time. + - name: Wait until the new certificate is properly issued. + ansible.builtin.pause: + seconds: 5 + when: + - aws_acm.validate + + - name: Obtain all information for a the new ACM certificate. + community.aws.acm_certificate_info: + region: "{{ aws_acm.region }}" + profile: "{{ aws_acm.aws_profile }}" + certificate_arn: "{{ aws_acm_certificate_arn }}" + register: _aws_acm_new_certificate + when: + - aws_acm.validate + + - name: Initialise the DNS loop var with main domain entry DNS settings. + ansible.builtin.set_fact: + _acm_dns_all_domains: + - domain: "{{ aws_acm.domain_name }}" + zone: "{{ aws_acm.route_53.zone }}" + aws_profile: "{{ aws_acm.route_53.aws_profile }}" + when: + - aws_acm.route_53.zone is defined + - aws_acm.route_53.zone | length > 0 + - aws_acm.validate + + - name: Add extra_domains so we can loop through DNS records. + ansible.builtin.set_fact: + _acm_dns_all_domains: "{{ _acm_dns_all_domains + [{'domain': item.domain, 'zone': item.zone, 'aws_profile': item.aws_profile}] }}" + loop: "{{ aws_acm.extra_domains }}" + when: + - aws_acm.extra_domains | length > 0 + - aws_acm.validate + + - name: Add a DNS records in Route 53 for validation. 
+ amazon.aws.route53: + state: present + profile: "{{ item.aws_profile }}" + zone: "{{ item.zone }}" + record: "{{ (_aws_acm_new_certificate.certificates[0].domain_validation_options | selectattr('domain_name', 'search', item.domain))[0].resource_record.name }}" + type: CNAME + value: "{{ (_aws_acm_new_certificate.certificates[0].domain_validation_options | selectattr('domain_name', 'search', item.domain))[0].resource_record.value }}" + overwrite: true + loop: "{{ _acm_dns_all_domains }}" + when: + - aws_acm.route_53.zone is defined + - aws_acm.route_53.zone | length > 0 + - aws_acm.validate + + - name: Wait for ACM certificate validation to complete. + ansible.builtin.command: | + aws --profile "{{ aws_acm.aws_profile }}" --region "{{ aws_acm.region }}" \ + acm wait certificate-validated \ + --certificate-arn "{{ aws_acm_certificate_arn }}" + when: + - aws_acm.validate + + # Even though we wait for validation, it's still too quick. + - name: Wait to allow status cache time to update. + ansible.builtin.pause: + seconds: 5 + when: + - aws_acm.export + - aws_acm.validate + + - name: Fetch certificate for later use. + ansible.builtin.command: | + aws --profile "{{ aws_acm.aws_profile }}" --region "{{ aws_acm.region }}" \ + acm get-certificate \ + --certificate-arn "{{ aws_acm_certificate_arn }}" + register: _aws_acm_exported_certificate_json + when: + - aws_acm.export + - aws_acm.validate + + - name: Replace JSON certificate output with parsed results. + ansible.builtin.set_fact: + aws_acm_exported_certificate: "{{ _aws_acm_exported_certificate_json.stdout | from_json }}" + when: + - aws_acm.export + - aws_acm.validate diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index 00f0cc329..73144ac8c 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md 
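Review bot: the block leaves the replaced certificate in ACM: "Stash the old certificate ARN" records it in `aws_acm_obsolete_certificate_arn`, "Fetch the new certificate's ARN" then overwrites `aws_acm_certificate_arn`, and nothing deletes the old certificate, so every SAN change adds one more until the TODOs in aws_ec2_autoscale_cluster are implemented; at minimum reset `aws_acm_obsolete_certificate_arn` to `""` at the start of the role so callers cannot act on a value left over from an earlier include. Separately, "Obtain all information for a the new ACM certificate" registers into `_aws_acm_new_certificate`, the same variable that held the parsed CLI output, so its shape changes from `{CertificateArn: ...}` to `{certificates: [...]}` in the middle of the block; register the module result under its own name (for example `_aws_acm_new_certificate_info`) and read `certificates[0].domain_validation_options` from that in the Route 53 task.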
@@ -29,7 +29,7 @@ aws_ec2_autoscale_cluster: extra_domains: [] # list of Subject Alternative Name domains and zones # - domain: www2.example.com # zone: example.com - # aws_profile: us-east-1 + # aws_profile: "{{ _aws_profile }}" route_53: aws_profile: another # the zone might not be in the same account as the certificate zone: example.com diff --git a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml index 5c4c4ace3..2946941e7 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml @@ -10,7 +10,7 @@ aws_ec2_autoscale_cluster: extra_domains: [] # list of Subject Alternative Name domains and zones # - domain: www2.example.com # zone: example.com - # aws_profile: us-east-1 + # aws_profile: "{{ _aws_profile }}" route_53: aws_profile: another # the zone might not be in the same account as the certificate zone: example.com diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index 611ba383c..97b26dc8f 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml @@ -353,6 +353,8 @@ TargetGroupName: "{{ aws_ec2_autoscale_cluster.name }}" when: aws_ec2_autoscale_cluster.create_elb +# @TODO - we can use the aws_acm_obsolete_certificate_arn variable to tidy up previous ACM certs, if it is defined. + - name: Add HTTP listeners. ansible.builtin.set_fact: _aws_ec2_autoscale_cluster_listeners: "{{ [_aws_ec2_autoscale_cluster_listeners_http] }}" @@ -720,6 +722,8 @@ - aws_ec2_autoscale_cluster.cloudfront.create_distribution - _cf_certificate_ARN | length > 1 +# @TODO - we can use the aws_acm_obsolete_certificate_arn variable to tidy up previous ACM certs, if it is defined. + - name: Add DNS records in Route 53. amazon.aws.route53: state: "{{ aws_ec2_autoscale_cluster.state }}" 
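Review bot: both `@TODO` comments sit before the tasks that still reference the certificate being replaced (the listeners are built after the first, the Route 53 records after the second), so the eventual cleanup of `aws_acm_obsolete_certificate_arn` must run only after the ALB listeners and the CloudFront distribution have been switched to `aws_acm_certificate_arn`, not at these positions; removing a certificate still attached to a listener or distribution is not a safe operation. The variable is also defined only on the run that replaces a certificate, so the future task needs an `aws_acm_obsolete_certificate_arn is defined` guard, which is worth recording in the TODO text now.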
From cdd8ec5893c8657903f566cbdaeef012b5f89ec1 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 2 Apr 2024 17:18:24 +0200 Subject: [PATCH 097/331] Making Bookworm the default base distro. (#1565) * Making Bookworm the default base distro. * Updating default volume type for EC2 instances to gp3. * Allow the setting of base AMI filter for Packer in ASG role. * Updating ASG docs. --- docs/roles/aws/aws_ami.md | 6 +++--- docs/roles/aws/aws_ec2_autoscale_cluster.md | 3 ++- docs/roles/aws/aws_ec2_with_eip.md | 2 +- roles/aws/aws_ami/README.md | 6 +++--- roles/aws/aws_ami/defaults/main.yml | 6 +++--- roles/aws/aws_ec2_autoscale_cluster/README.md | 3 ++- roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml | 3 ++- roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml | 1 + roles/aws/aws_ec2_with_eip/README.md | 2 +- roles/aws/aws_ec2_with_eip/defaults/main.yml | 2 +- 10 files changed, 19 insertions(+), 15 deletions(-) diff --git a/docs/roles/aws/aws_ami.md b/docs/roles/aws/aws_ami.md index 2d53374d7..f4f3bd2be 100644 --- a/docs/roles/aws/aws_ami.md +++ b/docs/roles/aws/aws_ami.md @@ -22,10 +22,10 @@ Like that it will use `_aws_ami_host` if available and default to `default` if n aws_ami: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" - instance_type: t3.micro + instance_type: c7a.large # more performant packer instances mean less waiting for AMIs! virtualization_type: hvm root_device_type: ebs - name_filter: "debian-11-amd64-*" + name_filter: "debian-12-amd64-*" ami_name: "example" owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" 
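Review bot: the `instance_type` default moving from `t3.micro` to `c7a.large` is not mentioned in the commit message and changes the cost of every AMI build that inherits the default; call it out in the message and in the docs rather than only in the inline comment. The `name_filter` bump to `debian-12-amd64-*` is fine only because `owner: "136693071363"` stays pinned to the Debian account on the next line; the name filter on its own would match any public AMI published under that name, so keep the two documented together.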
@@ -68,7 +68,7 @@ aws_ami: operation: ensure # Only used by the 'repack' operation to define temporary EC2 instance repack: - root_volume_type: gp2 + root_volume_type: gp3 root_volume_size: 20 # Important, for an ASG this must not be larger than the value set in the Launch Configuration cluster_name: "example" # To look up EC2 instances to use for an AMI iam_role: "example" # The IAM role to be assumed by the temporary EC2 instance for repacking an AMI diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md index 73144ac8c..4f3b75255 100644 --- a/docs/roles/aws/aws_ec2_autoscale_cluster.md +++ b/docs/roles/aws/aws_ec2_autoscale_cluster.md @@ -57,7 +57,7 @@ aws_ec2_autoscale_cluster: key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key. ami_owner: self # Default to self-created image. root_volume_size: 30 - root_volume_type: gp2 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html + root_volume_type: gp3 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html root_volume_delete_on_termination: true device_name: /dev/xvda ebs_optimized: true @@ -95,6 +95,7 @@ aws_ec2_autoscale_cluster: packer_force: false # see aws_ami for details packer_vpc_filter: "" # see aws_ami for details packer_subnet_filter_az: "" # see aws_ami for details + packer_name_filter: "debian-12-amd64-*" # see aws_ami for details, Packer base image ami_refresh: true # Whether to build a new AMI or not. asg_refresh: true # Whether to build a new ASG or not. # Define if you want to launch config to use a specific AMI, e.g. to pack a new AMI but not use it right away for QA reasons. diff --git a/docs/roles/aws/aws_ec2_with_eip.md b/docs/roles/aws/aws_ec2_with_eip.md index e7dbd666d..11985ee47 100644 --- a/docs/roles/aws/aws_ec2_with_eip.md +++ b/docs/roles/aws/aws_ec2_with_eip.md 
@@ -27,7 +27,7 @@ aws_ec2_with_eip: termination_protection: false # set to true to disable termination and avoid accidents instance_name: "{{ _domain_name }}" root_volume_size: 80 - root_volume_type: gp2 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html + root_volume_type: gp3 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html root_volume_encrypted: "{{ aws_ami.encrypt_boot }}" # in most cases this should match encrypt_boot in the aws_ami role root_volume_delete_on_termination: true ebs_optimized: true diff --git a/roles/aws/aws_ami/README.md b/roles/aws/aws_ami/README.md index 2d53374d7..f4f3bd2be 100644 --- a/roles/aws/aws_ami/README.md +++ b/roles/aws/aws_ami/README.md @@ -22,10 +22,10 @@ Like that it will use `_aws_ami_host` if available and default to `default` if n aws_ami: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" - instance_type: t3.micro + instance_type: c7a.large # more performant packer instances mean less waiting for AMIs! virtualization_type: hvm root_device_type: ebs - name_filter: "debian-11-amd64-*" + name_filter: "debian-12-amd64-*" ami_name: "example" owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" @@ -68,7 +68,7 @@ aws_ami: operation: ensure # Only used by the 'repack' operation to define temporary EC2 instance repack: - root_volume_type: gp2 + root_volume_type: gp3 root_volume_size: 20 # Important, for an ASG this must not be larger than the value set in the Launch Configuration cluster_name: "example" # To look up EC2 instances to use for an AMI iam_role: "example" # The IAM role to be assumed by the temporary EC2 instance for repacking an AMI diff --git a/roles/aws/aws_ami/defaults/main.yml b/roles/aws/aws_ami/defaults/main.yml index 0316a1b2a..4b9bcbf1c 100644 --- a/roles/aws/aws_ami/defaults/main.yml +++ b/roles/aws/aws_ami/defaults/main.yml 
@@ -2,10 +2,10 @@ aws_ami: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" - instance_type: t3.micro + instance_type: c7a.large # more performant packer instances mean less waiting for AMIs! virtualization_type: hvm root_device_type: ebs - name_filter: "debian-11-amd64-*" + name_filter: "debian-12-amd64-*" ami_name: "example" owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" @@ -48,7 +48,7 @@ aws_ami: operation: ensure # Only used by the 'repack' operation to define temporary EC2 instance repack: - root_volume_type: gp2 + root_volume_type: gp3 root_volume_size: 20 # Important, for an ASG this must not be larger than the value set in the Launch Configuration cluster_name: "example" # To look up EC2 instances to use for an AMI iam_role: "example" # The IAM role to be assumed by the temporary EC2 instance for repacking an AMI diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index 73144ac8c..4f3b75255 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md @@ -57,7 +57,7 @@ aws_ec2_autoscale_cluster: key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key. ami_owner: self # Default to self-created image. root_volume_size: 30 - root_volume_type: gp2 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html + root_volume_type: gp3 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html root_volume_delete_on_termination: true device_name: /dev/xvda ebs_optimized: true 
@@ -95,6 +95,7 @@ aws_ec2_autoscale_cluster: packer_force: false # see aws_ami for details packer_vpc_filter: "" # see aws_ami for details packer_subnet_filter_az: "" # see aws_ami for details + packer_name_filter: "debian-12-amd64-*" # see aws_ami for details, Packer base image ami_refresh: true # Whether to build a new AMI or not. asg_refresh: true # Whether to build a new ASG or not. # Define if you want to launch config to use a specific AMI, e.g. to pack a new AMI but not use it right away for QA reasons. diff --git a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml index 2946941e7..697d76fbf 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml @@ -38,7 +38,7 @@ aws_ec2_autoscale_cluster: key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key. ami_owner: self # Default to self-created image. root_volume_size: 30 - root_volume_type: gp2 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html + root_volume_type: gp3 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html root_volume_delete_on_termination: true device_name: /dev/xvda ebs_optimized: true @@ -76,6 +76,7 @@ aws_ec2_autoscale_cluster: packer_force: false # see aws_ami for details packer_vpc_filter: "" # see aws_ami for details packer_subnet_filter_az: "" # see aws_ami for details + packer_name_filter: "debian-12-amd64-*" # see aws_ami for details, Packer base image ami_refresh: true # Whether to build a new AMI or not. asg_refresh: true # Whether to build a new ASG or not. # Define if you want to launch config to use a specific AMI, e.g. to pack a new AMI but not use it right away for QA reasons. 
diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index 97b26dc8f..9f29692ff 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml @@ -247,6 +247,7 @@ region: "{{ aws_ec2_autoscale_cluster.region }}" ami_name: "{{ _aws_ec2_autoscale_cluster_unique_name }}" encrypt_boot: "{{ aws_ec2_autoscale_cluster.encrypt_boot }}" + name_filter: "{{ aws_ec2_autoscale_cluster.packer_name_filter }}" repack: root_volume_type: "{{ aws_ec2_autoscale_cluster.root_volume_type }}" root_volume_size: "{{ aws_ec2_autoscale_cluster.root_volume_size }}" diff --git a/roles/aws/aws_ec2_with_eip/README.md b/roles/aws/aws_ec2_with_eip/README.md index e7dbd666d..11985ee47 100644 --- a/roles/aws/aws_ec2_with_eip/README.md +++ b/roles/aws/aws_ec2_with_eip/README.md @@ -27,7 +27,7 @@ aws_ec2_with_eip: termination_protection: false # set to true to disable termination and avoid accidents instance_name: "{{ _domain_name }}" root_volume_size: 80 - root_volume_type: gp2 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html + root_volume_type: gp3 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html root_volume_encrypted: "{{ aws_ami.encrypt_boot }}" # in most cases this should match encrypt_boot in the aws_ami role root_volume_delete_on_termination: true ebs_optimized: true diff --git a/roles/aws/aws_ec2_with_eip/defaults/main.yml b/roles/aws/aws_ec2_with_eip/defaults/main.yml index caf58f7a6..56e25ba9c 100644 --- a/roles/aws/aws_ec2_with_eip/defaults/main.yml +++ b/roles/aws/aws_ec2_with_eip/defaults/main.yml 
@@ -17,7 +17,7 @@ aws_ec2_with_eip: termination_protection: false # set to true to disable termination and avoid accidents instance_name: "{{ _domain_name }}" root_volume_size: 80 - root_volume_type: gp2 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html + root_volume_type: gp3 # available options - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html root_volume_encrypted: "{{ aws_ami.encrypt_boot }}" # in most cases this should match encrypt_boot in the aws_ami role root_volume_delete_on_termination: true ebs_optimized: true From fa8720f6d2cf0674b34538228f72c6f8e20ab457 Mon Sep 17 00:00:00 2001 
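Review bot: in the roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml hunk, the new `name_filter: "{{ aws_ec2_autoscale_cluster.packer_name_filter }}"` is handed to aws_ami without any matching owner variable, so the base-image lookup still relies on the aws_ami default `owner: "136693071363"`; that pin is what stops a name-only filter such as `debian-12-amd64-*` from matching a look-alike public AMI, so the `packer_name_filter` comment in the README and defaults should say the owner stays pinned and is changed deliberately, not by widening the filter. Separately, the default `root_volume_type` moving from gp2 to gp3 in both aws_ec2_autoscale_cluster and aws_ec2_with_eip is a behaviour change for existing users that will be picked up the next time the launch configuration or instance is rebuilt, and deserves a changelog line.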
From: Greg Harvey Date: Thu, 4 Apr 2024 12:55:54 +0200 Subject: [PATCH 098/331] Nginx domain handling pr 2.x (#1568) * Moving SSL handling to a separate tasks file. * Making more NGINX settings available for modification. * Allowing more variables to be set for PHP-FPM and the cli. * Adding template line-break for NGINX _common config for style. --- docs/_Sidebar.md | 3 + docs/roles/debian/nginx.md | 25 ++++++- docs/roles/debian/php-cli.md | 45 +++++++++++++ docs/roles/debian/php-common.md | 19 ++++++ docs/roles/debian/php-fpm.md | 67 +++++++++++++++++++ docs/roles/debian/php_xdebug.md | 2 +- roles/debian/nginx/README.md | 25 ++++++- roles/debian/nginx/defaults/main.yml | 23 +++++++ roles/debian/nginx/tasks/domain.yml | 59 +--------------- roles/debian/nginx/tasks/main.yml | 35 +++++----- roles/debian/nginx/tasks/ssl.yml | 63 +++++++++++++++++ roles/debian/nginx/templates/_common.j2 | 30 +++------ .../nginx/templates/_common_cloudfront.j2 | 10 +-- roles/debian/nginx/templates/nginx.conf.j2 | 4 +- roles/debian/php-cli/README.md | 45 +++++++++++++ roles/debian/php-cli/defaults/main.yml | 1 + roles/debian/php-cli/templates/php.cli.ini.j2 | 2 +- roles/debian/php-common/README.md | 19 ++++++ roles/debian/php-fpm/README.md | 67 +++++++++++++++++++ roles/debian/php-fpm/defaults/main.yml | 30 ++++++--- roles/debian/php-fpm/templates/php.fpm.ini.j2 | 6 +- .../php-fpm/templates/www.conf-fixedport.j2 | 10 ++- roles/debian/php-fpm/templates/www.conf.j2 | 11 ++- roles/debian/php_xdebug/README.md | 2 +- 24 files changed, 484 insertions(+), 119 deletions(-) create mode 100644 docs/roles/debian/php-cli.md create mode 100644 docs/roles/debian/php-common.md create mode 100644 docs/roles/debian/php-fpm.md create mode 100644 roles/debian/nginx/tasks/ssl.yml create mode 100644 roles/debian/php-cli/README.md create mode 100644 roles/debian/php-common/README.md create mode 100644 roles/debian/php-fpm/README.md 
diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 7e75973d1..fe73f6915 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -64,7 +64,10 @@ - [OpenVPN](/roles/debian/openvpn) - [OSSEC](/roles/debian/ossec) - [Packer](/roles/debian/packer) + - [PHP terminal client](/roles/debian/php-cli) + - [PHP common components](/roles/debian/php-common) - [PHP Composer](/roles/debian/php_composer) + - [PHP-FPM](/roles/debian/php-fpm) - [phpMyAdmin](/roles/debian/phpmyadmin) - [PHP XDebug](/roles/debian/php_xdebug) - [Postfix](/roles/debian/postfix) diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 4751e36bc..08130a46c 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md @@ -1,6 +1,6 @@ # NGINX -Install and configure the nginx webserver. +Install and configure the NGINX webserver. Note, the directives are mostly DENY FIRST so if you're expecting to find config that blocks a certain file extension or pattern you should consider it the other way and ensure that pattern is not *allowed* anywhere. @@ -29,6 +29,29 @@ nginx: access_log: /var/log/nginx-access.log error_log: /var/log/nginx-error.log ssl_protocols: "TLSv1.2 TLSv1.3" + sendfile: "on" + keepalive_timeout: 65 + gzip_vary: "on" + gzip_types: + - text/plain + - text/css + - text/xml + - text/javascript + - application/javascript + - application/x-javascript + - application/json + - application/xml + - application/xml+rss + - application/xhtml+xml + - application/x-font-ttf + - application/x-font-opentype + - image/svg+xml + - image/x-icon + proxy_buffer_size: 512k + proxy_buffers: "8 256k" + client_body_buffer_size: 512k + fastcgi_buffer_size: 512k + fastcgi_buffers: "8 256k" # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. 
diff --git a/docs/roles/debian/php-cli.md b/docs/roles/debian/php-cli.md new file mode 100644 index 000000000..d8a9c8636 --- /dev/null +++ b/docs/roles/debian/php-cli.md @@ -0,0 +1,45 @@ +# PHP terminal client + +Installs and configures terminal client for PHP. + + + + + +## Default variables +```yaml +--- +php: + cli: + expose_php: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + error_reporting: "{% if _env_type == 'prod' %}E_ALL & ~E_DEPRECATED & ~E_STRICT{% else %}E_ALL{% endif %}" + display_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + display_startup_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + html_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + engine: "On" + short_open_tag: "Off" + max_execution_time: 120 + max_input_time: 60 + max_input_nesting_level: 64 + max_input_vars: 1000 + memory_limit: -1 + log_errors_max_len: 1024 + ignore_repeated_errors: "Off" + ignore_repeated_source: "Off" + post_max_size: 200M + upload_max_filesize: 200M + max_file_uploads: 20 + date_timezone: "Europe/London" + gc_maxlifetime: 1440 + zend_assertions: -1 + overrides: {} + opcache: + enable: 1 + enable_cli: 0 + memory_consumption: 128 + max_accelerated_files: 2000 + validate_timestamps: 1 + +``` + + diff --git a/docs/roles/debian/php-common.md b/docs/roles/debian/php-common.md new file mode 100644 index 000000000..a0c7a71e3 --- /dev/null +++ b/docs/roles/debian/php-common.md @@ -0,0 +1,19 @@ +# PHP common components + +Installs and configures PHP core and required components. + + + + + +## Default variables +```yaml +--- +php: + version: + - 8.1 # see https://www.php.net/supported-versions.php + apt_origin: "origin=deb.sury.org,codename=${distro_codename}" # used by apt_unattended_upgrades + +``` + + diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md new file mode 100644 index 000000000..b9c0edbd7 --- /dev/null +++ b/docs/roles/debian/php-fpm.md 
@@ -0,0 +1,67 @@ +# PHP-FPM + +Installs and configures the PHP-FPM flavour of FastCGI. + + + + + +## Default variables +```yaml +--- +php: + # see php-common for default version + fpm: + # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php + unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do + server_ip: "127.0.0.1" + tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1 + pool_user: "{{ user_deploy.username }}" + pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user + pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning + default_socket_timeout: 60 + max_children: 5 + start_servers: 2 + min_spare_servers: 1 + max_spare_servers: 3 + process_idle_timeout: 10s + max_requests: 500 + request_terminate_timeout: 0 + rlimit_core: 0 # Possible Values: 'unlimited' or an integer greater or equal to 0; Default Value: 0 + slow_log: true + request_slowlog_timeout: 0 + slowlog_file_directory: "/home/{{ user_deploy.username }}" + # PHP ini file settings + expose_php: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + error_reporting: "{% if _env_type == 'prod' %}E_ALL & ~E_DEPRECATED & ~E_STRICT{% else %}E_ALL{% endif %}" + display_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + display_startup_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + html_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + engine: "On" + short_open_tag: "Off" + max_execution_time: 120 + max_input_time: 60 + max_input_nesting_level: 64 + max_input_vars: 1000 + memory_limit: 256M + log_errors_max_len: 1024 + ignore_repeated_errors: "Off" + ignore_repeated_source: "Off" + post_max_size: 200M + upload_max_filesize: 200M + max_file_uploads: 20 + date_timezone: 
"Europe/London" + gc_maxlifetime: 1440 + cookie_lifetime: 0 + zend_assertions: -1 + session_cookie_secure: "Off" + opcache: + enable: 1 + enable_cli: 0 + memory_consumption: 128 + max_accelerated_files: 2000 + validate_timestamps: 1 + +``` + + diff --git a/docs/roles/debian/php_xdebug.md b/docs/roles/debian/php_xdebug.md index 01429f1fe..f44ff859d 100644 --- a/docs/roles/debian/php_xdebug.md +++ b/docs/roles/debian/php_xdebug.md @@ -1,6 +1,6 @@ # PHP XDebug -Installs and configure XDebug extension for PHP +Installs and configures XDebug extension for PHP. diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 4751e36bc..08130a46c 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md @@ -1,6 +1,6 @@ # NGINX -Install and configure the nginx webserver. +Install and configure the NGINX webserver. Note, the directives are mostly DENY FIRST so if you're expecting to find config that blocks a certain file extension or pattern you should consider it the other way and ensure that pattern is not *allowed* anywhere. @@ -29,6 +29,29 @@ nginx: access_log: /var/log/nginx-access.log error_log: /var/log/nginx-error.log ssl_protocols: "TLSv1.2 TLSv1.3" + sendfile: "on" + keepalive_timeout: 65 + gzip_vary: "on" + gzip_types: + - text/plain + - text/css + - text/xml + - text/javascript + - application/javascript + - application/x-javascript + - application/json + - application/xml + - application/xml+rss + - application/xhtml+xml + - application/x-font-ttf + - application/x-font-opentype + - image/svg+xml + - image/x-icon + proxy_buffer_size: 512k + proxy_buffers: "8 256k" + client_body_buffer_size: 512k + fastcgi_buffer_size: 512k + fastcgi_buffers: "8 256k" # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. 
diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index f5288d2e1..f348f9eab 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml @@ -17,6 +17,29 @@ nginx: access_log: /var/log/nginx-access.log error_log: /var/log/nginx-error.log ssl_protocols: "TLSv1.2 TLSv1.3" + sendfile: "on" + keepalive_timeout: 65 + gzip_vary: "on" + gzip_types: + - text/plain + - text/css + - text/xml + - text/javascript + - application/javascript + - application/x-javascript + - application/json + - application/xml + - application/xml+rss + - application/xhtml+xml + - application/x-font-ttf + - application/x-font-opentype + - image/svg+xml + - image/x-icon + proxy_buffer_size: 512k + proxy_buffers: "8 256k" + client_body_buffer_size: 512k + fastcgi_buffer_size: 512k + fastcgi_buffers: "8 256k" # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. diff --git a/roles/debian/nginx/tasks/domain.yml b/roles/debian/nginx/tasks/domain.yml index 57c7d7b9e..3da1f900b 100644 --- a/roles/debian/nginx/tasks/domain.yml +++ b/roles/debian/nginx/tasks/domain.yml 
@@ -1,61 +1,4 @@ --- -- name: Temporarily place a vhost for LetsEncrypt to work. - ansible.builtin.template: - src: vhost_letsencrypt.j2 - dest: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" - owner: root - group: root - mode: 0644 - when: - - domain.ssl is defined - - domain.ssl.handling == 'letsencrypt' - - domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 - -- name: Enable vhost. - ansible.builtin.file: - src: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" - dest: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" - state: link - when: - - domain.ssl is defined - - domain.ssl.handling == 'letsencrypt' - - domain.ssl.services | length > 0 - -- name: Reload the nginx service. - ansible.builtin.service: - name: nginx - state: reloaded - when: - - domain.ssl is defined - - domain.ssl.handling == 'letsencrypt' - - domain.ssl.services | length > 0 - -- name: Generates SSL keys. - ansible.builtin.include_role: - name: debian/ssl - public: true - when: domain.ssl is defined - vars: - ssl: "{{ domain.ssl }}" - -- name: Delete the link to the vhost for LetsEncrypt. - ansible.builtin.file: - path: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" - state: absent - when: - - domain.ssl is defined - - domain.ssl.handling == 'letsencrypt' - - domain.ssl.services | length > 0 - -- name: Delete the temporary vhost for LetsEncrypt. - ansible.builtin.file: - path: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" - state: absent - when: - - domain.ssl is defined - - domain.ssl.handling == 'letsencrypt' - - domain.ssl.services | length > 0 - # If auth_enabled is defined and yes, and auth_pass is not defined or is defined but empty, generate a random password. - name: Generate random htauth password. ansible.builtin.set_fact: 
@@ -119,12 +62,14 @@ owner: root group: root mode: 0644 + force: true - name: Enable vhost. ansible.builtin.file: src: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" dest: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" state: link + force: true - name: Generates AWS Cloudwatch vhost config. ansible.builtin.template: diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 384fd1dad..65f2ae662 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: Ensure nginx is installed. +- name: Ensure NGINX is installed. ansible.builtin.apt: name: nginx state: present @@ -29,13 +29,14 @@ packages: - name: passlib -- name: Copy main nginx config. +- name: Copy main NGINX config. ansible.builtin.template: src: nginx.conf.j2 dest: "/etc/nginx/nginx.conf" owner: root group: root mode: 0644 + force: true - name: Ensure passwords directory exists. ansible.builtin.file: @@ -75,17 +76,10 @@ path: "/var/log/nginx" state: directory -- name: Remove existing vhosts - ansible.builtin.file: - path: "/etc/nginx/sites-enabled" - state: absent - when: nginx.recreate_vhosts - -- name: Recreate vhosts folder +- name: Ensure vhosts folder is present. ansible.builtin.file: path: "/etc/nginx/sites-enabled" state: directory - when: nginx.recreate_vhosts - name: Check if we have an AWS Cloudwatch folder. ansible.builtin.stat: 
@@ -96,9 +90,20 @@ ansible.builtin.template: src: cloudwatch-main.json.j2 dest: /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/nginx-main.json + force: true when: - _nginx_cloudwatch_dir.stat.isdir is defined and _nginx_cloudwatch_dir.stat.isdir +- name: Generate SSL certificates. + ansible.builtin.include_tasks: ssl.yml + with_items: "{{ nginx.domains }}" + loop_control: + loop_var: domain + when: + - nginx.domains is defined + - nginx.domains | length > 0 + - nginx.recreate_vhosts + - name: Generate domain specific configuration. ansible.builtin.include_tasks: domain.yml with_items: "{{ nginx.domains }}" @@ -118,21 +123,21 @@ - nginx.overrides is defined - nginx.overrides | length > 0 -- name: Test Nginx configuration. +- name: Test NGINX configuration. ansible.builtin.command: nginx -t register: nginx_test_result failed_when: false -- name: Display Nginx test result. +- name: Display NGINX test result. ansible.builtin.debug: msg: "{{ nginx_test_result.stderr }}" -- name: Fail the playbook if Nginx test fails. +- name: Fail the playbook if NGINX test fails. ansible.builtin.fail: - msg: "Nginx configuration test failed." + msg: "NGINX configuration test failed." when: nginx_test_result.rc != 0 -- name: Ensure Nginx is restarted. +- name: Ensure NGINX is restarted. ansible.builtin.service: name: nginx state: restarted diff --git a/roles/debian/nginx/tasks/ssl.yml b/roles/debian/nginx/tasks/ssl.yml new file mode 100644 index 000000000..d5a755077 --- /dev/null +++ b/roles/debian/nginx/tasks/ssl.yml 
@@ -0,0 +1,63 @@ +--- +# If there is an existing vhost it will have LE proxy handling already. +- name: Check for an existing vhost. + ansible.builtin.stat: + path: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" + register: _nginx_vhost_link + +- name: Temporarily place a vhost for LetsEncrypt to work. + ansible.builtin.template: + src: vhost_letsencrypt.j2 + dest: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" + owner: root + group: root + mode: 0644 + when: + - domain.ssl is defined + - domain.ssl.handling == 'letsencrypt' + - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 + +- name: Enable vhost. + ansible.builtin.file: + src: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" + dest: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" + state: link + when: + - domain.ssl is defined + - domain.ssl.handling == 'letsencrypt' + - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 + +- name: Reload the nginx service. + ansible.builtin.service: + name: nginx + state: reloaded + when: + - domain.ssl is defined + - domain.ssl.handling == 'letsencrypt' + - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 + +- name: Generates SSL keys. + ansible.builtin.include_role: + name: debian/ssl + public: true + when: domain.ssl is defined + vars: + ssl: "{{ domain.ssl }}" + +- name: Delete the link to the vhost for LetsEncrypt. + ansible.builtin.file: + path: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" + state: absent + when: + - domain.ssl is defined + - domain.ssl.handling == 'letsencrypt' + - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 + +- name: Delete the temporary vhost for LetsEncrypt. 
+ ansible.builtin.file: + path: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" + state: absent + when: + - domain.ssl is defined + - domain.ssl.handling == 'letsencrypt' + - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 diff --git a/roles/debian/nginx/templates/_common.j2 b/roles/debian/nginx/templates/_common.j2 index 1df746267..79b1b114c 100644 --- a/roles/debian/nginx/templates/_common.j2 +++ b/roles/debian/nginx/templates/_common.j2 @@ -5,30 +5,20 @@ gzip_proxied any; gzip_static on; gzip_http_version 1.0; gzip_disable "MSIE [1-6]\."; -gzip_vary on; +gzip_vary {{ nginx.http.gzip_vary }}; gzip_comp_level 6; gzip_types - text/plain - text/css - text/xml - text/javascript - application/javascript - application/x-javascript - application/json - application/xml - application/xml+rss - application/xhtml+xml - application/x-font-ttf - application/x-font-opentype - image/svg+xml - image/x-icon; +{% for gzip_type in nginx.http.gzip_types %} + {{ gzip_type }}{% if loop.last %};{% endif %} + +{% endfor %} gzip_buffers 16 8k; gzip_min_length 512; -proxy_buffer_size 512k; -proxy_buffers 8 256k; -client_body_buffer_size 512k; -fastcgi_buffer_size 512k ; -fastcgi_buffers 8 256k ; +proxy_buffer_size {{ nginx.http.proxy_buffer_size }}; +proxy_buffers {{ nginx.http.proxy_buffers }}; +client_body_buffer_size {{ nginx.http.client_body_buffer_size }}; +fastcgi_buffer_size {{ nginx.http.fastcgi_buffer_size }} ; +fastcgi_buffers {{ nginx.http.fastcgi_buffers }} ; client_max_body_size {{ nginx.client_max_body_size }} ; # Disable content sniffing, since it's an attack vector. add_header X-Content-Type-Options nosniff; \ No newline at end of file diff --git a/roles/debian/nginx/templates/_common_cloudfront.j2 b/roles/debian/nginx/templates/_common_cloudfront.j2 index d3f395088..f448699e0 100644 --- a/roles/debian/nginx/templates/_common_cloudfront.j2 +++ b/roles/debian/nginx/templates/_common_cloudfront.j2 
@@ -1,11 +1,11 @@ ### {{ ansible_managed }} gzip off; -proxy_buffer_size 512k; -proxy_buffers 8 256k; -client_body_buffer_size 512k; -fastcgi_buffer_size 512k ; -fastcgi_buffers 8 256k ; +proxy_buffer_size {{ nginx.http.proxy_buffer_size }}; +proxy_buffers {{ nginx.http.proxy_buffers }}; +client_body_buffer_size {{ nginx.http.client_body_buffer_size }}; +fastcgi_buffer_size {{ nginx.http.fastcgi_buffer_size }} ; +fastcgi_buffers {{ nginx.http.fastcgi_buffers }} ; client_max_body_size {{ nginx.client_max_body_size }} ; # Disable content sniffing, since it's an attack vector. add_header X-Content-Type-Options nosniff; \ No newline at end of file diff --git a/roles/debian/nginx/templates/nginx.conf.j2 b/roles/debian/nginx/templates/nginx.conf.j2 index 251e0dff5..f64cad774 100644 --- a/roles/debian/nginx/templates/nginx.conf.j2 +++ b/roles/debian/nginx/templates/nginx.conf.j2 @@ -14,10 +14,10 @@ http { # Basic Settings ## - sendfile on; + sendfile {{ nginx.http.sendfile }}; tcp_nopush on; tcp_nodelay on; - keepalive_timeout 65; + keepalive_timeout {{ nginx.http.keepalive_timeout }}; types_hash_max_size 2048; server_tokens off; diff --git a/roles/debian/php-cli/README.md b/roles/debian/php-cli/README.md new file mode 100644 index 000000000..d8a9c8636 --- /dev/null +++ b/roles/debian/php-cli/README.md 
@@ -0,0 +1,45 @@ +# PHP terminal client + +Installs and configures terminal client for PHP. + + + + + +## Default variables +```yaml +--- +php: + cli: + expose_php: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + error_reporting: "{% if _env_type == 'prod' %}E_ALL & ~E_DEPRECATED & ~E_STRICT{% else %}E_ALL{% endif %}" + display_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + display_startup_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + html_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + engine: "On" + short_open_tag: "Off" + max_execution_time: 120 + max_input_time: 60 + max_input_nesting_level: 64 + max_input_vars: 1000 + memory_limit: -1 + log_errors_max_len: 1024 + ignore_repeated_errors: "Off" + ignore_repeated_source: "Off" + post_max_size: 200M + upload_max_filesize: 200M + max_file_uploads: 20 + date_timezone: "Europe/London" + gc_maxlifetime: 1440 + zend_assertions: -1 + overrides: {} + opcache: + enable: 1 + enable_cli: 0 + memory_consumption: 128 + max_accelerated_files: 2000 + validate_timestamps: 1 + +``` + + diff --git a/roles/debian/php-cli/defaults/main.yml b/roles/debian/php-cli/defaults/main.yml index 2e7efbeaa..797be3626 100644 --- a/roles/debian/php-cli/defaults/main.yml +++ b/roles/debian/php-cli/defaults/main.yml @@ -21,6 +21,7 @@ php: max_file_uploads: 20 date_timezone: "Europe/London" gc_maxlifetime: 1440 + zend_assertions: -1 overrides: {} opcache: enable: 1 diff --git a/roles/debian/php-cli/templates/php.cli.ini.j2 b/roles/debian/php-cli/templates/php.cli.ini.j2 index abdcaba6c..19230f2c4 100644 --- a/roles/debian/php-cli/templates/php.cli.ini.j2 +++ b/roles/debian/php-cli/templates/php.cli.ini.j2 
@@ -1526,7 +1526,7 @@ url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" ; Development Value: 1 ; Production Value: -1 ; http://php.net/zend.assertions -zend.assertions = -1 +zend.assertions = {{ php.cli.zend_assertions }} ; Assert(expr); active by default. ; http://php.net/assert.active diff --git a/roles/debian/php-common/README.md b/roles/debian/php-common/README.md new file mode 100644 index 000000000..a0c7a71e3 --- /dev/null +++ b/roles/debian/php-common/README.md @@ -0,0 +1,19 @@ +# PHP common components + +Installs and configures PHP core and required components. + + + + + +## Default variables +```yaml +--- +php: + version: + - 8.1 # see https://www.php.net/supported-versions.php + apt_origin: "origin=deb.sury.org,codename=${distro_codename}" # used by apt_unattended_upgrades + +``` + + diff --git a/roles/debian/php-fpm/README.md b/roles/debian/php-fpm/README.md new file mode 100644 index 000000000..b9c0edbd7 --- /dev/null +++ b/roles/debian/php-fpm/README.md 
@@ -0,0 +1,67 @@ +# PHP-FPM + +Installs and configures the PHP-FPM flavour of FastCGI. + + + + + +## Default variables +```yaml +--- +php: + # see php-common for default version + fpm: + # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php + unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do + server_ip: "127.0.0.1" + tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1 + pool_user: "{{ user_deploy.username }}" + pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user + pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning + default_socket_timeout: 60 + max_children: 5 + start_servers: 2 + min_spare_servers: 1 + max_spare_servers: 3 + process_idle_timeout: 10s + max_requests: 500 + request_terminate_timeout: 0 + rlimit_core: 0 # Possible Values: 'unlimited' or an integer greater or equal to 0; Default Value: 0 + slow_log: true + request_slowlog_timeout: 0 + slowlog_file_directory: "/home/{{ user_deploy.username }}" + # PHP ini file settings + expose_php: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + error_reporting: "{% if _env_type == 'prod' %}E_ALL & ~E_DEPRECATED & ~E_STRICT{% else %}E_ALL{% endif %}" + display_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + display_startup_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + html_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" + engine: "On" + short_open_tag: "Off" + max_execution_time: 120 + max_input_time: 60 + max_input_nesting_level: 64 + max_input_vars: 1000 + memory_limit: 256M + log_errors_max_len: 1024 + ignore_repeated_errors: "Off" + ignore_repeated_source: "Off" + post_max_size: 200M + upload_max_filesize: 200M + max_file_uploads: 20 + date_timezone: 
"Europe/London" + gc_maxlifetime: 1440 + cookie_lifetime: 0 + zend_assertions: -1 + session_cookie_secure: "Off" + opcache: + enable: 1 + enable_cli: 0 + memory_consumption: 128 + max_accelerated_files: 2000 + validate_timestamps: 1 + +``` + + diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml index 909b34e3a..ab3590a16 100644 --- a/roles/debian/php-fpm/defaults/main.yml +++ b/roles/debian/php-fpm/defaults/main.yml @@ -2,8 +2,26 @@ php: # see php-common for default version fpm: + # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do + server_ip: "127.0.0.1" tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1 + pool_user: "{{ user_deploy.username }}" + pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user + pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning + default_socket_timeout: 60 + max_children: 5 + start_servers: 2 + min_spare_servers: 1 + max_spare_servers: 3 + process_idle_timeout: 10s + max_requests: 500 + request_terminate_timeout: 0 + rlimit_core: 0 # Possible Values: 'unlimited' or an integer greater or equal to 0; Default Value: 0 + slow_log: true + request_slowlog_timeout: 0 + slowlog_file_directory: "/home/{{ user_deploy.username }}" + # PHP ini file settings expose_php: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" error_reporting: "{% if _env_type == 'prod' %}E_ALL & ~E_DEPRECATED & ~E_STRICT{% else %}E_ALL{% endif %}" display_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" 
@@ -23,16 +41,10 @@ php: upload_max_filesize: 200M max_file_uploads: 20 date_timezone: "Europe/London" - pool_user: "{{ user_deploy.username }}" - pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user - default_socket_timeout: 60 - max_children: 5 - start_servers: 2 - min_spare_servers: 1 - max_spare_servers: 3 - process_idle_timeout: 10s - max_requests: 500 gc_maxlifetime: 1440 + cookie_lifetime: 0 + zend_assertions: -1 + session_cookie_secure: "Off" opcache: enable: 1 enable_cli: 0 diff --git a/roles/debian/php-fpm/templates/php.fpm.ini.j2 b/roles/debian/php-fpm/templates/php.fpm.ini.j2 index b4d1185d9..c6a1a0361 100644 --- a/roles/debian/php-fpm/templates/php.fpm.ini.j2 +++ b/roles/debian/php-fpm/templates/php.fpm.ini.j2 @@ -1318,7 +1318,7 @@ session.use_strict_mode = 0 session.use_cookies = 1 ; http://php.net/session.cookie-secure -session.cookie_secure = Off +session.cookie_secure = {{ php.fpm.session_cookie_secure }} ; This option forces PHP to fetch and use a cookie for storing and maintaining ; the session id. We encourage this operation as it's very helpful in combating @@ -1337,7 +1337,7 @@ session.auto_start = 0 ; Lifetime in seconds of cookie or, if 0, until browser is restarted. ; http://php.net/session.cookie-lifetime -session.cookie_lifetime = 0 +session.cookie_lifetime = {{ php.fpm.cookie_lifetime }} ; The path for which the cookie is valid. ; http://php.net/session.cookie-path @@ -1526,7 +1526,7 @@ url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" ; Development Value: 1 ; Production Value: -1 ; http://php.net/zend.assertions -zend.assertions = -1 +zend.assertions = {{ php.fpm.zend_assertions }} ; Assert(expr); active by default. ; http://php.net/assert.active diff --git a/roles/debian/php-fpm/templates/www.conf-fixedport.j2 b/roles/debian/php-fpm/templates/www.conf-fixedport.j2 index 7d986a2b5..b8a0a8e7a 100755 --- a/roles/debian/php-fpm/templates/www.conf-fixedport.j2 
+++ b/roles/debian/php-fpm/templates/www.conf-fixedport.j2 @@ -1,7 +1,8 @@ [www] user = {{ php.fpm.pool_user }} group = {{ php.fpm.pool_group }} -listen = 127.0.0.1:{{ php.fpm.tcp_port }} +listen = {{ php.fpm.server_ip }}:{{ php.fpm.tcp_port }} + listen.owner = {{ php.fpm.pool_user }} listen.group = {{ php.fpm.pool_group }} pm = dynamic @@ -11,3 +12,10 @@ pm.min_spare_servers = {{ php.fpm.min_spare_servers }} pm.max_spare_servers = {{ php.fpm.max_spare_servers }} pm.process_idle_timeout = {{ php.fpm.process_idle_timeout }} pm.max_requests = {{ php.fpm.max_requests }} + +request_terminate_timeout = {{ php.fpm.request_terminate_timeout }} +rlimit_core = {{ php.fpm.rlimit_core }} +{% if php.fpm.slow_log %} +request_slowlog_timeout = {{ php.fpm.request_slowlog_timeout }} +slowlog = {{ php.fpm.slowlog_file_directory }}/php{{ php.version[0] }}-fpm.slow.log +{% endif %} diff --git a/roles/debian/php-fpm/templates/www.conf.j2 b/roles/debian/php-fpm/templates/www.conf.j2 index fb10d2865..7f5d4eeb5 100755 --- a/roles/debian/php-fpm/templates/www.conf.j2 +++ b/roles/debian/php-fpm/templates/www.conf.j2 
@@ -1,14 +1,21 @@ [www] user = {{ php.fpm.pool_user }} group = {{ php.fpm.pool_group }} -listen = {% if php.fpm.unix_socket %}'/var/run/php{{ version | replace('.','') }}-fpm.sock'{% else %}127.0.0.1:90{{ version | replace('.','') }}{% endif %} +listen = {% if php.fpm.unix_socket %}'/var/run/php{{ version | replace('.','') }}-fpm.sock'{% else %}{{ php.fpm.server_ip }}:90{{ version | replace('.','') }}{% endif %} listen.owner = {{ php.fpm.pool_user }} listen.group = {{ php.fpm.pool_group }} -pm = dynamic +pm = {{ php.fpm.pm }} pm.max_children = {{ php.fpm.max_children }} pm.start_servers = {{ php.fpm.start_servers }} pm.min_spare_servers = {{ php.fpm.min_spare_servers }} pm.max_spare_servers = {{ php.fpm.max_spare_servers }} pm.process_idle_timeout = {{ php.fpm.process_idle_timeout }} pm.max_requests = {{ php.fpm.max_requests }} + +request_terminate_timeout = {{ php.fpm.request_terminate_timeout }} +rlimit_core = {{ php.fpm.rlimit_core }} +{% if php.fpm.slow_log %} +request_slowlog_timeout = {{ php.fpm.request_slowlog_timeout }} +slowlog = {{ php.fpm.slowlog_file_directory }}/php{{ version }}-fpm.slow.log +{% endif %} diff --git a/roles/debian/php_xdebug/README.md b/roles/debian/php_xdebug/README.md index 01429f1fe..f44ff859d 100644 --- a/roles/debian/php_xdebug/README.md +++ b/roles/debian/php_xdebug/README.md @@ -1,6 +1,6 @@ # PHP XDebug -Installs and configure XDebug extension for PHP +Installs and configures XDebug extension for PHP. From 02de7d59ad783166e2b4253e1d256a0241d2e277 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 4 Apr 2024 13:57:37 +0200 Subject: [PATCH 099/331] Fixing timer backup job for LDAP servers. (#1574) --- docs/roles/debian/ldap_server.md | 2 ++ roles/debian/ldap_server/README.md | 2 ++ roles/debian/ldap_server/defaults/main.yml | 2 ++ roles/debian/ldap_server/tasks/main.yml | 4 ++-- roles/debian/ldap_server/templates/slap-bak.j2 | 10 +++++----- 5 files changed, 13 insertions(+), 7 deletions(-) 
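Review bot: This hunk introduces seven new template variables (`php.fpm.server_ip`, `php.fpm.pm`, `php.fpm.request_terminate_timeout`, `php.fpm.rlimit_core`, `php.fpm.slow_log`, `php.fpm.request_slowlog_timeout`, `php.fpm.slowlog_file_directory`) but no hunk in this patch adds them to `roles/debian/php-fpm/defaults/main.yml`; an undefined key aborts the template task, so either the defaults hunk is missing from the series or the keys should be guarded with `| default(...)`. Note also that `slowlog` is written as `{{ php.fpm.slowlog_file_directory }}/php{{ version }}-fpm.slow.log` here but `php{{ php.version[0] }}-fpm.slow.log` in `www.conf-fixedport.j2`, so the two templates will name the file differently for the same PHP version.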
diff --git a/docs/roles/debian/ldap_server.md b/docs/roles/debian/ldap_server.md index 2bcd0b378..62421b9be 100644 --- a/docs/roles/debian/ldap_server.md +++ b/docs/roles/debian/ldap_server.md @@ -82,6 +82,8 @@ ldap_server: purge: false backup: false # set to true to create local backups of LDAP backup_path: /opt/slap-bak + backup_script: /usr/local/bin/slap-bak # full filename of the backup script + slapcat_path: /usr/sbin # path to the location of slapcat on the server on_calendar: "*-*-* 23:45:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events # TLS settings in LDAP are not separately handled, you need to manually set it up or use the config import feature. # If you use 'manual' SSL handling you need to provide a separate CA certificate. diff --git a/roles/debian/ldap_server/README.md b/roles/debian/ldap_server/README.md index 2bcd0b378..62421b9be 100644 --- a/roles/debian/ldap_server/README.md +++ b/roles/debian/ldap_server/README.md @@ -82,6 +82,8 @@ ldap_server: purge: false backup: false # set to true to create local backups of LDAP backup_path: /opt/slap-bak + backup_script: /usr/local/bin/slap-bak # full filename of the backup script + slapcat_path: /usr/sbin # path to the location of slapcat on the server on_calendar: "*-*-* 23:45:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events # TLS settings in LDAP are not separately handled, you need to manually set it up or use the config import feature. # If you use 'manual' SSL handling you need to provide a separate CA certificate. diff --git a/roles/debian/ldap_server/defaults/main.yml b/roles/debian/ldap_server/defaults/main.yml index 249fff7ec..6924e7741 100644 --- a/roles/debian/ldap_server/defaults/main.yml +++ b/roles/debian/ldap_server/defaults/main.yml 
@@ -16,6 +16,8 @@ ldap_server: purge: false backup: false # set to true to create local backups of LDAP backup_path: /opt/slap-bak + backup_script: /usr/local/bin/slap-bak # full filename of the backup script + slapcat_path: /usr/sbin # path to the location of slapcat on the server on_calendar: "*-*-* 23:45:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events # TLS settings in LDAP are not separately handled, you need to manually set it up or use the config import feature. # If you use 'manual' SSL handling you need to provide a separate CA certificate. diff --git a/roles/debian/ldap_server/tasks/main.yml b/roles/debian/ldap_server/tasks/main.yml index e9a2ae55c..709e454a0 100644 --- a/roles/debian/ldap_server/tasks/main.yml +++ b/roles/debian/ldap_server/tasks/main.yml @@ -169,7 +169,7 @@ - name: Create the slapd backup script. ansible.builtin.template: src: slap-bak.j2 - dest: /usr/local/bin/slap-bak + dest: "{{ ldap_server.config.backup_script }}" owner: root group: root mode: 0755 @@ -181,6 +181,6 @@ vars: timers: slapd_backups: - timer_command: "/usr/local/bin/slap-bak && find /opt/slap-bak/ -type f -mtime +60 -print0 | xargs -0 -r rm" + timer_command: "{{ ldap_server.config.backup_script }} &> ldap-backup-$( date +%y%m%d-%H%M ).log && find {{ ldap_server.config.backup_path }}/ -type f -mtime +60 -print0 | xargs -0 -r rm" timer_OnCalendar: "{{ ldap_server.config.on_calendar }}" when: ldap_server.config.backup diff --git a/roles/debian/ldap_server/templates/slap-bak.j2 b/roles/debian/ldap_server/templates/slap-bak.j2 index 6ab8b38f2..759107f86 100644 --- a/roles/debian/ldap_server/templates/slap-bak.j2 +++ b/roles/debian/ldap_server/templates/slap-bak.j2 
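Review bot: The new `timer_command` in the second `tasks/main.yml` hunk uses `&>`, which is a bash extension: if the timers role executes the command through `/bin/sh` (dash on Debian), `slap-bak &> file` is parsed as `slap-bak &` (run in the background) followed by `> file`, so the `find ... -mtime +60 ... rm` runs immediately while the backup is still being written and the log file stays empty. Use `> file 2>&1` instead, which works in both shells. The log path `ldap-backup-$( date ... ).log` is also relative, so it lands in whatever working directory the unit runs with; give it an absolute path.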
@@ -1,11 +1,11 @@ #!/bin/sh BACKUPDIR="{{ ldap_server.config.backup_path }}" -mkdir -p "$BACKUPDIR" +/usr/bin/mkdir -p "$BACKUPDIR" CONFIG_LDAPBK="ldap-config-$( date +%y%m%d-%H%M ).ldif" -slapcat -n 0 > "$BACKUPDIR/$CONFIG_LDAPBK" -gzip -9 "$BACKUPDIR/$CONFIG_LDAPBK" +{{ ldap_server.config.slapcat_path }}/slapcat -n 0 > "$BACKUPDIR/$CONFIG_LDAPBK" +/usr/bin/gzip -9 "$BACKUPDIR/$CONFIG_LDAPBK" DATA_LDAPBK="ldap-data-$( date +%y%m%d-%H%M ).ldif" -slapcat -n 1 > "$BACKUPDIR/$DATA_LDAPBK" -gzip -9 "$BACKUPDIR/$DATA_LDAPBK" +{{ ldap_server.config.slapcat_path }}/slapcat -n 1 > "$BACKUPDIR/$DATA_LDAPBK" +/usr/bin/gzip -9 "$BACKUPDIR/$DATA_LDAPBK" From 4c8b3198f4b0f3bf4509aecb6cd47a4765a41d2c Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 4 Apr 2024 16:46:31 +0200 Subject: [PATCH 100/331] Ldap server schedule fixes pr 2.x (#1578) * Fixing timer backup job for LDAP servers. * Setting path to LDAP server backup log. --- roles/debian/ldap_server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/ldap_server/tasks/main.yml b/roles/debian/ldap_server/tasks/main.yml index 709e454a0..0ad8fcde6 100644 --- a/roles/debian/ldap_server/tasks/main.yml +++ b/roles/debian/ldap_server/tasks/main.yml @@ -181,6 +181,6 @@ vars: timers: slapd_backups: - timer_command: "{{ ldap_server.config.backup_script }} &> ldap-backup-$( date +%y%m%d-%H%M ).log && find {{ ldap_server.config.backup_path }}/ -type f -mtime +60 -print0 | xargs -0 -r rm" + timer_command: "{{ ldap_server.config.backup_script }} &> {{ ldap_server.config.backup_path }}/ldap-backup-$( date +%y%m%d-%H%M ).log && find {{ ldap_server.config.backup_path }}/ -type f -mtime +60 -print0 | xargs -0 -r rm" timer_OnCalendar: "{{ ldap_server.config.on_calendar }}" when: ldap_server.config.backup From c4ed98ed4549c9356f79e2f1183878194e82a133 Mon Sep 17 00:00:00 2001 
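Review bot: The `slap-bak.j2` hunk still creates the backup directory with a bare `/usr/bin/mkdir -p "$BACKUPDIR"`, so the `.ldif.gz` files, which contain the full directory including `userPassword` hashes from `slapcat -n 1`, inherit the default umask; add `-m 0700` (or a `chmod 0700` after the mkdir) and write the files with a restrictive umask so only root can read them. The script also has no `set -e`: if `slapcat` fails (wrong `slapcat_path`, database locked), an empty file is gzipped and the script exits 0, so the timer's `&&` chain still prunes the old backups and the failure goes unnoticed; `set -e` near the top and a non-zero exit on an empty dump would fix both.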
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 4 Apr 2024 17:15:50 +0200 Subject: [PATCH 101/331] Adding-ami-cleanup-role (#1580) Co-authored-by: Matej Stajduhar --- .../aws/aws_ami_asg_cleanup/defaults/main.yml | 7 +++ roles/aws/aws_ami_asg_cleanup/tasks/main.yml | 55 +++++++++++++++++++ .../templates/assume_lambda_iam_policy.j2 | 12 ++++ .../templates/cleanup_ami.py.j2 | 27 +++++++++ .../aws_ec2_autoscale_cluster/tasks/main.yml | 4 ++ 5 files changed, 105 insertions(+) create mode 100644 roles/aws/aws_ami_asg_cleanup/defaults/main.yml create mode 100644 roles/aws/aws_ami_asg_cleanup/tasks/main.yml create mode 100644 roles/aws/aws_ami_asg_cleanup/templates/assume_lambda_iam_policy.j2 create mode 100644 roles/aws/aws_ami_asg_cleanup/templates/cleanup_ami.py.j2 diff --git a/roles/aws/aws_ami_asg_cleanup/defaults/main.yml b/roles/aws/aws_ami_asg_cleanup/defaults/main.yml new file mode 100644 index 000000000..9ddead478 --- /dev/null +++ b/roles/aws/aws_ami_asg_cleanup/defaults/main.yml @@ -0,0 +1,7 @@ +aws_ami_asg_cleanup: + memory_size: 128 # Memory allocation for Lambda function in MB + timeout: 30 # Time in seconds, max is 900 + handler: "clean_up_ami.lambda_handler" # Change this only if the main_file.main_function name is changed + runtime: "python3.12" # If the python version changes we need to update this as well + keep_backups: 10 + scheduler_cron: "cron(0 16 ? * SUN *)" diff --git a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml new file mode 100644 index 000000000..ce90e52ed --- /dev/null +++ b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml 
@@ -0,0 +1,55 @@ +--- +- name: Create a role and attach policies + amazon.aws.iam_role: + name: LambdaAsgAmiCleanupRole + assume_role_policy_document: "{{ lookup('file', 'assume_lambda_iam_policy.j2') }}" + managed_policies: + - arn:aws:iam::aws:policy/AmazonEC2FullAccess + - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess + register: _created_iam_lambda_cleanup_role + +- name: Ensure python script is removed + ansible.builtin.file: + path: "{{ _ce_provision_build_dir }}/clean_up_ami.py" + state: absent + +- name: Ensure zip file is removed + ansible.builtin.file: + path: "{{ _ce_provision_build_dir }}/clean_up_ami.zip" + state: absent + +- name: Write Lambda function + ansible.builtin.template: + src: cleanup_ami.py.j2 + dest: "{{ _ce_provision_build_dir }}/clean_up_ami.py" + +- name: Create a zip archive of cleanup_ami.py + community.general.archive: + path: "{{ _ce_provision_build_dir }}/clean_up_ami.py" + dest: "{{ _ce_provision_build_dir }}/clean_up_ami.zip" + format: zip + +- name: Create Lambda function + amazon.aws.lambda: + name: "clean_up_ami" + region: "{{ _aws_region }}" + timeout: "{{ aws_ami_asg_cleanup.timeout }}" + state: present + zip_file: "{{ _ce_provision_build_dir }}/clean_up_ami.zip" + runtime: "{{ aws_ami_asg_cleanup.runtime }}" + role: "{{ _created_iam_lambda_cleanup_role.iam_role.arn }}" + handler: '{{ aws_ami_asg_cleanup.handler }}' + tags: + Test: 'This is test tag' + register: _created_iam_lambda_cleanup_function + +- name: Create scheduler to invoke Lambda function + amazon.aws.cloudwatchevent_rule: + name: cleanup_asg_ami + schedule_expression: "{{ aws_ami_asg_cleanup.scheduler_cron }}" + description: Clean up ASG AMIs + region: "{{ _aws_region }}" + targets: + - id: 'clean_up_ami' + arn: "{{ _created_iam_lambda_cleanup_function.configuration.function_arn }}" + input: '{"asg_name": "{{ _domain_name | regex_replace("\.", "-") }}"}' 
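Review bot: The IAM role in the first task is attached to `AmazonEC2FullAccess` and `CloudWatchLogsFullAccess`, far more than the function needs: `cleanup_ami.py.j2` calls only `describe_images` and `deregister_image`, so an inline policy allowing `ec2:DescribeImages`, `ec2:DeregisterImage` (plus `ec2:DeleteSnapshot` if snapshot cleanup is added) and the three `logs:Create*/PutLogEvents` actions scoped to the function's log group is sufficient, and a compromised function then cannot touch instances, security groups or other AMIs. Two smaller points in the same file: `Test: 'This is test tag'` looks like a leftover, and the `input:` line hand-builds JSON with string concatenation; `{{ {'asg_name': _domain_name | regex_replace('\.', '-')} | to_json }}` produces correctly escaped output.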
diff --git a/roles/aws/aws_ami_asg_cleanup/templates/assume_lambda_iam_policy.j2 b/roles/aws/aws_ami_asg_cleanup/templates/assume_lambda_iam_policy.j2 new file mode 100644 index 000000000..fd267525d --- /dev/null +++ b/roles/aws/aws_ami_asg_cleanup/templates/assume_lambda_iam_policy.j2 @@ -0,0 +1,12 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} diff --git a/roles/aws/aws_ami_asg_cleanup/templates/cleanup_ami.py.j2 b/roles/aws/aws_ami_asg_cleanup/templates/cleanup_ami.py.j2 new file mode 100644 index 000000000..a11bb9e3c --- /dev/null +++ b/roles/aws/aws_ami_asg_cleanup/templates/cleanup_ami.py.j2 @@ -0,0 +1,27 @@ +import json +import boto3 + +def lambda_handler(event, context): + ec2 = boto3.client("ec2", "{{ _aws_region }}") + + images = ec2.describe_images( + Filters=[ + { + 'Name': 'tag:Name', + 'Values': [ + event['asg_name'] + '*' + ] + } + ] + ) + + # Order AMIs by CreationDate + ordered_images = sorted(images['Images'], key=lambda d: d['CreationDate']) + + # Remove latest 10 AMIs from list + ordered_images = ordered_images[:len(ordered_images)-{{ aws_ami_asg_cleanup.keep_backups }}] + + for x in ordered_images: + ec2.deregister_image(ImageId=x['ImageId']) + + print(len(ordered_images)) diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index 9f29692ff..dd9172cc0 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml @@ -291,6 +291,10 @@ - aws_ec2_autoscale_cluster.type == "ec2" - aws_ec2_autoscale_cluster.deploy_cluster +- name: Create ami cleanup function + ansible.builtin.include_role: + name: aws/aws_ami_asg_cleanup + - name: Gather IAM role info. amazon.aws.iam_role_info: profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" From 37f0157781aa9f5f0e2c2ab4747e9f572233d001 Mon Sep 17 00:00:00 2001 
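Review bot: The slice `ordered_images[:len(ordered_images)-{{ aws_ami_asg_cleanup.keep_backups }}]` in `cleanup_ami.py.j2` is wrong whenever fewer than `keep_backups` images exist: the end index goes negative and Python counts from the end, so with 7 images and `keep_backups: 10` the slice is `[:-3]` and the four oldest AMIs are deregistered even though nothing should be removed. Use `ordered_images[:max(len(ordered_images) - keep, 0)]`. Two further points: `deregister_image` does not delete the EBS snapshots backing the AMI, so they accumulate (and keep the data around) unless `BlockDeviceMappings[].Ebs.SnapshotId` is collected before deregistering and passed to `delete_snapshot`; and the filter `event['asg_name'] + '*'` is a prefix match, so an ASG whose Name tag starts with another cluster's name (a `-staging` sibling, say) would have its AMIs pruned by the wrong schedule. `import json` is unused.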
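Review bot: The new `include_role` for `aws/aws_ami_asg_cleanup` in `aws_ec2_autoscale_cluster/tasks/main.yml` has no `when:`, while the surrounding tasks are gated on `aws_ec2_autoscale_cluster.type == "ec2"` and `aws_ec2_autoscale_cluster.deploy_cluster`; as written the IAM role, Lambda and schedule are created even for clusters that are not being deployed. Apply the same two conditions to the include.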
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 4 Apr 2024 18:40:24 +0200 Subject: [PATCH 102/331] Adding ami cleanup role 2.x pr 2.x (#1582) * Adding-ami-cleanup-role * adding-domain-name-in-scheduler-to-differ-if-multiple-ASGs-are-in-same-region --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_ami_asg_cleanup/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml index ce90e52ed..fefa73bb0 100644 --- a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml +++ b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml @@ -45,7 +45,7 @@ - name: Create scheduler to invoke Lambda function amazon.aws.cloudwatchevent_rule: - name: cleanup_asg_ami + name: "cleanup_asg_ami_{{ _domain_name }}" schedule_expression: "{{ aws_ami_asg_cleanup.scheduler_cron }}" description: Clean up ASG AMIs region: "{{ _aws_region }}" From c3ae7e7ac2aeb7fc042f83182fb55793f3cf5d0e Mon Sep 17 00:00:00 2001 
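Review bot: Suffixing the rule name with `_domain_name` fixes the schedule collision, but the Lambda itself is still created as the fixed name `clean_up_ami`, and its rendered code embeds `{{ _aws_region }}` and `{{ aws_ami_asg_cleanup.keep_backups }}` at template time; with several clusters in one region the last provisioning run overwrites the function for all of them, so a cluster-specific `keep_backups` silently becomes whichever value was deployed last. Either name the function per domain as well, or move `keep_backups` into the event `input` so one function serves every schedule.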
From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Fri, 5 Apr 2024 10:46:56 +0300 Subject: [PATCH 103/331] r68801-improve-caching-behavior-and-some-nginx-fixes (#1572) * r68801-improve-caching-behavior-and-some-nginx-fixes * r68801-improve-caching-behavior-and-some-nginx-fixes * add_header to variable * add_header to variable * remove extra ; * MOAR blocks --- roles/debian/nginx/defaults/main.yml | 2 + roles/debian/nginx/tasks/domain.yml | 91 +++++++++---------- roles/debian/nginx/tasks/main.yml | 2 +- roles/debian/nginx/tasks/ssl.yml | 69 ++++++-------- roles/debian/nginx/templates/_common.j2 | 2 +- .../nginx/templates/_common_cloudfront.j2 | 11 --- roles/debian/nginx/templates/drupal10.j2 | 14 ++- roles/debian/nginx/templates/drupal_common.j2 | 11 ++- .../nginx/templates/vhost_letsencrypt.j2 | 2 +- roles/debian/nginx/templates/vhosts.j2 | 4 - 10 files changed, 98 insertions(+), 110 deletions(-) delete mode 100644 roles/debian/nginx/templates/_common_cloudfront.j2 diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index f348f9eab..dc18d90ba 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml @@ -40,6 +40,8 @@ nginx: client_body_buffer_size: 512k fastcgi_buffer_size: 512k fastcgi_buffers: "8 256k" + cache_behavior_private: "add_header Cache-Control \"private, max-age=604800\"" + cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\"" # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. diff --git a/roles/debian/nginx/tasks/domain.yml b/roles/debian/nginx/tasks/domain.yml index 3da1f900b..be355855e 100644 --- a/roles/debian/nginx/tasks/domain.yml +++ b/roles/debian/nginx/tasks/domain.yml 
@@ -1,59 +1,54 @@ --- -# If auth_enabled is defined and yes, and auth_pass is not defined or is defined but empty, generate a random password. -- name: Generate random htauth password. - ansible.builtin.set_fact: - _nginx_htauth_pass: "{{ lookup('password', _ce_provision_data_dir + '/' + inventory_hostname + '/nginx-passwords/' + domain.server_name) }}" +- name: Set up basic auth. when: - domain.basic_auth.auth_enabled is defined - domain.basic_auth.auth_enabled - - domain.basic_auth.auth_pass is not defined or domain.basic_auth.auth_pass | length == 0 + block: + # If auth_enabled is defined and yes, and auth_pass is not defined or is defined but empty, generate a random password. + - name: Generate random htauth password. + ansible.builtin.set_fact: + _nginx_htauth_pass: "{{ lookup('password', _ce_provision_data_dir + '/' + inventory_hostname + '/nginx-passwords/' + domain.server_name) }}" + when: + - domain.basic_auth.auth_pass is not defined or domain.basic_auth.auth_pass | length == 0 -# If auth_enabled is defined and yes, and auth_pass is defined and not empty, use that password instead. -- name: Set fact if htauth password is provided. - ansible.builtin.set_fact: - _nginx_htauth_pass: "{{ domain.basic_auth.auth_pass }}" - when: - - domain.basic_auth.auth_enabled is defined - - domain.basic_auth.auth_enabled - - domain.basic_auth.auth_pass is defined - - domain.basic_auth.auth_pass | length > 0 + # If auth_enabled is defined and yes, and auth_pass is defined and not empty, use that password instead. + - name: Set fact if htauth password is provided. + ansible.builtin.set_fact: + _nginx_htauth_pass: "{{ domain.basic_auth.auth_pass }}" + when: + - domain.basic_auth.auth_pass is defined + - domain.basic_auth.auth_pass | length > 0 -- name: Print basic htauth password. 
- ansible.builtin.debug: - msg: Basic auth password is {{ _nginx_htauth_pass }} - when: - - domain.basic_auth.auth_enabled is defined - - domain.basic_auth.auth_enabled - - _nginx_htauth_pass is defined + - name: Print basic htauth password. + ansible.builtin.debug: + msg: Basic auth password is {{ _nginx_htauth_pass }} + when: + - _nginx_htauth_pass is defined -# Create a basic htauth file if a username is supplied. -- name: Create basic htauth file. - community.general.web_infrastructure.htpasswd: - path: "/etc/nginx/passwords/{{ domain.server_name }}.htpasswd" - name: "{{ domain.basic_auth.auth_user }}" - password: "{{ _nginx_htauth_pass }}" - owner: root - group: root - mode: 0644 - when: - - domain.basic_auth.auth_enabled is defined - - domain.basic_auth.auth_enabled - - domain.basic_auth.auth_user is defined - - domain.basic_auth.auth_user | length > 0 + # Create a basic htauth file if a username is supplied. + - name: Create basic htauth file. + community.general.web_infrastructure.htpasswd: + path: "/etc/nginx/passwords/{{ domain.server_name }}.htpasswd" + name: "{{ domain.basic_auth.auth_user }}" + password: "{{ _nginx_htauth_pass }}" + owner: root + group: root + mode: 0644 + when: + - domain.basic_auth.auth_user is defined + - domain.basic_auth.auth_user | length > 0 -# Place provided basic htauth file if a path is supplied. -- name: Copy basic htauth file to server. - ansible.builtin.copy: - src: "{{ domain.basic_auth.auth_file }}" - dest: "/etc/nginx/passwords/{{ domain.server_name }}.provided.htpasswd" - owner: root - group: root - mode: 0644 - when: - - domain.basic_auth.auth_enabled is defined - - domain.basic_auth.auth_enabled - - domain.basic_auth.auth_file is defined - - domain.basic_auth.auth_file | length > 0 + # Place provided basic htauth file if a path is supplied. + - name: Copy basic htauth file to server. 
+ ansible.builtin.copy: + src: "{{ domain.basic_auth.auth_file }}" + dest: "/etc/nginx/passwords/{{ domain.server_name }}.provided.htpasswd" + owner: root + group: root + mode: 0644 + when: + - domain.basic_auth.auth_file is defined + - domain.basic_auth.auth_file | length > 0 - name: Copy vhost in place. ansible.builtin.template: diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 65f2ae662..04c2bbc3e 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -54,7 +54,6 @@ force: true with_items: - _common - - _common_cloudfront - custom - docker_registry - drupal_common @@ -100,6 +99,7 @@ loop_control: loop_var: domain when: + - domain.ssl is defined - nginx.domains is defined - nginx.domains | length > 0 - nginx.recreate_vhosts diff --git a/roles/debian/nginx/tasks/ssl.yml b/roles/debian/nginx/tasks/ssl.yml index d5a755077..518aa7fc6 100644 --- a/roles/debian/nginx/tasks/ssl.yml +++ b/roles/debian/nginx/tasks/ssl.yml 
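Review bot: The `Print basic htauth password.` task carried into the new block writes the generated or supplied password to the Ansible output, where it ends up in CI logs and any log aggregation; if the value needs surfacing, `no_log: true` on the `set_fact`/`htpasswd` tasks plus a pointer to the file under `_ce_provision_data_dir` is enough, and the debug task can go. The restructuring into a `block:` with the shared `auth_enabled` conditions is otherwise a clear improvement.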
@@ -5,59 +5,48 @@ path: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" register: _nginx_vhost_link -- name: Temporarily place a vhost for LetsEncrypt to work. - ansible.builtin.template: - src: vhost_letsencrypt.j2 - dest: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" - owner: root - group: root - mode: 0644 +- name: LetsEncrypt create vhosts. when: - - domain.ssl is defined - domain.ssl.handling == 'letsencrypt' - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 + block: + - name: Temporarily place a vhost for LetsEncrypt to work. + ansible.builtin.template: + src: vhost_letsencrypt.j2 + dest: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" + owner: root + group: root + mode: 0644 -- name: Enable vhost. - ansible.builtin.file: - src: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" - dest: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" - state: link - when: - - domain.ssl is defined - - domain.ssl.handling == 'letsencrypt' - - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 + - name: Enable vhost. + ansible.builtin.file: + src: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" + dest: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" + state: link -- name: Reload the nginx service. - ansible.builtin.service: - name: nginx - state: reloaded - when: - - domain.ssl is defined - - domain.ssl.handling == 'letsencrypt' - - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 + - name: Reload the nginx service. + ansible.builtin.service: + name: nginx + state: reloaded - name: Generates SSL keys. ansible.builtin.include_role: name: debian/ssl public: true - when: domain.ssl is defined vars: ssl: "{{ domain.ssl }}" -- name: Delete the link to the vhost for LetsEncrypt. 
- ansible.builtin.file: - path: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" - state: absent +- name: LetsEncrypt cleanup vhosts. when: - - domain.ssl is defined - domain.ssl.handling == 'letsencrypt' - - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 + - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 + block: + - name: Delete the link to the vhost for LetsEncrypt. + ansible.builtin.file: + path: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" + state: absent -- name: Delete the temporary vhost for LetsEncrypt. - ansible.builtin.file: - path: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" - state: absent - when: - - domain.ssl is defined - - domain.ssl.handling == 'letsencrypt' - - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 + - name: Delete the temporary vhost for LetsEncrypt. + ansible.builtin.file: + path: "/etc/nginx/sites-available/{{ domain.server_name }}.conf" + state: absent diff --git a/roles/debian/nginx/templates/_common.j2 b/roles/debian/nginx/templates/_common.j2 index 79b1b114c..6129a309d 100644 --- a/roles/debian/nginx/templates/_common.j2 +++ b/roles/debian/nginx/templates/_common.j2 @@ -3,7 +3,7 @@ gzip on; gzip_proxied any; gzip_static on; -gzip_http_version 1.0; +gzip_http_version 1.1; gzip_disable "MSIE [1-6]\."; gzip_vary {{ nginx.http.gzip_vary }}; gzip_comp_level 6; diff --git a/roles/debian/nginx/templates/_common_cloudfront.j2 b/roles/debian/nginx/templates/_common_cloudfront.j2 deleted file mode 100644 index f448699e0..000000000 --- a/roles/debian/nginx/templates/_common_cloudfront.j2 +++ /dev/null 
@@ -1,11 +0,0 @@ -### {{ ansible_managed }} - -gzip off; -proxy_buffer_size {{ nginx.http.proxy_buffer_size }}; -proxy_buffers {{ nginx.http.proxy_buffers }}; -client_body_buffer_size {{ nginx.http.client_body_buffer_size }}; -fastcgi_buffer_size {{ nginx.http.fastcgi_buffer_size }} ; -fastcgi_buffers {{ nginx.http.fastcgi_buffers }} ; -client_max_body_size {{ nginx.client_max_body_size }} ; -# Disable content sniffing, since it's an attack vector. -add_header X-Content-Type-Options nosniff; \ No newline at end of file diff --git a/roles/debian/nginx/templates/drupal10.j2 b/roles/debian/nginx/templates/drupal10.j2 index b9aac5f1b..2bef01860 100644 --- a/roles/debian/nginx/templates/drupal10.j2 +++ b/roles/debian/nginx/templates/drupal10.j2 
@@ -97,25 +97,35 @@ location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tin # Allow private files support location ~* ^/system/files/.*\.(png|jpg|jpeg|gif|ico|svg)$ { # If the image does not exist, it must be a private file. try_files $uri @rewrite; - expires 7d; +{% if nginx.http.cache_behavior_private %} + {{ nginx.http.cache_behavior_private }}; +{% endif %} log_not_found off; } # For Drupal 10 onwards this has changed - see https://www.drupal.org/node/2888767#nginx-php-fpm location ~ ^/sites/.*/files/(css|js|styles)/ { try_files $uri @rewrite_drupal10; - expires 7d; +{% if nginx.http.cache_behavior_public %} + {{ nginx.http.cache_behavior_public }}; +{% endif %} } # Allow public files and image styles. location ~ ^/sites/.*/files/.* { try_files $uri @rewrite; +{% if nginx.http.cache_behavior_public %} + {{ nginx.http.cache_behavior_public }}; +{% endif %} } # This Nginx config is DENY FIRST, so only these file extensions are permitted. # Core and contrib assets can be pretty much anywhere. location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|eot|woff2|ttf|otf)$ { try_files $uri @rewrite =404; +{% if nginx.http.cache_behavior_public %} + {{ nginx.http.cache_behavior_public }}; +{% endif %} } # Allow robots.txt. diff --git a/roles/debian/nginx/templates/drupal_common.j2 b/roles/debian/nginx/templates/drupal_common.j2 index dee6f0af9..e87a61702 100644 --- a/roles/debian/nginx/templates/drupal_common.j2 +++ b/roles/debian/nginx/templates/drupal_common.j2 
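Review bot: Swapping `expires 7d;` for `{{ nginx.http.cache_behavior_* }}` (an `add_header Cache-Control ...`) changes header inheritance: in nginx a location that contains any `add_header` stops inheriting every `add_header` from the `server` and `http` levels, so the static-file locations in this hunk will no longer carry security headers (`X-Content-Type-Options`, `Strict-Transport-Security` and the like) set further up. Either keep `expires` (which has no such side effect and also emits `Cache-Control: max-age`), or include the shared header snippet inside each of these locations. The `cache_behavior_private` variable also makes `max-age=604800` for private files configurable only by editing the whole directive string; a separate max-age value would be easier to override safely.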
@@ -89,19 +89,26 @@ location ~* /(?:modules|libraries)/(?:contrib/)?(?:ad|tinybrowser|f?ckeditor|tin # Allow public files and image styles. location ~ ^/sites/.*/files/.* { try_files $uri @rewrite; +{% if nginx.http.cache_behavior_public %} + {{ nginx.http.cache_behavior_public }}; +{% endif %} } # Allow private files support location ~* ^/system/files/.*\.(png|jpg|jpeg|gif|ico|svg)$ { # If the image does not exist, it must be a private file. try_files $uri @rewrite; - expires 7d; - log_not_found off; +{% if nginx.http.cache_behavior_private %} + {{ nginx.http.cache_behavior_private }}; +{% endif %} } # This Nginx config is DENY FIRST, so only these file extensions are permitted. # Core and contrib assets can be pretty much anywhere. location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|eot|woff2|ttf|otf)$ { try_files $uri @rewrite =404; +{% if nginx.http.cache_behavior_public %} + {{ nginx.http.cache_behavior_public }}; +{% endif %} } # Allow robots.txt. diff --git a/roles/debian/nginx/templates/vhost_letsencrypt.j2 b/roles/debian/nginx/templates/vhost_letsencrypt.j2 index 72a5cdd45..b3f85d544 100644 --- a/roles/debian/nginx/templates/vhost_letsencrypt.j2 +++ b/roles/debian/nginx/templates/vhost_letsencrypt.j2 @@ -1,7 +1,7 @@ ### {{ ansible_managed }} server { - listen 443; + listen 80; server_name {{ domain.server_name }}; error_log {{ domain.error_log }} {{ domain.error_log_level }}; access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }}; diff --git a/roles/debian/nginx/templates/vhosts.j2 b/roles/debian/nginx/templates/vhosts.j2 index d16b3df96..9cf7b514a 100644 --- a/roles/debian/nginx/templates/vhosts.j2 +++ b/roles/debian/nginx/templates/vhosts.j2 
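Review bot: In the `drupal_common.j2` hunk the private-files location loses `log_not_found off;` along with `expires 7d;` (both are `-` lines, only the cache directive comes back), whereas the matching `drupal10.j2` hunk keeps it; that is almost certainly unintended and will fill the error log with 404 noise for every private file served through `@rewrite`. The `add_header` inheritance caveat raised for `drupal10.j2` applies to all three locations here too.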
@@ -28,11 +28,7 @@ server { access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }}; root "{{ domain.webroot }}"; include "/etc/nginx/conf.d/{{ domain.project_type }}"; -{% if domain.is_behind_cloudfront is defined and domain.is_behind_cloudfront %} - include "/etc/nginx/conf.d/_common_cloudfront"; -{% else %} include "/etc/nginx/conf.d/_common"; -{% endif %} {% if domain.ssl is defined and domain.ssl.handling == 'letsencrypt' %} {% if domain.ssl.web_server | default('standalone') == 'standalone' %} # Proxy for certbot (LetsEncrypt) From cf5191aebddfffa222aae62757f33912c481d27b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Fri, 5 Apr 2024 10:08:08 +0200 Subject: [PATCH 104/331] moving-assume-role-to-files-folder (#1588) * moving-assume-role-to-files-folder * Changing-lookup-function * Changing-lookup-function-2 --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_ami_asg_cleanup/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml index fefa73bb0..0c358cd20 100644 --- a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml +++ b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml @@ -2,7 +2,7 @@ - name: Create a role and attach policies amazon.aws.iam_role: name: LambdaAsgAmiCleanupRole - assume_role_policy_document: "{{ lookup('file', 'assume_lambda_iam_policy.j2') }}" + assume_role_policy_document: "{{ lookup('template', 'assume_lambda_iam_policy.j2') }}" managed_policies: - arn:aws:iam::aws:policy/AmazonEC2FullAccess - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess From 33f2e46ec85d589ec22867d46aa55cf2e9d65b1d Mon Sep 17 00:00:00 2001 
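Review bot: Removing the `is_behind_cloudfront` branch from `vhosts.j2` together with deleting `_common_cloudfront.j2` means any inventory still setting `domain.is_behind_cloudfront` silently gets the regular `_common` include; the deleted file carried `gzip off;` and `add_header X-Content-Type-Options nosniff;`, so unless `_common.j2` sets `nosniff` as well (not visible in this series), CloudFront-fronted sites lose that header. Either confirm `_common.j2` emits it or add a deprecation note for the variable in the role README.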
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Fri, 5 Apr 2024 13:42:34 +0200 Subject: [PATCH 105/331] Adding-retry-and-delay-on-lambda-creation-due-to-IAM-role-creation (#1593) Co-authored-by: Matej Stajduhar --- roles/aws/aws_ami_asg_cleanup/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml index 0c358cd20..67ec764b4 100644 --- a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml +++ b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml @@ -41,6 +41,8 @@ handler: '{{ aws_ami_asg_cleanup.handler }}' tags: Test: 'This is test tag' + retries: 5 + delay: 10 register: _created_iam_lambda_cleanup_function - name: Create scheduler to invoke Lambda function From cc2250d217d7cfadc13c3b58d92c2778278128e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Fri, 5 Apr 2024 16:35:48 +0200 Subject: [PATCH 106/331] Adding-wait-task-prior-to-lambda-creation (#1595) Co-authored-by: Matej Stajduhar --- roles/aws/aws_ami_asg_cleanup/tasks/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml index 67ec764b4..5764a268f 100644 --- a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml +++ b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml @@ -29,6 +29,10 @@ dest: "{{ _ce_provision_build_dir }}/clean_up_ami.zip" format: zip +- name: Sleep for 100 seconds for IAM before Lambda creation + ansible.builtin.wait_for: + timeout: 100 + - name: Create Lambda function amazon.aws.lambda: name: "clean_up_ami" @@ -41,8 +45,6 @@ handler: '{{ aws_ami_asg_cleanup.handler }}' tags: Test: 'This is test tag' - retries: 5 - delay: 10 register: _created_iam_lambda_cleanup_function - name: Create scheduler to invoke Lambda function From b0842704e29fceabe757347ca3ff9c4c496906e8 Mon Sep 17 00:00:00 2001 
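Review bot: Replacing `retries: 5` / `delay: 10` with a fixed `wait_for: timeout: 100` trades one race for another: IAM role propagation to Lambda is eventually consistent with no fixed upper bound, so a sleep is sometimes too short and always wastes time when it is too long. The idiomatic form is to keep the Lambda task as the retried one and give it an `until:` condition, for example `until: _created_iam_lambda_cleanup_function is not failed` with `retries: 10` and `delay: 10`, so creation proceeds as soon as the role is usable.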
From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Fri, 5 Apr 2024 18:11:33 +0300 Subject: [PATCH 107/331] nginx-config-backup-and-cleaup-vhosts-on-rebuild (#1590) * nginx-config-backup-and-cleaup-vhosts-on-rebuild * change module from command to unarchive * change module from command to unarchive --- roles/debian/nginx/tasks/main.yml | 36 ++++++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 04c2bbc3e..ac8bc363c 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -29,6 +29,18 @@ packages: - name: passlib +- name: Backup the whole NGINX config with vhosts. + ansible.builtin.command: "tar -czf /home/{{ _ce_provision_username }}/nginx_backup.tar.gz /etc/nginx/" + +- name: Test NGINX configuration. + ansible.builtin.command: nginx -t + register: nginx_test_result + failed_when: false + +- name: Display current NGINX config test result. + ansible.builtin.debug: + msg: "{{ nginx_test_result.stderr }}" + - name: Copy main NGINX config. ansible.builtin.template: src: nginx.conf.j2 @@ -75,6 +87,12 @@ path: "/var/log/nginx" state: directory +- name: Remove existing vhosts. + ansible.builtin.file: + path: "/etc/nginx/sites-enabled" + state: absent + when: nginx.recreate_vhosts + - name: Ensure vhosts folder is present. ansible.builtin.file: path: "/etc/nginx/sites-enabled" 
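Review bot: `Backup the whole NGINX config with vhosts.` writes a tarball of `/etc/nginx/` into `/home/{{ _ce_provision_username }}/` with whatever umask `command` inherits; `/etc/nginx` holds the `passwords/*.htpasswd` files referenced by `vhosts.j2` and may hold private keys, so the archive should not sit in a non-root home directory under a fixed, predictable name. Put it under `/root` or `/var/backups` with `mode: '0600'` (for example `community.general.archive` with `path: /etc/nginx`, `dest: /var/backups/nginx_backup.tar.gz`, `mode: '0600'`). Note too that `command` with `tar` is never idempotent, so the task reports changed on every run and overwrites the previous backup, including on the run that later fails `nginx -t`.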
@@ -132,12 +150,20 @@ ansible.builtin.debug: msg: "{{ nginx_test_result.stderr }}" -- name: Fail the playbook if NGINX test fails. - ansible.builtin.fail: - msg: "NGINX configuration test failed." - when: nginx_test_result.rc != 0 - - name: Ensure NGINX is restarted. ansible.builtin.service: name: nginx state: restarted + when: nginx_test_result.rc == 0 + +- name: Restore previous NGINX config from backup if test fails. + ansible.builtin.unarchive: + src: /home/{{ _ce_provision_username }}/nginx_backup.tar.gz + dest: / + remote_src: true + when: nginx_test_result.rc != 0 + +- name: Fail the playbook after restore. + ansible.builtin.fail: + msg: "NGINX configuration test failed. Previous configuration was restored. You need to check it manually." + when: nginx_test_result.rc != 0 From fa9a53791145818005841327f45793e5c9089dbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Tue, 9 Apr 2024 09:59:06 +0200 Subject: [PATCH 108/331] Adding-CF-S3-logging (#1596) Co-authored-by: Matej Stajduhar --- roles/aws/aws_ami_asg_cleanup/tasks/main.yml | 4 +-- .../defaults/main.yml | 31 ------------------- .../tasks/main.yml | 25 +++++++++++++-- 3 files changed, 25 insertions(+), 35 deletions(-) diff --git a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml index 5764a268f..9c1c8f6ec 100644 --- a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml +++ b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml @@ -29,9 +29,9 @@ dest: "{{ _ce_provision_build_dir }}/clean_up_ami.zip" format: zip -- name: Sleep for 100 seconds for IAM before Lambda creation +- name: Sleep for 30 seconds for IAM before Lambda creation ansible.builtin.wait_for: - timeout: 100 + timeout: 30 - name: Create Lambda function amazon.aws.lambda: diff --git a/roles/aws/aws_cloudfront_distribution/defaults/main.yml b/roles/aws/aws_cloudfront_distribution/defaults/main.yml index 127152b41..6a015b54b 100644 
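Review bot: `Restore previous NGINX config from backup if test fails.` unpacks over `/` but does not remove what this run added; `unarchive` overlays files, so a newly templated vhost in `/etc/nginx/sites-enabled` that caused the `nginx -t` failure survives the rollback, and the restored tree is never re-tested before `Fail the playbook after restore.` runs. Remove `/etc/nginx/sites-enabled` (or the whole `/etc/nginx`) before extracting, then run `nginx -t` again and only report a successful restore if it passes. Separately, extracting with `remote_src: true` from a path under `/home/{{ _ce_provision_username }}/` as root to `dest: /` means anyone who can write to that home directory can replace the tarball and have it unpacked over `/etc` on the next failed run; keep the backup in a root-owned location.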
--- a/roles/aws/aws_cloudfront_distribution/defaults/main.yml +++ b/roles/aws/aws_cloudfront_distribution/defaults/main.yml @@ -1,30 +1,4 @@ --- -# Uncomment cf_acl to create firewall rules for Cloudfront distro -#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int) -#cf_acl: -# acl_name: "dummy_master_acl" -# scope: "CLOUDFRONT" # Can be "REGIONAL" -# region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped -# -# ip_allow -# name: "Allowed-ips" -# list: -# - 1.1.1.1/32 -# - 2.2.2.2/32 -# - 3.3.3.3/32 -# -# ip_block: -# name: "Blocked-ips" -# list: -# - 4.4.4.4/32 -# - 5.5.5.5/32 -# - 6.6.6.6/32 -# -# cc_block_list: -# - BY # Belarus -# - CN # China -# - IR # Iran -# - SA # Saudi Arabia aws_cloudfront_distribution: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" @@ -87,8 +61,3 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. -# logging: -# bucket: "" # URL of S3 bucket to store logs -# enabled: false # Set true to allow logging -# include_cookies: false # Set true to add cookies in logs -# prefix: "" # Prefix for S3 object names \ No newline at end of file diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml index 49b0ea331..4613e23f2 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml 
@@ -6,6 +6,27 @@ - aws_acl is defined - aws_acl.scope == 'CLOUDFRONT' +# Creating bucket for CF logging +- name: Create S3 bucket if it does not exist + amazon.aws.s3_bucket: + name: "{{ _domain_name }}-cf-log" + state: present + object_ownership: "BucketOwnerPreferred" + +- name: Create S3 bucket prefix + amazon.aws.s3_object: + bucket: "{{ _domain_name }}-cf-log" + object: "cf-logging/" + mode: "create" + +- name: Creating dictionary for CF logging + ansible.builtin.set_fact: + _cf_s3_log: + bucket: "{{ _domain_name }}-cf-log.s3.amazonaws.com" # URL of S3 bucket to store logs + enabled: true # Set true to allow logging + include_cookies: false # Set true to add cookies in logs + prefix: "cf-logging/" # Prefix for S3 object names + - name: Create a CloudFront distribution. community.aws.cloudfront_distribution: profile: "{{ aws_cloudfront_distribution.aws_profile }}" @@ -22,7 +43,7 @@ purge_origins: "{{ aws_cloudfront_distribution.purge_existing }}" purge_aliases: "{{ aws_cloudfront_distribution.purge_existing }}" purge_tags: "{{ aws_cloudfront_distribution.purge_existing }}" - logging: "{{ aws_cloudfront_distribution.logging | default(omit) }}" + logging: "{{ _cf_s3_log }}" purge_cache_behaviors: "{{ aws_cloudfront_distribution.purge_existing }}" enabled: "{{ aws_cloudfront_distribution.enabled }}" - register: _aws_cloudfront_distribution \ No newline at end of file + register: _aws_cloudfront_distribution From 527daf200f188a88b179778ab83be448a611da19 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Tue, 9 Apr 2024 12:46:04 +0100 Subject: [PATCH 109/331] php clear_env config option (#1599) --- roles/debian/php-fpm/defaults/main.yml | 1 + roles/debian/php-fpm/templates/www.conf.j2 | 2 ++ 2 files changed, 3 insertions(+) diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml index ab3590a16..b6fea0c7d 100644 --- a/roles/debian/php-fpm/defaults/main.yml 
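Review bot: `Create S3 bucket if it does not exist` and `Create S3 bucket prefix` omit `profile:` and `region:` while `Create a CloudFront distribution.` passes `profile: "{{ aws_cloudfront_distribution.aws_profile }}"`, so with more than one profile the log bucket can be created in a different account from the distribution and delivery silently fails. Pass the same profile and region, and since this bucket will accumulate access logs indefinitely, set `encryption: AES256`, an explicit `public_access` block, and a lifecycle expiration rule rather than relying on account defaults. Hard-coding `logging: "{{ _cf_s3_log }}"` also removes the opt-out that `default(omit)` provided; keep an `enabled` switch in the role variables so a distribution can be built without logging. `{{ _domain_name }}-cf-log` must additionally be globally unique and at most 63 characters.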
+++ b/roles/debian/php-fpm/defaults/main.yml @@ -51,3 +51,4 @@ php: memory_consumption: 128 max_accelerated_files: 2000 validate_timestamps: 1 + clear_env: "yes" diff --git a/roles/debian/php-fpm/templates/www.conf.j2 b/roles/debian/php-fpm/templates/www.conf.j2 index 7f5d4eeb5..e0147ff14 100755 --- a/roles/debian/php-fpm/templates/www.conf.j2 +++ b/roles/debian/php-fpm/templates/www.conf.j2 @@ -19,3 +19,5 @@ rlimit_core = {{ php.fpm.rlimit_core }} request_slowlog_timeout = {{ php.fpm.request_slowlog_timeout }} slowlog = {{ php.fpm.slowlog_file_directory }}/php{{ version }}-fpm.slow.log {% endif %} + +clear_env = {{ php.fpm.clear_env }} From 75f753a66f8846bd1b8225683185ce50a8d72191 Mon Sep 17 00:00:00 2001 From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Wed, 10 Apr 2024 20:26:00 +0300 Subject: [PATCH 110/331] move ssl to domain.yml to fix the loop; remove checking for existing vhost as the LE proxy handling may not be there if SSL wasn not configured before, and the vhost will not be there as we are recreating them by default (#1601) --- roles/debian/nginx/tasks/domain.yml | 5 +++++ roles/debian/nginx/tasks/main.yml | 11 ----------- roles/debian/nginx/tasks/ssl.yml | 10 ++-------- 3 files changed, 7 insertions(+), 19 deletions(-) diff --git a/roles/debian/nginx/tasks/domain.yml b/roles/debian/nginx/tasks/domain.yml index be355855e..77229701e 100644 --- a/roles/debian/nginx/tasks/domain.yml +++ b/roles/debian/nginx/tasks/domain.yml @@ -1,4 +1,9 @@ --- +- name: Generate SSL certificates. + ansible.builtin.include_tasks: ssl.yml + when: + - domain.ssl is defined + - name: Set up basic auth. when: - domain.basic_auth.auth_enabled is defined diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index ac8bc363c..270551a90 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml 
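Review bot: `clear_env = {{ php.fpm.clear_env }}` in `www.conf.j2` reads the value from `php.fpm`, but the default is inserted after `memory_consumption`, `max_accelerated_files` and `validate_timestamps`, which are opcache settings, so the new key may be landing in the opcache map rather than under `fpm`; confirm the nesting in `defaults/main.yml`, otherwise the template fails on an undefined variable. Keeping the value as the quoted string `"yes"` is right, since a bare `yes` becomes a YAML boolean whose rendering is then up to Jinja. A comment in the defaults that `clear_env = no` exposes the master process environment (including any secrets exported to the service) to every PHP script would help stop it being switched off casually.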
@@ -111,17 +111,6 @@ when: - _nginx_cloudwatch_dir.stat.isdir is defined and _nginx_cloudwatch_dir.stat.isdir -- name: Generate SSL certificates. - ansible.builtin.include_tasks: ssl.yml - with_items: "{{ nginx.domains }}" - loop_control: - loop_var: domain - when: - - domain.ssl is defined - - nginx.domains is defined - - nginx.domains | length > 0 - - nginx.recreate_vhosts - - name: Generate domain specific configuration. ansible.builtin.include_tasks: domain.yml with_items: "{{ nginx.domains }}" diff --git a/roles/debian/nginx/tasks/ssl.yml b/roles/debian/nginx/tasks/ssl.yml index 518aa7fc6..32097e9e2 100644 --- a/roles/debian/nginx/tasks/ssl.yml +++ b/roles/debian/nginx/tasks/ssl.yml @@ -1,14 +1,8 @@ --- -# If there is an existing vhost it will have LE proxy handling already. -- name: Check for an existing vhost. - ansible.builtin.stat: - path: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf" - register: _nginx_vhost_link - - name: LetsEncrypt create vhosts. when: - domain.ssl.handling == 'letsencrypt' - - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 + - domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 block: - name: Temporarily place a vhost for LetsEncrypt to work. ansible.builtin.template: @@ -39,7 +33,7 @@ - name: LetsEncrypt cleanup vhosts. when: - domain.ssl.handling == 'letsencrypt' - - _nginx_vhost_link.stat.islnk is not defined or domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 + - domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 block: - name: Delete the link to the vhost for LetsEncrypt. ansible.builtin.file: From 427ec505b4603177474af3c215f982b7fc8c57d3 Mon Sep 17 00:00:00 2001 
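Review bot: the new `when` in both LetsEncrypt blocks evaluates `domain.ssl.services | length > 0` unconditionally, so a domain that sets `ssl.handling: letsencrypt` without a `services` key now aborts with an undefined-variable error instead of being skipped; use `domain.ssl.services | default([]) | length > 0` or guard with `domain.ssl.services is defined`. Dropping the stat on `/etc/nginx/sites-enabled/{{ domain.server_name }}.conf` matches the `recreate_vhosts` default, but when that flag is false `Temporarily place a vhost for LetsEncrypt to work.` and `Delete the link to the vhost for LetsEncrypt.` now appear to run against an existing link of the same name and will clobber it; either keep the stat for that case or document that SSL handling assumes vhosts are recreated.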
From: Greg Harvey Date: Fri, 12 Apr 2024 10:53:50 +0200 Subject: [PATCH 111/331] Allowing multiple clamscan wrapper scripts and timers per server. (#1538) * Allowing multiple clamscan wrapper scripts and timers per server. * Updating docs.! * Giving the timer a consistent name. --- docs/roles/debian/clamav.md | 20 +++++++++++++------- roles/debian/clamav/README.md | 20 +++++++++++++------- roles/debian/clamav/defaults/main.yml | 20 +++++++++++++------- roles/debian/clamav/tasks/main.yml | 22 +++++++++++----------- roles/debian/clamav/templates/clamscan.j2 | 8 +++++--- 5 files changed, 55 insertions(+), 35 deletions(-) diff --git a/docs/roles/debian/clamav.md b/docs/roles/debian/clamav.md index 4e01840ea..6bc18e398 100644 --- a/docs/roles/debian/clamav.md +++ b/docs/roles/debian/clamav.md 
@@ -11,19 +11,25 @@ This role optionally provides systemd timers for routine scanning if you are not ```yaml --- clamav: - create_timer: false + # wrapper scripts for clamav + scripts: + - location: /usr/local/clamav/script + name: clamscan_daily + exclude_directories: + - /sys/ + scan_location: / + log_name: clamav_daily.log + # scheduled scans, set to an empty dictionary for no timers + timers: + clamav_scan: + timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts + timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. - on_calendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events - scripts_location: /usr/local/clamav/script log_location: /var/log/clamav - log_name: clamav.log send_mail: false # Important: will not send any emails by default. send_on_fail: true # Only sends emails on scan failure, will not email for successful scans. report_recipient_email: mail@example.com report_sender_email: admin@server.example.com - scan_location: / - exclude_directories: - - /sys/ install_clamdscan: false # flag to install additional 'clamdscan' package ``` diff --git a/roles/debian/clamav/README.md b/roles/debian/clamav/README.md index 4e01840ea..6bc18e398 100644 --- a/roles/debian/clamav/README.md +++ b/roles/debian/clamav/README.md 
@@ -11,19 +11,25 @@ This role optionally provides systemd timers for routine scanning if you are not ```yaml --- clamav: - create_timer: false + # wrapper scripts for clamav + scripts: + - location: /usr/local/clamav/script + name: clamscan_daily + exclude_directories: + - /sys/ + scan_location: / + log_name: clamav_daily.log + # scheduled scans, set to an empty dictionary for no timers + timers: + clamav_scan: + timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts + timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. - on_calendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events - scripts_location: /usr/local/clamav/script log_location: /var/log/clamav - log_name: clamav.log send_mail: false # Important: will not send any emails by default. send_on_fail: true # Only sends emails on scan failure, will not email for successful scans. report_recipient_email: mail@example.com report_sender_email: admin@server.example.com - scan_location: / - exclude_directories: - - /sys/ install_clamdscan: false # flag to install additional 'clamdscan' package ``` diff --git a/roles/debian/clamav/defaults/main.yml b/roles/debian/clamav/defaults/main.yml index 6dddd32d6..648ddd934 100644 --- a/roles/debian/clamav/defaults/main.yml +++ b/roles/debian/clamav/defaults/main.yml 
@@ -1,16 +1,22 @@ --- clamav: - create_timer: false + # wrapper scripts for clamav + scripts: + - location: /usr/local/clamav/script + name: clamscan_daily + exclude_directories: + - /sys/ + scan_location: / + log_name: clamav_daily.log + # scheduled scans, set to an empty dictionary for no timers + timers: + clamscan_daily: + timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts + timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. - on_calendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events - scripts_location: /usr/local/clamav/script log_location: /var/log/clamav - log_name: clamav.log send_mail: false # Important: will not send any emails by default. send_on_fail: true # Only sends emails on scan failure, will not email for successful scans. report_recipient_email: mail@example.com report_sender_email: admin@server.example.com - scan_location: / - exclude_directories: - - /sys/ install_clamdscan: false # flag to install additional 'clamdscan' package diff --git a/roles/debian/clamav/tasks/main.yml b/roles/debian/clamav/tasks/main.yml index b84a4f2a6..ebf032e74 100644 --- a/roles/debian/clamav/tasks/main.yml +++ b/roles/debian/clamav/tasks/main.yml 
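Review bot: the timer key in `defaults/main.yml` is `clamscan_daily` while the same patch's `docs/roles/debian/clamav.md` and `roles/debian/clamav/README.md` show `clamav_scan`; keep them identical, otherwise a copied example creates a second timer next to the default one. The comment says `timer_command` must point at a script defined in `clamav.scripts`, but nothing enforces it; an `ansible.builtin.assert` that every `timers.*.timer_command` equals some `location/name` pair from `clamav.scripts` would catch the mismatch at provision time rather than as a failing unit at 02:30.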
@@ -1,34 +1,34 @@ --- -- name: Ensure the ClamAV scripts directory exists. +- name: Ensure the ClamAV scripts directories exists. ansible.builtin.file: - path: "{{ clamav.scripts_location }}" + path: "{{ item.location }}" state: directory mode: '0755' + with_items: "{{ clamav.scripts }}" + when: clamav.scripts | length > 0 -- name: Copy clamscan script to server. +- name: Copy clamscan scripts to server. ansible.builtin.template: src: "clamscan.j2" - dest: "{{ clamav.scripts_location }}/clamscan" + dest: "{{ item.location }}/{{ item.name }}" owner: root group: root mode: "0755" + with_items: "{{ clamav.scripts }}" + when: clamav.scripts | length > 0 - name: Ensure the ClamAV log directory exists. ansible.builtin.file: path: "{{ clamav.log_location }}" state: directory mode: '0755' - when: clamav.create_timer -- name: Set up a ClamAV systemd timer. +- name: Set up a ClamAV systemd timers. ansible.builtin.include_role: name: contrib/systemd_timers vars: - timers: - clamav_scan: - timer_command: "{{ clamav.scripts_location }}/clamscan" - timer_OnCalendar: "{{ clamav.on_calendar }}" - when: clamav.create_timer + timers: "{{ clamav.timers }}" + when: clamav.timers | length > 0 - name: Install clamdscan. ansible.builtin.apt: diff --git a/roles/debian/clamav/templates/clamscan.j2 b/roles/debian/clamav/templates/clamscan.j2 index c2b54e2cb..231085405 100644 --- a/roles/debian/clamav/templates/clamscan.j2 +++ b/roles/debian/clamav/templates/clamscan.j2 @@ -1,7 +1,7 @@ #!/bin/bash SUBJECT="{{ clamav.server_name }} PASSED SCAN" EMAIL="{{ clamav.report_recipient_email }}" -LOG={{ clamav.log_location }}/{{ clamav.log_name }} +LOG={{ clamav.log_location }}/{{ item.log_name }} TMP_LOG=/tmp/clam.daily rm -rf ${TMP_LOG} 
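Review bot: `when: clamav.scripts | length > 0` on the two `with_items: "{{ clamav.scripts }}"` tasks is redundant (an empty loop runs nothing) and, unlike the loop, errors when `clamav.scripts` is undefined; drop the `when` or use `clamav.scripts | default([])`. `clamscan.j2` now depends on the bare loop variable `item` (`item.log_name`), which only works because the template is rendered inside that loop; set `loop_control: loop_var: clamav_script` and reference it in the template so the coupling is explicit and the template cannot be reused with a different `item` by accident.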
@@ -38,9 +38,10 @@ av_report() { } av_scan() { + {% if item.exclude_directories | length > 0 %} # build bash array of directories to exclude EXCLUSIONS=() - {% for directory in clamav.exclude_directories %} + {% for directory in item.exclude_directories %} EXCLUSIONS+=("{{ directory }}") {% endfor %} @@ -49,9 +50,10 @@ av_scan() { for directory in ${EXCLUSIONS[@]}; do EXCLUSIONS_STRING+=" --exclude-dir=$directory" done + {% endif %} touch ${TMP_LOG} - clamscan -r {{ clamav.scan_location }} --quiet --infected --log=${TMP_LOG}$EXCLUSIONS_STRING + clamscan -r {{ item.scan_location }} --quiet --infected --log=${TMP_LOG}$EXCLUSIONS_STRING cat ${TMP_LOG} >> ${LOG} } From 7db4aee77f25bb8a9c9279c624a096da8c75ff8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Mon, 15 Apr 2024 12:42:47 +0200 Subject: [PATCH 112/331] r69219-Updating-Scheduler-json-target (#1603) Co-authored-by: Matej Stajduhar --- roles/aws/aws_ami_asg_cleanup/tasks/main.yml | 6 +++--- roles/debian/apt_extra_packages/tasks/main.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml index 9c1c8f6ec..d23a1f5ea 100644 --- a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml +++ b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml @@ -31,7 +31,7 @@ - name: Sleep for 30 seconds for IAM before Lambda creation ansible.builtin.wait_for: - timeout: 30 + timeout: 20 - name: Create Lambda function amazon.aws.lambda: 
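Review bot: with several wrapper scripts per server, each one still uses `TMP_LOG=/tmp/clam.daily`, does `rm -rf ${TMP_LOG}` and then `touch ${TMP_LOG}` as root; two timers overlapping truncate each other's results, and a fixed, predictable path in `/tmp` that root removes and recreates is a symlink race any local user can win between the `rm` and the `touch`. Use `TMP_LOG=$(mktemp /tmp/clamscan.XXXXXX)` with `trap 'rm -f "$TMP_LOG"' EXIT`, or write the scratch file under `{{ clamav.log_location }}` keyed on `{{ item.log_name }}`. The `{% if item.exclude_directories | length > 0 %}` guard also leaves `EXCLUSIONS_STRING` unset in the else branch; initialise it to an empty string before the `clamscan -r` line so the script survives `set -u`.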
@@ -49,11 +49,11 @@ - name: Create scheduler to invoke Lambda function amazon.aws.cloudwatchevent_rule: - name: "cleanup_asg_ami_{{ _domain_name }}" + name: "cleanup_asg_ami_{{ _aws_resource_name }}" schedule_expression: "{{ aws_ami_asg_cleanup.scheduler_cron }}" description: Clean up ASG AMIs region: "{{ _aws_region }}" targets: - id: 'clean_up_ami' arn: "{{ _created_iam_lambda_cleanup_function.configuration.function_arn }}" - input: '{"asg_name": "{{ _domain_name | regex_replace("\.", "-") }}"}' + input: '{"asg_name": "{{ _aws_resource_name }}"}' diff --git a/roles/debian/apt_extra_packages/tasks/main.yml b/roles/debian/apt_extra_packages/tasks/main.yml index 2cdaf6f83..8c688b0ed 100644 --- a/roles/debian/apt_extra_packages/tasks/main.yml +++ b/roles/debian/apt_extra_packages/tasks/main.yml @@ -7,13 +7,13 @@ ansible.builtin.set_fact: apt_list: [] -- name: Add URLs to wget list +- name: Add items with URL to wget list ansible.builtin.set_fact: wget_list: "{{ wget_list + [item] }}" loop: "{{ apt_extra_packages }}" when: "item is regex('^https?://')" -- name: Add URLs to apt list +- name: Add non URL items to apt list ansible.builtin.set_fact: apt_list: "{{ apt_list + [item] }}" when: "item is not regex('^https?://')" @@ -31,4 +31,4 @@ when: wget_list | length > 0 loop: "{{ wget_list }}" loop_control: - loop_var: wget_item \ No newline at end of file + loop_var: wget_item From 64905aafc39d64baecf0f8cf0e529845b943288b Mon Sep 17 00:00:00 2001 
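Review bot: `input: '{"asg_name": "{{ _aws_resource_name }}"}'` builds JSON by string interpolation; a resource name containing a quote or backslash yields invalid JSON that the rule accepts but the Lambda fails to parse. Use `input: "{{ {'asg_name': _aws_resource_name} | to_json }}"` so escaping is handled. Trimming `Sleep for 30 seconds` to 20 is the third adjustment of that constant in this series; an `until: ... is succeeded` retry on the Lambda creation would end the guesswork. In `apt_extra_packages`, the renamed tasks still classify on `item is regex('^https?://')`, which accepts a plain `http://` URL as a source for a `.deb`; restrict to `https://` unless a checksum is verified before install.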
From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Tue, 23 Apr 2024 10:24:02 +0300 Subject: [PATCH 113/331] R68069 alb healthchecks and nginx pr 2.x (#1609) * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-nice-indentation --- roles/debian/nginx/templates/drupal10.j2 | 4 +- roles/debian/nginx/templates/drupal_common.j2 | 4 +- roles/debian/nginx/templates/nginx.conf.j2 | 4 +- roles/debian/nginx/templates/vhosts.j2 | 39 ++++++++++++------- 4 files changed, 30 insertions(+), 21 deletions(-) diff --git a/roles/debian/nginx/templates/drupal10.j2 b/roles/debian/nginx/templates/drupal10.j2 index 2bef01860..c74dc42d0 100644 --- a/roles/debian/nginx/templates/drupal10.j2 +++ b/roles/debian/nginx/templates/drupal10.j2 @@ -24,10 +24,10 @@ location @phpprocess { # Rewrite any request not whitelisted below, # so they get processed through the app level (and 404). location / { - {% if nginx.ratelimitingcrawlers %} +{% if nginx.ratelimitingcrawlers %} # @todo # limit_req zone=bots burst=5 nodelay; - {% endif %} +{% endif %} try_files @rewrite /index.php?$query_string; } diff --git a/roles/debian/nginx/templates/drupal_common.j2 b/roles/debian/nginx/templates/drupal_common.j2 index e87a61702..8e3bf96f6 100644 --- a/roles/debian/nginx/templates/drupal_common.j2 +++ b/roles/debian/nginx/templates/drupal_common.j2 @@ -16,10 +16,10 @@ location @phpprocess { # Rewrite any request not whitelisted below, # so they get processed through the app level (and 404). location / { - {% if nginx.ratelimitingcrawlers %} +{% if nginx.ratelimitingcrawlers %} # @todo # limit_req zone=bots burst=5 nodelay; - {% endif %} +{% endif %} try_files @rewrite /index.php?$query_string; } diff --git a/roles/debian/nginx/templates/nginx.conf.j2 b/roles/debian/nginx/templates/nginx.conf.j2 index f64cad774..7d608906e 100644 --- a/roles/debian/nginx/templates/nginx.conf.j2 
+++ b/roles/debian/nginx/templates/nginx.conf.j2 @@ -54,9 +54,9 @@ http { ## {% if nginx.http.custom_directives is defined %} - {% for directive in nginx.http.custom_directives %} +{% for directive in nginx.http.custom_directives %} {{ directive }} - {% endfor %} +{% endfor %} {% endif %} ## diff --git a/roles/debian/nginx/templates/vhosts.j2 b/roles/debian/nginx/templates/vhosts.j2 index 9cf7b514a..96546b61a 100644 --- a/roles/debian/nginx/templates/vhosts.j2 +++ b/roles/debian/nginx/templates/vhosts.j2 @@ -16,9 +16,9 @@ server { rewrite ^ https://{{ domain.server_name }}$request_uri? permanent; {% endif %} {% if server.custom_directives is defined %} - {% for directive in server.custom_directives %} +{% for directive in server.custom_directives %} {{ directive }} - {% endfor %} +{% endfor %} {% endif %} {% if server.ssl %} ssl_certificate {{ ssl_facts[_ssl_domains[0]].certificate }}; 
@@ -38,23 +38,32 @@ server { } {% endif %} {% endif %} -{% if - domain.basic_auth.auth_enabled is defined and - domain.basic_auth.auth_enabled and - domain.basic_auth.auth_user is defined and - domain.basic_auth.auth_user | length > 0 -%} + +{% if domain.basic_auth.auth_enabled is defined and domain.basic_auth.auth_enabled %} +{% if _profile == 'asg' and domain.is_default is defined and domain.is_default %} + # Additional http_auth bypass for ASG healthchecks. + set $bypassagent "0"; + set $bypass "0"; + set $auth_status "{{ domain.basic_auth.auth_message | default('Restricted content') }}"; + if ($http_user_agent ~* "ELB-HealthChecker") { + set $bypassagent "1"; + } + if ($remote_addr ~ "^{{ _aws_vpc_cidr_base | replace('.', '\\.') }}\." ) { + set $bypass "${bypassagent}1"; + } + if ($bypass = "11") { + set $auth_status "off"; + } + auth_basic $auth_status; +{% else %} auth_basic "{{ domain.basic_auth.auth_message | default('Restricted content') }}"; +{% endif %} +{% if domain.basic_auth.auth_user is defined and domain.basic_auth.auth_user | length > 0 %} auth_basic_user_file "/etc/nginx/passwords/{{ domain.server_name }}.htpasswd"; {% endif %} -{% if - domain.basic_auth.auth_enabled is defined and - domain.basic_auth.auth_enabled and - domain.basic_auth.auth_file is defined and - domain.basic_auth.auth_file | length > 0 -%} - auth_basic "{{ domain.basic_auth.auth_message | default('Restricted content') }}"; +{% if domain.basic_auth.auth_file is defined and domain.basic_auth.auth_file | length > 0 %} auth_basic_user_file "/etc/nginx/passwords/{{ domain.server_name }}.provided.htpasswd"; {% endif %} +{% endif %} } {% endfor %} From f3d8ab7b0833f705c88d5daa90015ca3d6a4c63e Mon Sep 17 00:00:00 2001 
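Review bot: the health-check exemption under `{% if _profile == 'asg' and domain.is_default ... %}` turns `auth_basic` off for the entire default server block whenever the User-Agent matches `ELB-HealthChecker` and `$remote_addr` falls inside `_aws_vpc_cidr_base`. Behind an ALB, `$remote_addr` is the load balancer's own VPC address for every proxied request unless nginx rewrites it from `X-Forwarded-For` via `set_real_ip_from`/`real_ip_header`; in that setup the address test is true for all internet traffic and the only remaining gate is a client-chosen header, so `curl -A 'ELB-HealthChecker/2.0' https://host/` skips basic auth on every path. Scope the exemption to the health-check target instead (a `location = /healthcheck { auth_basic off; }` matching the target group's configured path) and keep the credential check on `/`; if the UA plus source test is kept, verify in `nginx.conf.j2` that real-IP handling makes `$remote_addr` the true client and that `X-Forwarded-For` is only trusted from the ALB subnets.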
From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 23 Apr 2024 13:36:11 +0200 Subject: [PATCH 114/331] R69332 le cron mail alerts pr 2.x (#1605) * r69332-le-cron-mail-alerts * Changing-recipient-to-var * Changing-recipient-to-var-2 * Fixing-email-var * Fixing-email-var-2 --- roles/debian/ssl/templates/le_cron.sh.j2 | 28 +++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/roles/debian/ssl/templates/le_cron.sh.j2 b/roles/debian/ssl/templates/le_cron.sh.j2 index 87dc619ec..db30e98ff 100644 --- a/roles/debian/ssl/templates/le_cron.sh.j2 +++ b/roles/debian/ssl/templates/le_cron.sh.j2 @@ -1,5 +1,14 @@ #!/bin/bash +# Function to send email notification +send_email_notification() { + local recipient="$1" + local subject="$2" + local body="$3" + + echo -e "$body" | mail -s "$subject" "$recipient" +} + # stop services {% for service in _ssl_services %} /usr/sbin/service {{ service }} stop @@ -20,8 +29,11 @@ for site in ${SITES[@]}; do SITESSTRING+=" -d $site" done -# run certbot -{{ ssl.certbot_renew_command }} --{{ _ssl_web_server }} --http-01-port {{ ssl.http_01_port }} --expand$SITESSTRING +# run certbot and capture the output +certbot_output=$( {{ ssl.certbot_renew_command }} --{{ _ssl_web_server }} --http-01-port {{ ssl.http_01_port }} --expand$SITESSTRING 2>&1 ) + +# Capture exit code of Certbot command +certbot_exit_code=$? # start services again {% for service in _ssl_services %} @@ -31,4 +43,14 @@ done # reload dependent services {% for service in ssl.reload %} /usr/sbin/service {{ service }} {{ ssl.reload_command }} -{% endfor %} \ No newline at end of file +{% endfor %} + +if [ $certbot_exit_code -ne 0 ]; then + # Certbot failed, send email notification + recipient="{{ ssl.email }}" + subject="Certbot Renewal Failed" + body="Certbot renewal failed with the following output: + +$certbot_output" + send_email_notification "$recipient" "$subject" "$body" +fi 
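Review bot: the failure path in `le_cron.sh.j2` depends on a `mail` binary the template never checks for, and the script still exits 0 after a failed renewal, so with `mail` missing or no MTA configured the expiry goes unnoticed. Add `command -v mail >/dev/null || logger -t le_cron "mail not available"` before `send_email_notification`, and end with `exit "$certbot_exit_code"` so cron or systemd records the failure independently of email. `certbot_exit_code=$?` directly after the `certbot_output=$( ... 2>&1 )` assignment does capture certbot's status (the assignment's exit status is that of the command substitution), but any command inserted between the two lines silently breaks it; `if ! certbot_output=$(...); then` makes the intent robust. Including `$(hostname)` in the subject would also help, since `ssl.email` may receive alerts from many servers.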
From 7a9147ff472d5a748366e1ba5b9d6079aafe11a4 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 25 Apr 2024 16:38:01 +0200 Subject: [PATCH 115/331] Aws acl defaults pr 2.x (#1614) * Fixing AWS ACL role defaults. * Docs update. * Punctuation fix! --- docs/_Sidebar.md | 1 + docs/roles/aws/aws_acl.md | 39 +++++++++++++++ docs/roles/aws/aws_cloudfront_distribution.md | 32 +----------- docs/roles/debian/clamav.md | 2 +- docs/roles/debian/nginx.md | 2 + docs/roles/debian/php-fpm.md | 1 + roles/aws/aws_acl/README.md | 39 +++++++++++++++ roles/aws/aws_acl/defaults/main.yml | 35 ++++++------- roles/aws/aws_acl/tasks/main.yml | 50 +++++++++++-------- .../aws/aws_cloudfront_distribution/README.md | 32 +----------- .../tasks/main.yml | 8 +-- roles/debian/clamav/README.md | 2 +- roles/debian/nginx/README.md | 2 + roles/debian/php-fpm/README.md | 1 + 14 files changed, 139 insertions(+), 107 deletions(-) create mode 100644 docs/roles/aws/aws_acl.md create mode 100644 roles/aws/aws_acl/README.md diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index fe73f6915..e65b520cb 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -4,6 +4,7 @@ - [Usage](/scripts) - [Roles](roles) - [AWS Infrastructure](/roles/aws) + - [AWS ACL](/roles/aws/aws_acl) - [AWS Certificate Manager](/roles/aws/aws_acm) - [AWS AMI](/roles/aws/aws_ami) - [AWS Backup](/roles/aws/aws_backup) diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md new file mode 100644 index 000000000..e61200e38 --- /dev/null +++ b/docs/roles/aws/aws_acl.md 
@@ -0,0 +1,39 @@ +# AWS ACL +Creates an ACL to be attached to a CloudFront distribution or an Application Load Balancer (ALB). + + + + + +## Default variables +```yaml +--- +rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking +aws_acl: + name: example_master_acl + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped + tags: {} + + ip_allow: + name: "Allowed-ips" + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 + + ip_block: + name: "Blocked-ips" + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 + + cc_block_list: [] + #- BY # Belarus + #- CN # China + #- IR # Iran + #- SA # Saudi Arabia +``` + + diff --git a/docs/roles/aws/aws_cloudfront_distribution.md b/docs/roles/aws/aws_cloudfront_distribution.md index 63952a71c..f45a01af6 100644 --- a/docs/roles/aws/aws_cloudfront_distribution.md +++ b/docs/roles/aws/aws_cloudfront_distribution.md @@ -7,32 +7,6 @@ Creates a new AWS CloudFront distribution (CDN) for content delivery. ## Default variables ```yaml --- -# Uncomment cf_acl to create firewall rules for Cloudfront distro -#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int) -#cf_acl: -# acl_name: "dummy_master_acl" -# scope: "CLOUDFRONT" # Can be "REGIONAL" -# region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped -# -# ip_allow -# name: "Allowed-ips" -# list: -# - 1.1.1.1/32 -# - 2.2.2.2/32 -# - 3.3.3.3/32 -# -# ip_block: -# name: "Blocked-ips" -# list: -# - 4.4.4.4/32 -# - 5.5.5.5/32 -# - 6.6.6.6/32 -# -# cc_block_list: -# - BY # Belarus -# - CN # China -# - IR # Iran -# - SA # Saudi Arabia aws_cloudfront_distribution: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" 
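Review bot: the new `docs/roles/aws/aws_acl.md` describes `rate_limit` as "how many requests to allow in period before blocking" without saying what the period is; state the evaluation window the rule is created with (AWS WAF rate-based rules default to a 5-minute window) and that the count is per source IP, otherwise a value like `200` reads as a per-second figure. The doc also does not say whether addresses in `ip_allow` are exempt from the rate-limit and country-block rules or merely not blocked, which comes down to rule priority; one sentence on the order in which the rules are evaluated would prevent a misconfiguration.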
@@ -95,11 +69,7 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. -# logging: -# bucket: "" # URL of S3 bucket to store logs -# enabled: false # Set true to allow logging -# include_cookies: false # Set true to add cookies in logs -# prefix: "" # Prefix for S3 object names + ``` diff --git a/docs/roles/debian/clamav.md b/docs/roles/debian/clamav.md index 6bc18e398..4529ab043 100644 --- a/docs/roles/debian/clamav.md +++ b/docs/roles/debian/clamav.md @@ -21,7 +21,7 @@ clamav: log_name: clamav_daily.log # scheduled scans, set to an empty dictionary for no timers timers: - clamav_scan: + clamscan_daily: timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 08130a46c..1890f2f3b 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md @@ -52,6 +52,8 @@ nginx: client_body_buffer_size: 512k fastcgi_buffer_size: 512k fastcgi_buffers: "8 256k" + cache_behavior_private: "add_header Cache-Control \"private, max-age=604800\"" + cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\"" # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md index b9c0edbd7..94a687ac4 100644 --- a/docs/roles/debian/php-fpm.md 
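Review bot: `docs/roles/debian/nginx.md` (and the matching README in the diffstat) gains `cache_behavior_private` and `cache_behavior_public` defaults, but no `roles/debian/nginx/defaults/main.yml` change appears anywhere in this patch, so either the documentation is ahead of the role or the defaults change was left out of the commit; the generated docs should not diverge from the file they are built from.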
+++ b/docs/roles/debian/php-fpm.md @@ -61,6 +61,7 @@ php: memory_consumption: 128 max_accelerated_files: 2000 validate_timestamps: 1 + clear_env: "yes" ``` diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md new file mode 100644 index 000000000..e61200e38 --- /dev/null +++ b/roles/aws/aws_acl/README.md @@ -0,0 +1,39 @@ +# AWS ACL +Creates an ACL to be attached to a CloudFront distribution or an Application Load Balancer (ALB). + + + + + +## Default variables +```yaml +--- +rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking +aws_acl: + name: example_master_acl + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped + tags: {} + + ip_allow: + name: "Allowed-ips" + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 + + ip_block: + name: "Blocked-ips" + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 + + cc_block_list: [] + #- BY # Belarus + #- CN # China + #- IR # Iran + #- SA # Saudi Arabia +``` + + diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index 8845df2d6..a674711db 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml 
@@ -1,26 +1,27 @@ --- -rate_limit: 200 +rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking aws_acl: - name: "dummy_master_acl" - scope: "CLOUDFRONT" # Can be "REGIONAL" for ALBs - region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped + name: example_master_acl + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped + tags: {} ip_allow: name: "Allowed-ips" - list: - - 1.1.1.1/32 - - 2.2.2.2/32 - - 3.3.3.3/32 + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 ip_block: name: "Blocked-ips" - list: - - 4.4.4.4/32 - - 5.5.5.5/32 - - 6.6.6.6/32 + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 - cc_block_list: - - BY # Belarus - - CN # China - - IR # Iran - - SA # Saudi Arabia \ No newline at end of file + cc_block_list: [] + #- BY # Belarus + #- CN # China + #- IR # Iran + #- SA # Saudi Arabia \ No newline at end of file diff --git a/roles/aws/aws_acl/tasks/main.yml b/roles/aws/aws_acl/tasks/main.yml index 43ca97338..08968c719 100644 --- a/roles/aws/aws_acl/tasks/main.yml +++ b/roles/aws/aws_acl/tasks/main.yml @@ -1,11 +1,13 @@ -- name: Define dict for rules +- name: Define dict for rules. ansible.builtin.set_fact: _acl_rules: [] -- name: Set IP block rule - when: aws_acl.ip_block is defined +- name: Set IP block rule. + when: + - aws_acl.ip_block is defined + - aws_acl.ip_block.list | length > 0 block: - - name: Create IP block set for WAF + - name: Create IP block set for WAF. community.aws.wafv2_ip_set: name: "{{ aws_acl.ip_block.name }}" state: present 
@@ -16,7 +18,7 @@ addresses: "{{ aws_acl.ip_block.list }}" register: _ip_set_info - - name: Create IP block rule + - name: Create IP block rule. ansible.builtin.set_fact: ip_block_rule: - name: "{{ aws_acl.ip_block.name }}" @@ -31,14 +33,16 @@ ip_set_reference_statement: arn: "{{ _ip_set_info.arn }}" - - name: Add rule to list + - name: Add rule to list. ansible.builtin.set_fact: _acl_rules: "{{ _acl_rules + ip_block_rule }}" -- name: Set IP allow rule - when: aws_acl.ip_allow is defined +- name: Set IP allow rule. + when: + - aws_acl.ip_allow is defined + - aws_acl.ip_allow.list | length > 0 block: - - name: Create IP allow set for WAF + - name: Create IP allow set for WAF. community.aws.wafv2_ip_set: name: "{{ aws_acl.ip_allow.name }}" state: present @@ -49,7 +53,7 @@ addresses: "{{ aws_acl.ip_allow.list }}" register: _ip_set_info - - name: Create IP allow rule + - name: Create IP allow rule. ansible.builtin.set_fact: ip_allow_rule: - name: "{{ aws_acl.ip_allow.name }}" @@ -64,12 +68,14 @@ ip_set_reference_statement: arn: "{{ _ip_set_info.arn }}" - - name: Add rule to list + - name: Add rule to list. ansible.builtin.set_fact: _acl_rules: "{{ _acl_rules + ip_allow_rule }}" -- name: Set country block rule - when: aws_acl.cc_block_list is defined +- name: Set country block rule. + when: + - aws_acl.cc_block_list is defined + - aws_acl.cc_block_list | length > 0 block: - name: Create country block rule ansible.builtin.set_fact: @@ -91,10 +97,12 @@ _acl_rules: "{{ _acl_rules + cc_block_rule }}" # Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int) -- name: Set rate limit variable - when: rate_limit is defined +- name: Set rate limit variable. + when: + - rate_limit is defined + - rate_limit > 0 block: - - name: Define rate rule + - name: Define rate rule. ansible.builtin.set_fact: rate_rule: - name: rate_limit 
@@ -110,11 +118,11 @@ limit: "{{ rate_limit }}" aggregate_key_type: IP - - name: Add rule to list + - name: Add rule to list. ansible.builtin.set_fact: _acl_rules: "{{ _acl_rules + rate_rule}}" -- name: Create web acl +- name: Create web acl. community.aws.wafv2_web_acl: name: "{{ aws_acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ description: "WAF protecting the {{ _domain_name }}" @@ -126,13 +134,11 @@ metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name) rules: "{{ _acl_rules }}" purge_rules: true -# tags: -# A: B -# C: D + tags: "{{ aws_acl.tags }}" state: present register: _created_acl -- name: Add WAF to ALB +- name: Add WAF to ALB. community.aws.wafv2_resources: name: "{{ aws_acl.name }}" scope: REGIONAL diff --git a/roles/aws/aws_cloudfront_distribution/README.md b/roles/aws/aws_cloudfront_distribution/README.md index 63952a71c..f45a01af6 100644 --- a/roles/aws/aws_cloudfront_distribution/README.md +++ b/roles/aws/aws_cloudfront_distribution/README.md @@ -7,32 +7,6 @@ Creates a new AWS CloudFront distribution (CDN) for content delivery. ## Default variables ```yaml --- -# Uncomment cf_acl to create firewall rules for Cloudfront distro -#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int) -#cf_acl: -# acl_name: "dummy_master_acl" -# scope: "CLOUDFRONT" # Can be "REGIONAL" -# region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped -# -# ip_allow -# name: "Allowed-ips" -# list: -# - 1.1.1.1/32 -# - 2.2.2.2/32 -# - 3.3.3.3/32 -# -# ip_block: -# name: "Blocked-ips" -# list: -# - 4.4.4.4/32 -# - 5.5.5.5/32 -# - 6.6.6.6/32 -# -# cc_block_list: -# - BY # Belarus -# - CN # China -# - IR # Iran -# - SA # Saudi Arabia aws_cloudfront_distribution: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" 
@@ -95,11 +69,7 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. -# logging: -# bucket: "" # URL of S3 bucket to store logs -# enabled: false # Set true to allow logging -# include_cookies: false # Set true to add cookies in logs -# prefix: "" # Prefix for S3 object names + ``` diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml index 4613e23f2..8fae00293 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: Create web acl if defined +- name: Create web acl if defined. ansible.builtin.include_role: name: aws/aws_acl when: @@ -7,19 +7,19 @@ - aws_acl.scope == 'CLOUDFRONT' # Creating bucket for CF logging -- name: Create S3 bucket if it does not exist +- name: Create S3 bucket if it does not exist. amazon.aws.s3_bucket: name: "{{ _domain_name }}-cf-log" state: present object_ownership: "BucketOwnerPreferred" -- name: Create S3 bucket prefix +- name: Create S3 bucket prefix. amazon.aws.s3_object: bucket: "{{ _domain_name }}-cf-log" object: "cf-logging/" mode: "create" -- name: Creating dictionary for CF logging +- name: Creating dictionary for CF logging. ansible.builtin.set_fact: _cf_s3_log: bucket: "{{ _domain_name }}-cf-log.s3.amazonaws.com" # URL of S3 bucket to store logs diff --git a/roles/debian/clamav/README.md b/roles/debian/clamav/README.md index 6bc18e398..4529ab043 100644 --- a/roles/debian/clamav/README.md +++ b/roles/debian/clamav/README.md 
@@ -21,7 +21,7 @@ clamav: log_name: clamav_daily.log # scheduled scans, set to an empty dictionary for no timers timers: - clamav_scan: + clamscan_daily: timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 08130a46c..1890f2f3b 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md @@ -52,6 +52,8 @@ nginx: client_body_buffer_size: 512k fastcgi_buffer_size: 512k fastcgi_buffers: "8 256k" + cache_behavior_private: "add_header Cache-Control \"private, max-age=604800\"" + cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\"" # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. diff --git a/roles/debian/php-fpm/README.md b/roles/debian/php-fpm/README.md index b9c0edbd7..94a687ac4 100644 --- a/roles/debian/php-fpm/README.md +++ b/roles/debian/php-fpm/README.md @@ -61,6 +61,7 @@ php: memory_consumption: 128 max_accelerated_files: 2000 validate_timestamps: 1 + clear_env: "yes" ``` From 40049ca1b7828ba4a64b357eabfb9dafff8ec496 Mon Sep 17 00:00:00 2001 
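Review bot: in the `aws_acl/tasks/main.yml` hunk `@@ -91,10 +97,12 @@`, the new condition `rate_limit > 0` raises a Jinja2 TypeError if `rate_limit` arrives as a string, which is exactly the failure mode the comment above the task ("any variable gets interpreted as string instead of int") describes; use `rate_limit | int > 0` here and `limit: "{{ rate_limit | int }}"` in the rate rule so a quoted value in an inventory does not abort the play.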
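Review bot: in the `aws_acl/tasks/main.yml` hunk `@@ -126,13 +134,11 @@`, `metric_name: test-metric-name` (with the "not sure about this name" comment) is still the CloudWatch metric name for every ACL this role creates, so allowed/blocked counts from different ACLs collapse into one metric; since the `tags:` line next to it is being changed anyway, derive the name from the ACL, e.g. `metric_name: "{{ aws_acl.name }}"`, so alarms can be set per ACL.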
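Review bot: in the `aws_cloudfront_distribution` README hunk `@@ -95,11 +69,7 @@`, the documented `logging` block is removed without replacement text, while the tasks hunk in this same patch now always creates a `{{ _domain_name }}-cf-log` bucket and wires logging to it; add a sentence to the README saying that access logging is always on, where the logs go, and that the bucket name is derived from the domain, so operators can find the logs during an investigation.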
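Review bot: in the `aws_cloudfront_distribution/tasks/main.yml` hunk `@@ -7,19 +7,19 @@`, the log bucket is created with only `object_ownership` set; CloudFront access logs carry client IPs and full request URIs, so make the protective settings explicit on the `amazon.aws.s3_bucket` call (`public_access` blocking all four public-access options and `encryption: AES256`) and consider a lifecycle rule, rather than relying on account defaults.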
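Review bot: in the nginx README hunk `@@ -52,6 +52,8 @@`, the new `cache_behavior_public` default emits `Cache-Control "public, max-age=604800"`, which permits shared caches (CloudFront, intermediate proxies) to store a response for a week; the README should state which locations each of the two variables is applied to, because applying the public variant to any response that varies per user session would serve one user's content to another from the cache.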
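Review bot: in the php-fpm README hunk `@@ -61,6 +61,7 @@`, `clear_env: "yes"` is added with no comment; note that this is the PHP-FPM default and that setting it to `"no"` passes the FPM master process environment (which may hold credentials) to every PHP script through `getenv()`/`$_ENV`, so it should only be changed deliberately and for a named reason.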
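Review bot: in the clamav README hunk `@@ -21,7 +21,7 @@`, renaming the timer key from `clamav_scan` to `clamscan_daily` changes the generated systemd unit name; the hunk does not show whether the timers role disables and removes units that are no longer listed, so confirm that already-provisioned hosts do not end up with both timers running the daily scan.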
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Mon, 29 Apr 2024 10:46:04 +0200 Subject: [PATCH 116/331] Small-changes-to-roles (#1617) Co-authored-by: Matej Stajduhar --- roles/aws/aws_ami_asg_cleanup/README.md | 19 +++++++++++++++++++ .../aws/aws_ami_asg_cleanup/defaults/main.yml | 3 ++- roles/aws/aws_ami_asg_cleanup/tasks/main.yml | 8 +++++++- 3 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 roles/aws/aws_ami_asg_cleanup/README.md diff --git a/roles/aws/aws_ami_asg_cleanup/README.md b/roles/aws/aws_ami_asg_cleanup/README.md new file mode 100644 index 000000000..47fb1558f --- /dev/null +++ b/roles/aws/aws_ami_asg_cleanup/README.md @@ -0,0 +1,19 @@ +# AWS AMI ASG Cleanup +Creates an scheduler and lambda function to remove old AMIs + + + + +## Default variables +```yaml +--- +aws_ami_asg_cleanup: + memory_size: 128 # Memory allocation for Lambda function in MB + timeout: 40 # Time in seconds, max is 900 + handler: "clean_up_ami.lambda_handler" # Change this only if the main_file.main_function name is changed + runtime: "python3.12" # If the python version changes we need to update this as well + keep_backups: 10 + scheduler_cron: "cron(0 16 ? * SUN *)" +``` + + diff --git a/roles/aws/aws_ami_asg_cleanup/defaults/main.yml b/roles/aws/aws_ami_asg_cleanup/defaults/main.yml index 9ddead478..143e1af46 100644 --- a/roles/aws/aws_ami_asg_cleanup/defaults/main.yml +++ b/roles/aws/aws_ami_asg_cleanup/defaults/main.yml @@ -1,6 +1,7 @@ +--- aws_ami_asg_cleanup: memory_size: 128 # Memory allocation for Lambda function in MB - timeout: 30 # Time in seconds, max is 900 + timeout: 40 # Time in seconds, max is 900 handler: "clean_up_ami.lambda_handler" # Change this only if the main_file.main_function name is changed runtime: "python3.12" # If the python version changes we need to update this as well keep_backups: 10 
diff --git a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml index d23a1f5ea..aa6b42fae 100644 --- a/roles/aws/aws_ami_asg_cleanup/tasks/main.yml +++ b/roles/aws/aws_ami_asg_cleanup/tasks/main.yml @@ -29,7 +29,13 @@ dest: "{{ _ce_provision_build_dir }}/clean_up_ami.zip" format: zip -- name: Sleep for 30 seconds for IAM before Lambda creation +# Future reference - currently lambda module is not accepting log group +#- amazon.aws.cloudwatchlogs_log_group: +# state: present +# log_group_name: ami_asg_cleanup +# register: _ami_asg_log + +- name: Sleep for 20 seconds for IAM before Lambda creation ansible.builtin.wait_for: timeout: 20 From fe089cda2d1d63539d31b4bdb15df329baf012a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Fri, 3 May 2024 11:33:22 +0200 Subject: [PATCH 117/331] Updating-aws-acl-role (#1626) Co-authored-by: Matej Stajduhar --- roles/aws/aws_acl/README.md | 4 +- roles/aws/aws_acl/defaults/main.yml | 6 +- roles/aws/aws_acl/tasks/bot_control.yml | 133 ++++++++++++++++++++++++ roles/aws/aws_acl/tasks/main.yml | 25 ++++- 4 files changed, 161 insertions(+), 7 deletions(-) create mode 100644 roles/aws/aws_acl/tasks/bot_control.yml diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index e61200e38..65b4ba7fb 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -12,9 +12,11 @@ rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many aws_acl: name: example_master_acl scope: CLOUDFRONT # Can be REGIONAL for ALBs - region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped tags: {} + botControl: true + inspection: "COMMON" # or set to TARGETED inspection level + ip_allow: name: "Allowed-ips" list: [] diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index a674711db..d75377a55 100644 
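Review bot: in the new `aws_ami_asg_cleanup/README.md` hunk, "Creates an scheduler and lambda function to remove old AMIs" should read "Creates a scheduler and Lambda function to remove old AMIs."; the README should also say how `keep_backups: 10` is applied (per ASG, per launch template, or per account), since that is what decides which AMIs get deleted.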
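Review bot: in the `aws_ami_asg_cleanup/tasks/main.yml` hunk `@@ -29,7 +29,13 @@`, the fixed `wait_for` sleep for IAM propagation is a race rather than a fix (the task name and the 20-second timeout only now agree); prefer `retries`/`until` on the Lambda creation task so it succeeds as soon as the role is usable and fails loudly otherwise. On the commented-out `cloudwatchlogs_log_group` block: creating the group explicitly is also what lets you set `retention_in_days`; when Lambda auto-creates the group, its retention is "never expire".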
--- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml @@ -3,9 +3,11 @@ rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many aws_acl: name: example_master_acl scope: CLOUDFRONT # Can be REGIONAL for ALBs - region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped tags: {} + botControl: true + inspection: "COMMON" # or set to TARGETED inspection level + ip_allow: name: "Allowed-ips" list: [] @@ -24,4 +26,4 @@ aws_acl: #- BY # Belarus #- CN # China #- IR # Iran - #- SA # Saudi Arabia \ No newline at end of file + #- SA # Saudi Arabia diff --git a/roles/aws/aws_acl/tasks/bot_control.yml b/roles/aws/aws_acl/tasks/bot_control.yml new file mode 100644 index 000000000..a3c86dda2 --- /dev/null +++ b/roles/aws/aws_acl/tasks/bot_control.yml 
@@ -0,0 +1,133 @@ +- name: Define empty action rule list + ansible.builtin.set_fact: + _action_rules: [] + +- name: Define variables for COMMON inspection. + block: + - name: Set action rule common. + ansible.builtin.set_fact: + _action_rules_common: + - name: "CategoryAdvertising" + action_to_use: + block: {} + - name: "CategoryArchiver" + action_to_use: + block: {} + - name: "CategoryContentFetcher" + action_to_use: + block: {} + - name: "CategoryEmailClient" + action_to_use: + block: {} + - name: "CategoryHttpLibrary" + action_to_use: + block: {} + - name: "CategoryLinkChecker" + action_to_use: + block: {} + - name: "CategoryMiscellaneous" + action_to_use: + block: {} + - name: "CategoryMonitoring" + action_to_use: + block: {} + - name: "CategoryScrapingFramework" + action_to_use: + block: {} + - name: "CategorySearchEngine" + action_to_use: + block: {} + - name: "CategorySecurity" + action_to_use: + block: {} + - name: "CategorySeo" + action_to_use: + block: {} + - name: "CategorySocialMedia" + action_to_use: + block: {} + - name: "CategoryAI" + action_to_use: + block: {} + - name: "SignalAutomatedBrowser" + action_to_use: + block: {} + - name: "SignalKnownBotDataCenter" + action_to_use: + block: {} + - name: "SignalNonBrowserUserAgent" + action_to_use: + block: {} + + - name: Define empty action rule list + ansible.builtin.set_fact: + _action_rules: "{{ _action_rules | default([]) + _action_rules_common }}" + + - name: Define common config + ansible.builtin.set_fact: + _rule_config: + - a_w_s_managed_rules_bot_control_rule_set: + inspection_level: "COMMON" + +- name: Define rule actions targeted + when: aws_acl.inspection == "TARGETED" + block: + - name: Define targeted actions + ansible.builtin.set_fact: + _action_rules_tgt: + - name: "TGT_VolumetricIpTokenAbsent" + action_to_use: + block: {} + - name: "TGT_VolumetricSession" + action_to_use: + block: {} + - name: "TGT_SignalAutomatedBrowser" + action_to_use: + block: {} + - name: 
"TGT_SignalBrowserInconsistency" + action_to_use: + block: {} + - name: "TGT_TokenReuseIp" + action_to_use: + block: {} + - name: "TGT_ML_CoordinatedActivityMedium" + action_to_use: + block: {} + - name: "TGT_ML_CoordinatedActivityHigh" + action_to_use: + block: {} + + - name: Define empty action rule list + ansible.builtin.set_fact: + _action_rules: "{{ _action_rules | default([]) + _action_rules_tgt }}" + + - name: Define targeted config + ansible.builtin.set_fact: + _rule_config: + - a_w_s_managed_rules_bot_control_rule_set: + inspection_level: "TARGETED" + enable_machine_learning: true + +- name: Define Bot Control rule. + ansible.builtin.set_fact: + bot_control: + - name: bot_control + priority: 4 +# action: +# block: {} + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: bot_control + statement: + managed_rule_group_statement: + vendor_name: AWS + name: AWSManagedRulesBotControlRuleSet + managed_rule_group_configs: "{{ _rule_config }}" + rule_action_overrides: "{{ _action_rules }}" + +- name: Add rule to list. + ansible.builtin.set_fact: + _acl_rules: "{{ _acl_rules + bot_control}}" diff --git a/roles/aws/aws_acl/tasks/main.yml b/roles/aws/aws_acl/tasks/main.yml index 08968c719..0a75c2a5f 100644 --- a/roles/aws/aws_acl/tasks/main.yml +++ b/roles/aws/aws_acl/tasks/main.yml @@ -2,6 +2,16 @@ ansible.builtin.set_fact: _acl_rules: [] +- name: Define region if scope is REGIONAL. + ansible.builtin.set_fact: + _acl_region: "{{ _aws_region }}" + when: aws_acl.scope == "REGIONAL" + +- name: Define region if scope is CLOUDFRONT. + ansible.builtin.set_fact: + _acl_region: "us-east-1" + when: aws_acl.scope == "CLOUDFRONT" + - name: Set IP block rule. when: - aws_acl.ip_block is defined 
@@ -13,7 +23,7 @@ state: present description: Set of blocked IPs scope: "{{ aws_acl.scope }}" - region: "{{ aws_acl.region }}" + region: "{{ _acl_region }}" ip_address_version: IPV4 addresses: "{{ aws_acl.ip_block.list }}" register: _ip_set_info @@ -48,7 +58,7 @@ state: present description: Set of allowed IPs scope: "{{ aws_acl.scope }}" - region: "{{ aws_acl.region }}" + region: "{{ _acl_region }}" ip_address_version: IPV4 addresses: "{{ aws_acl.ip_allow.list }}" register: _ip_set_info @@ -122,12 +132,19 @@ ansible.builtin.set_fact: _acl_rules: "{{ _acl_rules + rate_rule}}" +- name: Include task Bot Control. + when: + - aws_acl.botControl is defined + - aws_acl.botControl + ansible.builtin.include_tasks: + file: bot_control.yml + - name: Create web acl. community.aws.wafv2_web_acl: name: "{{ aws_acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ description: "WAF protecting the {{ _domain_name }}" scope: "{{ aws_acl.scope }}" - region: "{{ aws_acl.region }}" + region: "{{ _acl_region }}" default_action: Allow # or "Block" sampled_requests: false cloudwatch_metrics: true # or "false" to disable metrics @@ -143,6 +160,6 @@ name: "{{ aws_acl.name }}" scope: REGIONAL state: present - region: "{{ aws_acl.region }}" + region: "{{ _acl_region }}" arn: "{{ _aws_ec2_elb.load_balancer_arn }}" when: _aws_ec2_elb is defined From 5c6c30043f6deac1e719e8ea30dd8b4dc99ce30b Mon Sep 17 00:00:00 2001 
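Review bot: in the `aws_acl` README and `defaults/main.yml` hunks (`@@ -12,9 +12,11 @@` and `@@ -3,9 +3,11 @@`), `botControl: true` as the default enables the AWS WAF Bot Control managed rule group for every ACL built by this role, and Bot Control is billed separately from standard WAF rules; make it opt-in (`false`) or call out the cost in the README. Also `botControl` is the only camelCase key in the role; rename it `bot_control` to match the others.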
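Review bot: in the new `bot_control.yml` hunk, every category rule (including `CategorySearchEngine`, `CategoryMonitoring` and `CategorySecurity`) and every `TGT_` rule is overridden to `block` with no way to select `count`; make the action a variable so a first deployment can run in count mode, observe the sampled requests and metrics the `visibility_config` already enables, and then switch to block. Hard-blocking `TGT_ML_CoordinatedActivityMedium`/`High` from day one is the most likely source of false positives. Style: three tasks named "Define empty action rule list" actually append to the list, and `priority: 4` is hard-coded without checking the priorities used by the other rules in `main.yml`.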
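Review bot: in the `aws_acl/tasks/main.yml` hunk `@@ -2,6 +2,16 @@`, `_acl_region` is set only when `aws_acl.scope` is exactly `REGIONAL` or `CLOUDFRONT`; any other value (or lower-case spelling) leaves it undefined and the first `wafv2_ip_set` call fails with an undefined-variable error. Add an `ansible.builtin.assert` that `aws_acl.scope in ['REGIONAL', 'CLOUDFRONT']` at the top of the file so the failure message names the actual problem.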
From: Greg Harvey Date: Mon, 6 May 2024 17:29:12 +0200 Subject: [PATCH 118/331] Apt repo role pr 2.x (#1620) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. --- docs/_Sidebar.md | 2 + docs/roles/aws/aws_ami_asg_cleanup.md | 20 ++++++++ docs/roles/debian/apt_repository.md | 45 ++++++++++++++++++ docs/roles/debian/mysql_server_oracle_ce.md | 9 ++-- roles/_exit/tasks/main.yml | 6 +++ roles/aws/aws_ami_asg_cleanup/README.md | 1 + roles/debian/ansible/tasks/main.yml | 3 +- roles/debian/apt_repository/README.md | 45 ++++++++++++++++++ roles/debian/apt_repository/defaults/main.yml | 16 +++++++ roles/debian/apt_repository/tasks/main.yml | 46 +++++++++++++++++++ .../apt_repository/templates/refresh_key.j2 | 14 ++++++ .../mysql_server_mariadb/defaults/main.yml | 5 +- .../templates/mysql_dev.cnf.j2 | 2 +- roles/debian/mysql_server_oracle_ce/README.md | 9 ++-- .../mysql_server_oracle_ce/defaults/main.yml | 7 +-- .../mysql_server_oracle_ce/tasks/main.yml | 33 +++++++------ .../templates/mysql.pref.j2 | 2 +- .../templates/mysql_dev.cnf.j2 | 9 ++-- .../templates/startup.sh.j2 | 2 +- 19 files changed, 238 insertions(+), 38 deletions(-) create mode 100644 docs/roles/aws/aws_ami_asg_cleanup.md create mode 100644 docs/roles/debian/apt_repository.md create mode 100644 roles/debian/apt_repository/README.md create mode 100644 roles/debian/apt_repository/defaults/main.yml create mode 100644 roles/debian/apt_repository/tasks/main.yml create mode 
100644 roles/debian/apt_repository/templates/refresh_key.j2 diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index e65b520cb..a36dc3b05 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -6,6 +6,7 @@ - [AWS Infrastructure](/roles/aws) - [AWS ACL](/roles/aws/aws_acl) - [AWS Certificate Manager](/roles/aws/aws_acm) + - [AWS AMI ASG Cleanup](/roles/aws/aws_ami_asg_cleanup) - [AWS AMI](/roles/aws/aws_ami) - [AWS Backup](/roles/aws/aws_backup) - [AWS CloudFront distribution](/roles/aws/aws_cloudfront_distribution) @@ -34,6 +35,7 @@ - [APACHE](/roles/debian/apache) - [Apparmor](/roles/debian/apparmor) - [Extra packages](/roles/debian/apt_extra_packages) + - [APT Repository](/roles/debian/apt_repository) - [APT Unattended Upgrades](/roles/debian/apt_unattended_upgrades) - [AWS CLI](/roles/debian/aws_cli) - [AWS Cloudwatch agent](/roles/debian/aws_cloudwatch_agent) diff --git a/docs/roles/aws/aws_ami_asg_cleanup.md b/docs/roles/aws/aws_ami_asg_cleanup.md new file mode 100644 index 000000000..9db57fe38 --- /dev/null +++ b/docs/roles/aws/aws_ami_asg_cleanup.md @@ -0,0 +1,20 @@ +# AWS AMI ASG Cleanup +Creates an scheduler and lambda function to remove old AMIs + + + + +## Default variables +```yaml +--- +aws_ami_asg_cleanup: + memory_size: 128 # Memory allocation for Lambda function in MB + timeout: 40 # Time in seconds, max is 900 + handler: "clean_up_ami.lambda_handler" # Change this only if the main_file.main_function name is changed + runtime: "python3.12" # If the python version changes we need to update this as well + keep_backups: 10 + scheduler_cron: "cron(0 16 ? * SUN *)" + +``` + + diff --git a/docs/roles/debian/apt_repository.md b/docs/roles/debian/apt_repository.md new file mode 100644 index 000000000..fc712e315 --- /dev/null +++ b/docs/roles/debian/apt_repository.md 
@@ -0,0 +1,45 @@ +# APT Repository +Role for handling the installation and management of APT repos. Uses the DEB822 format. + +The variables `uris`, `suites` and `components` combine to build an APT repository request, for example these are the variables for the MySQL 8.0 repository: + +```yaml + uris: + - http://repo.mysql.com/apt/debian/ + suites: + - "{{ ansible_distribution_release }}" + components: + - mysql-8.0 +``` + +This example results in APT referring to the following URI on a Debian 11 (bullseye) system: https://repo.mysql.com/apt/debian/dists/bullseye/mysql-8.0/ + +## Installing with key fingerprints +This role does not currently support importing keys from a key server. Since key servers are deprecated, it likely never will. You should either provide an ASCII armored key as a block of text or the URL of a GPG or ASCII armored key. + + + + + +## Default variables +```yaml +--- +apt_repository: + legacy_repo: "" # optionally provide repo string of old list file to clean up, we are creating a new DEB822 format source file + name: example + types: + - deb + uris: + - https://example.com/apt + #signed_by: https://example.com/apt-key.asc # either the path to the key or the key contents + #suites: + # - "{{ ansible_distribution_release }}" + components: + - main + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 00:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + +``` + + diff --git a/docs/roles/debian/mysql_server_oracle_ce.md b/docs/roles/debian/mysql_server_oracle_ce.md index 38ce85292..df5f72332 100644 --- a/docs/roles/debian/mysql_server_oracle_ce.md +++ b/docs/roles/debian/mysql_server_oracle_ce.md 
@@ -2,15 +2,16 @@ -Installs MySQL Server 5.7. +Installs MySQL Server 8.0 by default. ## Default variables ```yaml --- -mysql_long_query_time: 4 -mysql_server_oracle_ce_key: "8C718D3B5072E1F5" # archive key - see https://dev.mysql.com/doc/refman/8.0/en/gpg-key-archived-packages.html -mysql_server_oracle_ce_key_server: keyserver.ubuntu.com +mysql_server: + long_query_time: 4 + apt_signed_by: https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 + apt_repo_version: mysql-8.0 ``` diff --git a/roles/_exit/tasks/main.yml b/roles/_exit/tasks/main.yml index 6f1111af0..d39e7751c 100644 --- a/roles/_exit/tasks/main.yml +++ b/roles/_exit/tasks/main.yml @@ -12,3 +12,9 @@ content: "{{ current_play_dir_md5 }}" dest: "{{ _ce_provision_data_dir }}/{{ current_play_md5_file }}" delegate_to: localhost + +# Tidy up any unneeded APT packages. +- name: Remove dependencies that are no longer required. + ansible.builtin.apt: + autoremove: true + become: true diff --git a/roles/aws/aws_ami_asg_cleanup/README.md b/roles/aws/aws_ami_asg_cleanup/README.md index 47fb1558f..9db57fe38 100644 --- a/roles/aws/aws_ami_asg_cleanup/README.md +++ b/roles/aws/aws_ami_asg_cleanup/README.md @@ -14,6 +14,7 @@ aws_ami_asg_cleanup: runtime: "python3.12" # If the python version changes we need to update this as well keep_backups: 10 scheduler_cron: "cron(0 16 ? * SUN *)" + ``` diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index 7cc09482b..55ddd724d 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml @@ -33,7 +33,7 @@ - python3-venv - cloud-init # package can get removed with python3-yaml but we need it for auto-scale -- name: Install pip and Ansible. +- name: Install pip, python-debian and Ansible. ansible.builtin.include_role: name: debian/python_pip_packages vars: @@ -42,6 +42,7 @@ - name: pip state: latest - name: ansible + - name: python-debian - name: Install linters. ansible.builtin.include_role: 
diff --git a/roles/debian/apt_repository/README.md b/roles/debian/apt_repository/README.md new file mode 100644 index 000000000..fc712e315 --- /dev/null +++ b/roles/debian/apt_repository/README.md @@ -0,0 +1,45 @@ +# APT Repository +Role for handling the installation and management of APT repos. Uses the DEB822 format. + +The variables `uris`, `suites` and `components` combine to build an APT repository request, for example these are the variables for the MySQL 8.0 repository: + +```yaml + uris: + - http://repo.mysql.com/apt/debian/ + suites: + - "{{ ansible_distribution_release }}" + components: + - mysql-8.0 +``` + +This example results in APT referring to the following URI on a Debian 11 (bullseye) system: https://repo.mysql.com/apt/debian/dists/bullseye/mysql-8.0/ + +## Installing with key fingerprints +This role does not currently support importing keys from a key server. Since key servers are deprecated, it likely never will. You should either provide an ASCII armored key as a block of text or the URL of a GPG or ASCII armored key. + + + + + +## Default variables +```yaml +--- +apt_repository: + legacy_repo: "" # optionally provide repo string of old list file to clean up, we are creating a new DEB822 format source file + name: example + types: + - deb + uris: + - https://example.com/apt + #signed_by: https://example.com/apt-key.asc # either the path to the key or the key contents + #suites: + # - "{{ ansible_distribution_release }}" + components: + - main + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 00:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + +``` + + diff --git a/roles/debian/apt_repository/defaults/main.yml b/roles/debian/apt_repository/defaults/main.yml new file mode 100644 index 000000000..36724475a --- /dev/null +++ b/roles/debian/apt_repository/defaults/main.yml 
@@ -0,0 +1,16 @@ +--- +apt_repository: + legacy_repo: "" # optionally provide repo string of old list file to clean up, we are creating a new DEB822 format source file + name: example + types: + - deb + uris: + - https://example.com/apt + #signed_by: https://example.com/apt-key.asc # either the path to the key or the key contents + #suites: + # - "{{ ansible_distribution_release }}" + components: + - main + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 00:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events diff --git a/roles/debian/apt_repository/tasks/main.yml b/roles/debian/apt_repository/tasks/main.yml new file mode 100644 index 000000000..3512ccc95 --- /dev/null +++ b/roles/debian/apt_repository/tasks/main.yml 
@@ -0,0 +1,46 @@ +--- +- name: Remove legacy repository from sources list. + ansible.builtin.apt_repository: + repo: "{{ apt_repository.legacy_repo }}" + state: absent + when: apt_repository.legacy_repo | length > 0 + +# See https://docs.ansible.com/ansible/latest/collections/ansible/builtin/deb822_repository_module.html +- name: Add APT repository in DEB822 format. + ansible.builtin.deb822_repository: + name: "{{ apt_repository.name }}" + types: "{{ apt_repository.types }}" + uris: "{{ apt_repository.uris }}" + signed_by: "{{ apt_repository.signed_by | default(omit) }}" + suites: "{{ apt_repository.suites | default(omit) }}" + components: "{{ apt_repository.components }}" + state: "{{ apt_repository.state }}" + enabled: "{{ apt_repository.enabled }}" + register: _apt_repository + +- name: Install systemd timer to renew the key every week. + when: + - apt_repository.signed_by is defined + - apt_repository.signed_by | length > 0 + - apt_repository.signed_by is url # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/url_test.html + block: + - name: Create script to refresh APT repository key. + ansible.builtin.template: + src: "refresh_key.j2" + dest: "/usr/local/bin/{{ apt_repository.name }}_key_refresh" + owner: root + group: root + mode: "0755" + + - name: Set up a systemd timer to refresh APT repository key. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + mysql_apt_key_refresh: + timer_command: "/usr/local/bin/{{ apt_repository.name }}_key_refresh" + timer_OnCalendar: "{{ apt_repository.key_refresh_timer_OnCalendar }}" + +- name: Update the APT cache. + ansible.builtin.apt: + update_cache: true diff --git a/roles/debian/apt_repository/templates/refresh_key.j2 b/roles/debian/apt_repository/templates/refresh_key.j2 new file mode 100644 index 000000000..2093dfd3d --- /dev/null +++ b/roles/debian/apt_repository/templates/refresh_key.j2 
@@ -0,0 +1,14 @@ +#!/bin/bash + +# Ansible managed +# Simple bash script to download the APT repository public key and replace the existing one. + +cd $(mktemp -d) +curl -fsS -o key.tmp "{{ apt_repository.signed_by }}" + +sudo install -D -o root -g root -m 644 key.tmp {{ _apt_repository.key_filename }} + +rm -r $(pwd) +cd - > /dev/null + +apt-get update -y diff --git a/roles/debian/mysql_server_mariadb/defaults/main.yml b/roles/debian/mysql_server_mariadb/defaults/main.yml index 67c066cf6..1df594dc5 100644 --- a/roles/debian/mysql_server_mariadb/defaults/main.yml +++ b/roles/debian/mysql_server_mariadb/defaults/main.yml @@ -1,4 +1,3 @@ --- -mysql_long_query_time: 4 -mysql_server_oracle_ce_key: "8C718D3B5072E1F5" # archive key - see https://dev.mysql.com/doc/refman/8.0/en/gpg-key-archived-packages.html -mysql_server_oracle_ce_key_server: pgp.mit.edu \ No newline at end of file +mysql_server: + long_query_time: 4 diff --git a/roles/debian/mysql_server_mariadb/templates/mysql_dev.cnf.j2 b/roles/debian/mysql_server_mariadb/templates/mysql_dev.cnf.j2 index 66d4dd334..3b55b82dd 100644 --- a/roles/debian/mysql_server_mariadb/templates/mysql_dev.cnf.j2 +++ b/roles/debian/mysql_server_mariadb/templates/mysql_dev.cnf.j2 @@ -7,7 +7,7 @@ slow_query_log_file = /var/log/mysql/slow-query.log log_slow_admin_statements = 1 general_log = 1 log_queries_not_using_indexes = 1 -long_query_time = {{ mysql_long_query_time }} +long_query_time = {{ mysql_server.long_query_time }} skip-host-cache skip-name-resolve key_buffer_size = 128M diff --git a/roles/debian/mysql_server_oracle_ce/README.md b/roles/debian/mysql_server_oracle_ce/README.md index 38ce85292..df5f72332 100644 --- a/roles/debian/mysql_server_oracle_ce/README.md +++ b/roles/debian/mysql_server_oracle_ce/README.md 
@@ -2,15 +2,16 @@ -Installs MySQL Server 5.7. +Installs MySQL Server 8.0 by default. ## Default variables ```yaml --- -mysql_long_query_time: 4 -mysql_server_oracle_ce_key: "8C718D3B5072E1F5" # archive key - see https://dev.mysql.com/doc/refman/8.0/en/gpg-key-archived-packages.html -mysql_server_oracle_ce_key_server: keyserver.ubuntu.com +mysql_server: + long_query_time: 4 + apt_signed_by: https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 + apt_repo_version: mysql-8.0 ``` diff --git a/roles/debian/mysql_server_oracle_ce/defaults/main.yml b/roles/debian/mysql_server_oracle_ce/defaults/main.yml index e2c7fac86..eb1baaf4f 100644 --- a/roles/debian/mysql_server_oracle_ce/defaults/main.yml +++ b/roles/debian/mysql_server_oracle_ce/defaults/main.yml @@ -1,4 +1,5 @@ --- -mysql_long_query_time: 4 -mysql_server_oracle_ce_key: "8C718D3B5072E1F5" # archive key - see https://dev.mysql.com/doc/refman/8.0/en/gpg-key-archived-packages.html -mysql_server_oracle_ce_key_server: keyserver.ubuntu.com +mysql_server: + long_query_time: 4 + apt_signed_by: https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 + apt_repo_version: mysql-8.0 diff --git a/roles/debian/mysql_server_oracle_ce/tasks/main.yml b/roles/debian/mysql_server_oracle_ce/tasks/main.yml index 46919421b..558b3201b 100644 --- a/roles/debian/mysql_server_oracle_ce/tasks/main.yml +++ b/roles/debian/mysql_server_oracle_ce/tasks/main.yml 
@@ -1,20 +1,25 @@ --- #@todo Configuration is for dev. -- name: Add repository key for MySQL repository using wget and apt-key - ansible.builtin.shell: "set -o pipefail && wget -q -O - https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 | apt-key add -" - args: - executable: /bin/bash - -- name: Add repository for MySQL. - ansible.builtin.apt_repository: - repo: "deb http://repo.mysql.com/apt/debian/ {{ ansible_distribution_release }} mysql-8.0" - state: present - -- name: Add source repository for MySQL. - ansible.builtin.apt_repository: - repo: "deb-src http://repo.mysql.com/apt/debian/ {{ ansible_distribution_release }} mysql-8.0" - state: present +- name: Add MySQL repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb http://repo.mysql.com/apt/debian/ {{ ansible_distribution_release }} {{ mysql_server.apt_repo_version }}" + name: mysql + types: + - deb + - deb-src + uris: + - http://repo.mysql.com/apt/debian/ + signed_by: "{{ mysql_server.apt_signed_by }}" + suites: "{{ ansible_distribution_release }}" + components: + - "{{ mysql_server.apt_repo_version }}" + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 00:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events - name: Pin MySQL packages. ansible.builtin.template: diff --git a/roles/debian/mysql_server_oracle_ce/templates/mysql.pref.j2 b/roles/debian/mysql_server_oracle_ce/templates/mysql.pref.j2 index 69c7d396c..a6a252061 100644 --- a/roles/debian/mysql_server_oracle_ce/templates/mysql.pref.j2 +++ b/roles/debian/mysql_server_oracle_ce/templates/mysql.pref.j2 @@ -1,3 +1,3 @@ Package: * Pin: origin repo.mysql.com -Pin-Priority: 1001 \ No newline at end of file +Pin-Priority: 1001 
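Review bot: in roles/debian/apt_repository/tasks/main.yml the systemd timer is registered under the fixed key `mysql_apt_key_refresh`, although the role is generic and the script path is already derived from `apt_repository.name`. Every repository that includes this role with a URL key will overwrite the same timer, so only the last repository's key keeps being refreshed; key the timer on the name as well, e.g. `"{{ apt_repository.name }}_apt_key_refresh":` under `timers:`.

Review bot: refresh_key.j2 has no `set -e`, so when `curl -fsS` fails the script carries on: `install` fails on the missing key.tmp and `apt-get update -y` still runs. It also installs whatever the URL returned without checking that it is a PGP public key, so an HTML error page served with a 200 status would replace the working keyring until the next timer run. Suggest `set -euo pipefail` at the top and a `gpg --show-keys key.tmp` check before the `install` line; the `sudo` in a script that already needs root to write the keyring is worth a second look too.

Review bot: in roles/debian/mysql_server_oracle_ce/tasks/main.yml the `legacy_repo` cleanup removes only the old `deb` line, while the tasks being deleted also wrote a `deb-src` line and imported the key globally with `apt-key add -`. Neither is removed, so hosts provisioned with the old role keep a stale deb-src entry and a MySQL key in the global trusted keyring that is valid for every repository, which undoes the benefit of moving to `signed_by`. Suggest a second `ansible.builtin.apt_repository` with `state: absent` for the `deb-src` string and an `ansible.builtin.apt_key` removal of the previously imported key.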
diff --git a/roles/debian/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 b/roles/debian/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 index 11bbe6ac8..5f160cf02 100644 --- a/roles/debian/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 +++ b/roles/debian/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 @@ -2,13 +2,13 @@ bind-address = 0.0.0.0 character_set_server = utf8 collation_server = utf8_general_ci -log_syslog = 1 +log_error_services = 'log_filter_internal; log_sink_syseventlog' # change to log_syslog = 1 for MySQL 5.7 and lower slow_query_log = 1 slow_query_log_file = /var/log/mysql/slow-query.log log_slow_admin_statements = 1 general_log = 1 log_queries_not_using_indexes = 1 -long_query_time = {{ mysql_long_query_time }} +long_query_time = {{ mysql_server.long_query_time }} skip-host-cache skip-name-resolve key_buffer_size = 128M @@ -23,9 +23,6 @@ max_connections = 300 open_files_limit= 2000 tmp_table_size= 128M max_heap_table_size = 128M -query_cache_size= 1G -query_cache_limit = 128M -query_cache_type= 1 join_buffer_size = 512M sql_mode = NO_ENGINE_SUBSTITUTION innodb_buffer_pool_size= 512M @@ -36,4 +33,4 @@ innodb_io_capacity = 400 innodb_file_per_table= 1 innodb_flush_log_at_trx_commit = 1 sync_binlog= 100 -innodb_stats_on_metadata = 0 \ No newline at end of file +innodb_stats_on_metadata = 0 diff --git a/roles/debian/mysql_server_oracle_ce/templates/startup.sh.j2 b/roles/debian/mysql_server_oracle_ce/templates/startup.sh.j2 index b6bb4617e..8a4612626 100644 --- a/roles/debian/mysql_server_oracle_ce/templates/startup.sh.j2 +++ b/roles/debian/mysql_server_oracle_ce/templates/startup.sh.j2 @@ -19,4 +19,4 @@ chmod -R 777 /run/mysqld touch /var/lib/mysql find /var/lib/mysql -exec touch -c {} + -/usr/sbin/service mysql start \ No newline at end of file +/usr/sbin/service mysql start From d6924b260f09e13e0a0987a554d7766f97d750e5 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Tue, 7 May 2024 17:08:34 +0200 Subject: [PATCH 119/331] Apt repo role pr 2.x (#1631) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. 
--- docs/_Sidebar.md | 4 +- docs/roles/debian/apt_repository.md | 6 +- docs/roles/debian/docker_ce.md | 15 ++ docs/roles/debian/docker_registry.md | 19 ++ docs/roles/debian/gitlab.md | 1 + docs/roles/debian/gitlab_runner.md | 1 + docs/roles/debian/jenkins.md | 1 + docs/roles/debian/jitsi.md | 1 + docs/roles/debian/lhci.md | 1 + docs/roles/debian/mysql_server_oracle_ce.md | 3 +- docs/roles/debian/nodejs.md | 2 + docs/roles/debian/ossec.md | 174 ------------------ docs/roles/debian/pam_linotp.md | 19 ++ docs/roles/debian/php-common.md | 1 + docs/roles/debian/python_common.md | 2 + .../debian/apt_extra_packages/tasks/main.yml | 5 + roles/debian/apt_repository/README.md | 6 +- roles/debian/apt_repository/defaults/main.yml | 6 +- roles/debian/apt_repository/tasks/main.yml | 45 ++++- .../apt_repository/templates/refresh_key.j2 | 2 +- roles/debian/docker_ce/README.md | 15 ++ roles/debian/docker_ce/defaults/main.yml | 5 + roles/debian/docker_ce/tasks/main.yml | 58 ++++-- roles/debian/docker_compose/defaults/main.yml | 3 - roles/debian/docker_compose/meta/main.yml | 3 - roles/debian/docker_compose/tasks/main.yml | 6 - roles/debian/docker_registry/README.md | 19 ++ .../debian/docker_registry/defaults/main.yml | 3 +- roles/debian/docker_registry/meta/main.yml | 2 +- .../templates/docker-compose.yml.j2 | 4 +- roles/debian/gitlab/README.md | 1 + roles/debian/gitlab/defaults/main.yml | 1 + roles/debian/gitlab/tasks/main.yml | 41 +++-- roles/debian/gitlab_runner/README.md | 1 + roles/debian/gitlab_runner/defaults/main.yml | 1 + roles/debian/gitlab_runner/tasks/main.yml | 41 +++-- roles/debian/jenkins/README.md | 1 + roles/debian/jenkins/defaults/main.yml | 1 + roles/debian/jenkins/tasks/main.yml | 31 ++-- .../templates/jenkins-cert-renewal.sh.j2 | 2 +- roles/debian/jitsi/README.md | 1 + roles/debian/jitsi/defaults/main.yml | 1 + roles/debian/jitsi/tasks/main.yml | 28 ++- roles/debian/lhci/README.md | 1 + roles/debian/lhci/defaults/main.yml | 1 + roles/debian/lhci/tasks/main.yml | 
28 ++- roles/debian/mysql_server_oracle_ce/README.md | 3 +- .../mysql_server_oracle_ce/defaults/main.yml | 3 +- .../mysql_server_oracle_ce/tasks/main.yml | 24 ++- roles/debian/nodejs/README.md | 2 + roles/debian/nodejs/defaults/main.yml | 2 + roles/debian/nodejs/tasks/main.yml | 68 ++++--- roles/debian/openjdk/defaults/main.yml | 2 +- roles/debian/ossec/README.md | 174 ------------------ roles/debian/ossec/defaults/main.yml | 162 ---------------- roles/debian/ossec/files/local_rules.xml | 57 ------ .../debian/ossec/files/ossec-client-logrotate | 10 - roles/debian/ossec/handlers/main.yml | 14 -- roles/debian/ossec/tasks/main.yml | 29 --- roles/debian/ossec/tasks/ossec-client.yml | 27 --- roles/debian/ossec/tasks/ossec-server.yml | 56 ------ roles/debian/ossec/templates/authd.pass.j2 | 1 - roles/debian/ossec/templates/ossec.conf.j2 | 106 ----------- .../debian/ossec/templates/ossec_watchdog.j2 | 17 -- roles/debian/pam_linotp/README.md | 19 ++ roles/debian/pam_linotp/defaults/main.yml | 1 + roles/debian/pam_linotp/tasks/main.yml | 28 ++- roles/debian/php-common/README.md | 1 + roles/debian/php-common/defaults/main.yml | 1 + roles/debian/php-common/tasks/main.yml | 30 +-- roles/debian/php_blackfire/defaults/main.yml | 1 + roles/debian/php_blackfire/tasks/main.yml | 28 ++- roles/debian/python_common/README.md | 2 + roles/debian/python_common/defaults/main.yml | 3 +- 74 files changed, 492 insertions(+), 992 deletions(-) create mode 100644 docs/roles/debian/docker_ce.md create mode 100644 docs/roles/debian/docker_registry.md delete mode 100644 docs/roles/debian/ossec.md create mode 100644 docs/roles/debian/pam_linotp.md create mode 100644 roles/debian/docker_ce/README.md create mode 100644 roles/debian/docker_ce/defaults/main.yml delete mode 100644 roles/debian/docker_compose/defaults/main.yml delete mode 100644 roles/debian/docker_compose/meta/main.yml delete mode 100644 roles/debian/docker_compose/tasks/main.yml create mode 100644 roles/debian/docker_registry/README.md 
delete mode 100644 roles/debian/ossec/README.md delete mode 100644 roles/debian/ossec/defaults/main.yml delete mode 100644 roles/debian/ossec/files/local_rules.xml delete mode 100644 roles/debian/ossec/files/ossec-client-logrotate delete mode 100644 roles/debian/ossec/handlers/main.yml delete mode 100644 roles/debian/ossec/tasks/main.yml delete mode 100644 roles/debian/ossec/tasks/ossec-client.yml delete mode 100644 roles/debian/ossec/tasks/ossec-server.yml delete mode 100644 roles/debian/ossec/templates/authd.pass.j2 delete mode 100644 roles/debian/ossec/templates/ossec.conf.j2 delete mode 100644 roles/debian/ossec/templates/ossec_watchdog.j2 create mode 100644 roles/debian/pam_linotp/README.md diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index a36dc3b05..6386f333b 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -46,6 +46,8 @@ - [Automated patching](/roles/debian/ce_patcher) - [ce-provision](/roles/debian/ce_provision) - [ClamAV](/roles/debian/clamav) + - [Docker CE](/roles/debian/docker_ce) + - [Docker Registry](/roles/debian/docker_registry) - [Duplicity](/roles/debian/duplicity) - [Firewall Config](/roles/debian/firewall_config) - [Frontail](/roles/debian/frontail) @@ -65,8 +67,8 @@ - [NGINX](/roles/debian/nginx) - [NodeJS](/roles/debian/nodejs) - [OpenVPN](/roles/debian/openvpn) - - [OSSEC](/roles/debian/ossec) - [Packer](/roles/debian/packer) + - [PAM LinOTP](/roles/debian/pam_linotp) - [PHP terminal client](/roles/debian/php-cli) - [PHP common components](/roles/debian/php-common) - [PHP Composer](/roles/debian/php_composer) diff --git a/docs/roles/debian/apt_repository.md b/docs/roles/debian/apt_repository.md index fc712e315..bbe891595 100644 --- a/docs/roles/debian/apt_repository.md +++ b/docs/roles/debian/apt_repository.md 
@@ -26,14 +26,16 @@ This role does not currently support importing keys from a key server. Since key --- apt_repository: legacy_repo: "" # optionally provide repo string of old list file to clean up, we are creating a new DEB822 format source file + format: deb822 # can be either deb822 or list for legacy repos + #list_repo_string: "http://pkg.jenkins.io/debian binary/" # if `format: list` is set we can override the auto-generated repo string here name: example types: - deb uris: - https://example.com/apt #signed_by: https://example.com/apt-key.asc # either the path to the key or the key contents - #suites: - # - "{{ ansible_distribution_release }}" + suites: + - "{{ ansible_distribution_release }}" components: - main state: present diff --git a/docs/roles/debian/docker_ce.md b/docs/roles/debian/docker_ce.md new file mode 100644 index 000000000..f72e9b992 --- /dev/null +++ b/docs/roles/debian/docker_ce.md @@ -0,0 +1,15 @@ +# Docker CE +Installs Docker Engine community edition and related tools. Will install the Docker Compose plugin by default. + + +## Default variables +```yaml +--- +docker_ce: + apt_origin: "origin=download.docker.com/linux,codename=${distro_codename},label=docker-ce" # used by apt_unattended_upgrades + apt_signed_by: https://download.docker.com/linux/debian/gpg + docker_compose: true + +``` + + diff --git a/docs/roles/debian/docker_registry.md b/docs/roles/debian/docker_registry.md new file mode 100644 index 000000000..6aaaabce1 --- /dev/null +++ b/docs/roles/debian/docker_registry.md 
@@ -0,0 +1,19 @@ +# Docker Registry +Provides a local Docker registry, predominantly used by [`ce-dev`](https://github.com/codeenigma/ce-dev/) and the `push` and `pull` commands, but can be used to create a Docker registry on any target host. It uses the official Docker registry image to spin up a container on the target host which hosts the registry. The provided `docker-compose.yml.j2` template can be overridden to provide an alternative Docker Compose service configuration. + + +## Default variables +```yaml +--- +docker_registry: + bind: 127.0.0.1 + port: 5000 + image_version: "2.8.3" # see https://hub.docker.com/_/registry + # Whether it is behind an Nginx proxy (for auth). + proxy: false +nginx: + client_max_body_size: 0 + +``` + + diff --git a/docs/roles/debian/gitlab.md b/docs/roles/debian/gitlab.md index 8db966602..c02282fd2 100644 --- a/docs/roles/debian/gitlab.md +++ b/docs/roles/debian/gitlab.md @@ -22,6 +22,7 @@ ldap_client: gitlab: apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades + apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey server_name: "gitlab.{{ _domain_name }}" # Add a record for GitLab in AWS Route 53 # If you use the aws_ec2_with_eip role to create your server this will not be necessary diff --git a/docs/roles/debian/gitlab_runner.md b/docs/roles/debian/gitlab_runner.md index 10829036f..2804320b5 100644 --- a/docs/roles/debian/gitlab_runner.md +++ b/docs/roles/debian/gitlab_runner.md @@ -13,6 +13,7 @@ If you want to use AWS ECS with Fargate for orchestrating CI containers then set --- gitlab_runner: apt_origin: "origin=packages.gitlab.com/runner/gitlab-runner,codename=${distro_codename},label=gitlab-runner" # used by apt_unattended_upgrades + apt_signed_by: https://packages.gitlab.com/runner/gitlab-runner/gpgkey concurrent_jobs: 10 check_interval: 0 session_timeout: 1800 
diff --git a/docs/roles/debian/jenkins.md b/docs/roles/debian/jenkins.md index c4bc917dc..4fca080e8 100644 --- a/docs/roles/debian/jenkins.md +++ b/docs/roles/debian/jenkins.md @@ -15,6 +15,7 @@ ldap_client: bindpw: "" jenkins: + apt_signed_by: https://pkg.jenkins.io/debian/jenkins.io.key server_name: "jenkins.{{ _domain_name }}" ssl_handling: "ssl_selfsigned" listen_http_port: -1 diff --git a/docs/roles/debian/jitsi.md b/docs/roles/debian/jitsi.md index c6b927e9b..9ccafba12 100644 --- a/docs/roles/debian/jitsi.md +++ b/docs/roles/debian/jitsi.md @@ -7,6 +7,7 @@ Installs the Jitsi Meet video conferencing product. See https://jitsi.github.io/ ```yaml --- jitsi: + apt_signed_by: https://download.jitsi.org/jitsi-key.gpg.key server_name: "{{ _domain_name }}" email: admin@example.com ``` diff --git a/docs/roles/debian/lhci.md b/docs/roles/debian/lhci.md index 02dc6d181..3d1b3aad6 100644 --- a/docs/roles/debian/lhci.md +++ b/docs/roles/debian/lhci.md @@ -42,6 +42,7 @@ Note, this is not protected and should not be enabled in general. See also the c ```yaml --- lhci: + apt_signed_by: https://dl-ssl.google.com/linux/linux_signing_key.pub enable_vnc: false chrome_package: google-chrome-stable # optionally set specific version, e.g. google-chrome-stable=112.0.5615.165-1 # Optional npm version handling. diff --git a/docs/roles/debian/mysql_server_oracle_ce.md b/docs/roles/debian/mysql_server_oracle_ce.md index df5f72332..40fad3f72 100644 --- a/docs/roles/debian/mysql_server_oracle_ce.md +++ b/docs/roles/debian/mysql_server_oracle_ce.md @@ -9,9 +9,10 @@ Installs MySQL Server 8.0 by default. ```yaml --- mysql_server: - long_query_time: 4 + apt_origin: "origin=repo.mysql.com/apt,codename=${distro_codename},label=mysql" # used by apt_unattended_upgrades apt_signed_by: https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 apt_repo_version: mysql-8.0 + long_query_time: 4 ``` diff --git a/docs/roles/debian/nodejs.md b/docs/roles/debian/nodejs.md index e1fbf2181..1931faa13 100644 
--- a/docs/roles/debian/nodejs.md +++ b/docs/roles/debian/nodejs.md @@ -9,7 +9,9 @@ Installs NodeJS from official repos. nodejs: # Used by apt_unattended_upgrades apt_origin_nodejs: "origin=Node Source,codename=${distro_codename},label=Node Source" # nodejs repo + apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo + apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg version: 18.x # LTS - see https://nodejs.dev/en/about/releases/ npm_packages: [] #npm_packages: diff --git a/docs/roles/debian/ossec.md b/docs/roles/debian/ossec.md deleted file mode 100644 index 30d418e5d..000000000 --- a/docs/roles/debian/ossec.md +++ /dev/null 
@@ -1,174 +0,0 @@ -# OSSEC -The ossec role is used to install ossec server or client. - - - - -## Default variables -```yaml ---- -# defaults file for ossec - -ossec: - client: true - serverip: "123.123.123.123" - #auth_password should be 32 chars, lowercase letters and numbers, no symbols - auth_password: "xxx" - - global: - email_notification: "yes" - email_to: "admin@example.com" - smtp_server: "mail.google.com" - email_from: "admin@example.com" - white_list: - - "8.8.8.8" - - "4.4.4.4" - alerts: - log_alert_level: 1 - email_alert_level: 7 - - email_alerts: - email_to: "admin@example.com" - level: 14 - - ssl: - domain: "ossec.example.com" - handling: "selfsigned" - replace_existing: false - - syscheck: - frequency: 79200 - directories: - - /etc - - /usr/bin - - /usr/sbin - - /bin - - /sbin - ignore: - - /etc/mtab - - /etc/mnttab - - /etc/hosts.deny - - /etc/mail/statistics - - /etc/random-seed - - /etc/adjtime - - /etc/httpd/logs - - /etc/utmpx - - /etc/wtmpx - - /etc/cups/certs - - /etc/dumpdates - - /etc/svc/volatile - - /etc/puppet - - /etc/resolv.conf - - /etc/hybserv - - rootcheck: - disabled: "no" - rootkit_files: - - /var/ossec/etc/shared/rootkit_files.txt - rootkit_trojans: - - /var/ossec/etc/shared/rootkit_trojans.txt - system_audit: - - /var/ossec/etc/shared/system_audit_rcl.txt - - /var/ossec/etc/shared/cis_debian_linux_rcl.txt - - /var/ossec/etc/shared/cis_rhel_linux_rcl.txt - - /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt - - command: - - name: "firewall-drop" - executable: "firewall-drop.sh" - expect: "srcip" - timeout_allowed: "yes" - - activeresponse: - - disabled: "no" - command: "firewall-drop" - location: "all" - rules_id: "31151,5712,104130,101071,101132,101238,101251,103011" - repeated_offenders: "30,60,120" - timeout: "600" - - disabled: "no" - command: "firewall-drop" - location: "all" - rules_id: "100205" - repeated_offenders: "30,60,120" - timeout: "3600" - - remote: - connection: - - syslog - - secure - - localfile: - - { log_format: 
"syslog", location: "/var/log/messages" } - - { log_format: "syslog", location: "/var/log/auth.log" } - - { log_format: "syslog", location: "/var/log/syslog" } - - { log_format: "syslog", location: "/var/log/mail.info" } - - { log_format: "syslog", location: "/var/log/dpkg.log" } - - rules: - - rules_config.xml - - pam_rules.xml - - sshd_rules.xml - - telnetd_rules.xml - - syslog_rules.xml - - arpwatch_rules.xml - - symantec-av_rules.xml - - symantec-ws_rules.xml - - pix_rules.xml - - named_rules.xml - - smbd_rules.xml - - vsftpd_rules.xml - - proftpd_rules.xml - - ms_ftpd_rules.xml - - ftpd_rules.xml - - hordeimp_rules.xml - - roundcube_rules.xml - - wordpress_rules.xml - - cimserver_rules.xml - - vpopmail_rules.xml - - vmpop3d_rules.xml - - courier_rules.xml - - web_rules.xml - - web_appsec_rules.xml - - apache_rules.xml - - nginx_rules.xml - - php_rules.xml - - mysql_rules.xml - - postgresql_rules.xml - - ids_rules.xml - - squid_rules.xml - - firewall_rules.xml - - cisco-ios_rules.xml - - netscreenfw_rules.xml - - sonicwall_rules.xml - - postfix_rules.xml - - sendmail_rules.xml - - imapd_rules.xml - - mailscanner_rules.xml - - dovecot_rules.xml - - ms-exchange_rules.xml - - racoon_rules.xml - - vpn_concentrator_rules.xml - - spamd_rules.xml - - msauth_rules.xml - - mcafee_av_rules.xml - - trend-osce_rules.xml - - ms-se_rules.xml - - zeus_rules.xml - - solaris_bsm_rules.xml - - vmware_rules.xml - - ms_dhcp_rules.xml - - asterisk_rules.xml - - ossec_rules.xml - - attack_rules.xml - - openbsd_rules.xml - - clam_av_rules.xml - - dropbear_rules.xml - # - customer1_rules.xml - # - customer2_rules.xml - # - customerN_rules.xml - - local_rules.xml - -``` - - diff --git a/docs/roles/debian/pam_linotp.md b/docs/roles/debian/pam_linotp.md new file mode 100644 index 000000000..a041b09e5 --- /dev/null +++ b/docs/roles/debian/pam_linotp.md 
@@ -0,0 +1,19 @@ +# PAM LinOTP +Authentication module for integrating PAM logins with LinOTP second factor of authentication. We package this from source ourselves, as [LinOTP provide the source code on GitHub](https://github.com/LinOTP/linotp-auth-pam) but no APT package. + + +## Default variables +```yaml +--- +pam_linotp: + apt_signed_by: https://packages.codeenigma.net/debian/codeenigma.pub + # LinOTP endpoint. + endpoint: "" + # PAM policies. + su: true + sudo: true + ssh: true + +``` + + diff --git a/docs/roles/debian/php-common.md b/docs/roles/debian/php-common.md index a0c7a71e3..a89a082c0 100644 --- a/docs/roles/debian/php-common.md +++ b/docs/roles/debian/php-common.md @@ -12,6 +12,7 @@ Installs and configures PHP core and required components. php: version: - 8.1 # see https://www.php.net/supported-versions.php + apt_signed_by: https://packages.sury.org/php/apt.gpg apt_origin: "origin=deb.sury.org,codename=${distro_codename}" # used by apt_unattended_upgrades ``` diff --git a/docs/roles/debian/python_common.md b/docs/roles/debian/python_common.md index 94573f816..c2c5f9178 100644 --- a/docs/roles/debian/python_common.md +++ b/docs/roles/debian/python_common.md @@ -19,8 +19,10 @@ python_common: # Commonly required Python system packages install_packages: - python3-distutils + - python3-debian - python3-venv - cloud-init # package can get removed with python3-yaml but we need it for auto-scale + ``` diff --git a/roles/debian/apt_extra_packages/tasks/main.yml b/roles/debian/apt_extra_packages/tasks/main.yml index 8c688b0ed..83f8a5b4d 100644 --- a/roles/debian/apt_extra_packages/tasks/main.yml +++ b/roles/debian/apt_extra_packages/tasks/main.yml @@ -26,6 +26,11 @@ update_cache: true when: apt_list | length > 0 +- name: Ensure wget is installed. + ansible.builtin.apt: + pkg: wget + state: present + - name: Install additional wget extra packages. ansible.builtin.include_tasks: "wget_install.yml" when: wget_list | length > 0 
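Review bot: the `Ensure wget is installed` task is added to roles/debian/apt_extra_packages, but its consumer is the key refresh script in roles/debian/apt_repository (refresh_key.j2 switches from curl to `wget -O key.tmp` in this same patch). A host that includes apt_repository without apt_extra_packages gets a timer whose script fails on a missing wget; move or duplicate this task into apt_repository, before the `Create script to refresh APT repository key` task, so the role is self-contained.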
diff --git a/roles/debian/apt_repository/README.md b/roles/debian/apt_repository/README.md index fc712e315..bbe891595 100644 --- a/roles/debian/apt_repository/README.md +++ b/roles/debian/apt_repository/README.md @@ -26,14 +26,16 @@ This role does not currently support importing keys from a key server. Since key --- apt_repository: legacy_repo: "" # optionally provide repo string of old list file to clean up, we are creating a new DEB822 format source file + format: deb822 # can be either deb822 or list for legacy repos + #list_repo_string: "http://pkg.jenkins.io/debian binary/" # if `format: list` is set we can override the auto-generated repo string here name: example types: - deb uris: - https://example.com/apt #signed_by: https://example.com/apt-key.asc # either the path to the key or the key contents - #suites: - # - "{{ ansible_distribution_release }}" + suites: + - "{{ ansible_distribution_release }}" components: - main state: present diff --git a/roles/debian/apt_repository/defaults/main.yml b/roles/debian/apt_repository/defaults/main.yml index 36724475a..d64913c89 100644 --- a/roles/debian/apt_repository/defaults/main.yml +++ b/roles/debian/apt_repository/defaults/main.yml @@ -1,14 +1,16 @@ --- apt_repository: legacy_repo: "" # optionally provide repo string of old list file to clean up, we are creating a new DEB822 format source file + format: deb822 # can be either deb822 or list for legacy repos + #list_repo_string: "http://pkg.jenkins.io/debian binary/" # if `format: list` is set we can override the auto-generated repo string here name: example types: - deb uris: - https://example.com/apt #signed_by: https://example.com/apt-key.asc # either the path to the key or the key contents - #suites: - # - "{{ ansible_distribution_release }}" + suites: + - "{{ ansible_distribution_release }}" components: - main state: present diff --git a/roles/debian/apt_repository/tasks/main.yml b/roles/debian/apt_repository/tasks/main.yml index 3512ccc95..6300d0e3d 100644 
--- a/roles/debian/apt_repository/tasks/main.yml +++ b/roles/debian/apt_repository/tasks/main.yml 
@@ -13,10 +13,53 @@ uris: "{{ apt_repository.uris }}" signed_by: "{{ apt_repository.signed_by | default(omit) }}" suites: "{{ apt_repository.suites | default(omit) }}" - components: "{{ apt_repository.components }}" + components: "{{ apt_repository.components | default(omit) }}" state: "{{ apt_repository.state }}" enabled: "{{ apt_repository.enabled }}" register: _apt_repository + when: apt_repository.format == 'deb822' + +# See https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_repository_module.html +# This method is obsolete, but some repositories still require it. +- name: Install legacy APT repository. + when: apt_repository.format == 'list' + block: + - name: Create repo string. + ansible.builtin.set_fact: + _apt_repository_list_repo_string: "{{ apt_repository.uris[0] }} {{ apt_repository.suites[0] }} {{ apt_repository.components[0] }}" + + - name: Overwrite repo string with provided value, if applicable. + ansible.builtin.set_fact: + _apt_repository_list_repo_string: "{{ apt_repository.list_repo_string }}" + when: + - apt_repository.list_repo_string is defined + - apt_repository.list_repo_string | length > 0 + + - name: Capture path to key for renewal script. + ansible.builtin.set_fact: + _apt_repository: + key_filename: "/etc/apt/keyrings/{{ apt_repository.name }}.asc" + + - name: Download repo key, if applicable. + ansible.builtin.get_url: + url: "{{ apt_repository.signed_by }}" + dest: "{{ _apt_repository.key_filename }}" + when: + - apt_repository.signed_by is defined + - apt_repository.signed_by | length > 0 + + - name: Add key to repo string, if applicable. + ansible.builtin.set_fact: + _apt_repository_list_repo_string: "[signed-by={{ _apt_repository.key_filename }}] {{ _apt_repository_list_repo_string }}" + when: + - apt_repository.signed_by is defined + - apt_repository.signed_by | length > 0 + + - name: Add APT repository in list format. 
+ ansible.builtin.apt_repository: + repo: "{{ item }} {{ _apt_repository_list_repo_string }}" + state: "{{ apt_repository.state }}" + with_items: "{{ apt_repository.types }}" - name: Install systemd timer to renew the key every week. when: diff --git a/roles/debian/apt_repository/templates/refresh_key.j2 b/roles/debian/apt_repository/templates/refresh_key.j2 index 2093dfd3d..0da6c65a2 100644 --- a/roles/debian/apt_repository/templates/refresh_key.j2 +++ b/roles/debian/apt_repository/templates/refresh_key.j2 @@ -4,7 +4,7 @@ # Simple bash script to download the APT repository public key and replace the existing one. cd $(mktemp -d) -curl -fsS -o key.tmp "{{ apt_repository.signed_by }}" +wget -O key.tmp "{{ apt_repository.signed_by }}" sudo install -D -o root -g root -m 644 key.tmp {{ _apt_repository.key_filename }} diff --git a/roles/debian/docker_ce/README.md b/roles/debian/docker_ce/README.md new file mode 100644 index 000000000..f72e9b992 --- /dev/null +++ b/roles/debian/docker_ce/README.md @@ -0,0 +1,15 @@ +# Docker CE +Installs Docker Engine community edition and related tools. Will install the Docker Compose plugin by default. + + +## Default variables +```yaml +--- +docker_ce: + apt_origin: "origin=download.docker.com/linux,codename=${distro_codename},label=docker-ce" # used by apt_unattended_upgrades + apt_signed_by: https://download.docker.com/linux/debian/gpg + docker_compose: true + +``` + + diff --git a/roles/debian/docker_ce/defaults/main.yml b/roles/debian/docker_ce/defaults/main.yml new file mode 100644 index 000000000..aeebb48df --- /dev/null +++ b/roles/debian/docker_ce/defaults/main.yml @@ -0,0 +1,5 @@ +--- +docker_ce: + apt_origin: "origin=download.docker.com/linux,codename=${distro_codename},label=docker-ce" # used by apt_unattended_upgrades + apt_signed_by: https://download.docker.com/linux/debian/gpg + docker_compose: true diff --git a/roles/debian/docker_ce/tasks/main.yml b/roles/debian/docker_ce/tasks/main.yml index d6ec765e1..4cb727279 100644 
--- a/roles/debian/docker_ce/tasks/main.yml +++ b/roles/debian/docker_ce/tasks/main.yml 
@@ -1,21 +1,57 @@ --- - name: Remove potential older packages. ansible.builtin.apt: - pkg: ["docker", "docker-engine", "docker.io", "containerd", "runc"] + pkg: + - docker + - docker-engine + - docker.io + - containerd + - runc state: absent -- name: Add repository key for Docker. - ansible.builtin.apt_key: - url: https://download.docker.com/linux/debian/gpg - state: present +- name: Add Docker repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" + name: docker_ce + types: + - deb + uris: + - https://download.docker.com/linux/debian + signed_by: "{{ docker_ce.apt_signed_by }}" + suites: "{{ ansible_distribution_release }}" + components: + - stable + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 00:10:00" -- name: Add repository for Docker. - ansible.builtin.apt_repository: - repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" - state: present +- name: Add Docker repository to unattended-upgrades origins list. + ansible.builtin.set_fact: + _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ docker_ce.apt_origin ] }}" + when: + - apt_unattended_upgrades.enable is defined + - apt_unattended_upgrades.enable + +- name: Install the unattended-upgrades config. + ansible.builtin.include_role: + name: debian/apt_unattended_upgrades + when: + - apt_unattended_upgrades.enable is defined + - apt_unattended_upgrades.enable - name: Ensure Docker is installed. ansible.builtin.apt: - pkg: ["docker-ce", "docker-ce-cli"] + pkg: + - docker-ce + - docker-ce-cli + state: present + +- name: Ensure Docker Compose is installed. + ansible.builtin.apt: + pkg: + - docker-compose-plugin state: present - update_cache: true + when: docker_ce.docker_compose 
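Review bot: in roles/debian/apt_repository/templates/refresh_key.j2, replacing `curl -fsS -o key.tmp` with `wget -O key.tmp` drops the fail-on-HTTP-error behaviour that `-f` provided, and the following `sudo install -D -o root -g root -m 644 key.tmp {{ _apt_repository.key_filename }}` runs regardless of the download result, so a 404 or a server outage during the weekly timer now overwrites the installed keyring with an empty (or partial) file and every later `apt update` for that repository fails signature verification. Please check the exit status and the contents before installing, e.g. `wget -O key.tmp "{{ apt_repository.signed_by }}" || exit 1` followed by `gpg --show-keys key.tmp >/dev/null || exit 1`, and add `set -e` if the top of the script does not already have it. Since this timer replaces a trust anchor every week with whatever the URL serves, it is also worth comparing the downloaded key's fingerprint with the expected one before the existing file is overwritten.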
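Review bot: the `Ensure Docker is installed.` task loses `update_cache: true` at the same time the repository setup moves into the included `debian/apt_repository` role, so on a fresh host the install now depends on that role refreshing the apt cache after it writes the new source; if the role's deb822 path only templates the sources file, `docker-ce` is unknown to apt and the task fails. Keep `update_cache: true` on the install task (the new `Ensure Docker Compose is installed.` task lacks it as well), or confirm that the included role runs an apt cache update on both its list and deb822 paths. A smaller point: the old source line restricted the repository to `[arch=amd64]`, while the new `legacy_repo` string and deb822 entry carry no architecture list, which is harmless on single-arch hosts but changes what apt fetches on multi-arch systems.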
diff --git a/roles/debian/docker_compose/defaults/main.yml b/roles/debian/docker_compose/defaults/main.yml deleted file mode 100644 index 0ceaf3f14..000000000 --- a/roles/debian/docker_compose/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -docker_compose: - version: "1.24.0" diff --git a/roles/debian/docker_compose/meta/main.yml b/roles/debian/docker_compose/meta/main.yml deleted file mode 100644 index b696951fa..000000000 --- a/roles/debian/docker_compose/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: debian/docker_ce diff --git a/roles/debian/docker_compose/tasks/main.yml b/roles/debian/docker_compose/tasks/main.yml deleted file mode 100644 index 505fe026c..000000000 --- a/roles/debian/docker_compose/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Fetch docker-compose. - ansible.builtin.get_url: - url: https://github.com/docker/compose/releases/download/{{ docker_compose.version }}/docker-compose-Linux-x86_64 - dest: /usr/local/bin/docker-compose - mode: 0755 diff --git a/roles/debian/docker_registry/README.md b/roles/debian/docker_registry/README.md new file mode 100644 index 000000000..6aaaabce1 --- /dev/null +++ b/roles/debian/docker_registry/README.md @@ -0,0 +1,19 @@ +# Docker Registry +Provides a local Docker registry, predominantly used by [`ce-dev`](https://github.com/codeenigma/ce-dev/) and the `push` and `pull` commands, but can be used to create a Docker registry on any target host. It uses the official Docker registry image to spin up a container on the target host which hosts the registry. The provided `docker-compose.yml.j2` template can be overridden to provide an alternative Docker Compose service configuration. + + +## Default variables +```yaml +--- +docker_registry: + bind: 127.0.0.1 + port: 5000 + image_version: "2.8.3" # see https://hub.docker.com/_/registry + # Whether it is behind an Nginx proxy (for auth). + proxy: false +nginx: + client_max_body_size: 0 + +``` + + 
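Review bot: deleting roles/debian/docker_compose removes the task that fetched the 1.24.0 `docker-compose-Linux-x86_64` binary (without a `checksum`) into /usr/local/bin/docker-compose, but nothing in this patch removes that binary from hosts already provisioned, so they keep a never-updated Compose v1 on the PATH next to the new `docker-compose-plugin`. Add a cleanup task to the docker_ce role (`ansible.builtin.file` with `path: /usr/local/bin/docker-compose` and `state: absent`), and note in the docker_ce README that the plugin is invoked as `docker compose` rather than `docker-compose`, since anything still calling the old command name (the docker_registry role now depends on docker_ce instead of docker_compose) needs checking before merge.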
diff --git a/roles/debian/docker_registry/defaults/main.yml b/roles/debian/docker_registry/defaults/main.yml index ce0a9d379..c108164f1 100644 --- a/roles/debian/docker_registry/defaults/main.yml +++ b/roles/debian/docker_registry/defaults/main.yml @@ -2,7 +2,8 @@ docker_registry: bind: 127.0.0.1 port: 5000 - # Wether it is behind an Nginx proxy (for auth). + image_version: "2.8.3" # see https://hub.docker.com/_/registry + # Whether it is behind an Nginx proxy (for auth). proxy: false nginx: client_max_body_size: 0 diff --git a/roles/debian/docker_registry/meta/main.yml b/roles/debian/docker_registry/meta/main.yml index 92b6d77fd..f84ec29ca 100644 --- a/roles/debian/docker_registry/meta/main.yml +++ b/roles/debian/docker_registry/meta/main.yml @@ -1,4 +1,4 @@ --- dependencies: - - role: debian/docker_compose + - role: debian/docker_ce - { role: "debian/nginx", when: docker_registry.proxy } diff --git a/roles/debian/docker_registry/templates/docker-compose.yml.j2 b/roles/debian/docker_registry/templates/docker-compose.yml.j2 index b6551c838..e770991d9 100644 --- a/roles/debian/docker_registry/templates/docker-compose.yml.j2 +++ b/roles/debian/docker_registry/templates/docker-compose.yml.j2 @@ -2,10 +2,10 @@ version: "3.7" services: registry: - image: registry:2 + image: registry:{{ docker_registry.image_version }} restart: unless-stopped container_name: docker_registry {% if docker_registry.bind is defined and docker_registry.bind %} ports: - {{ docker_registry.bind }}:{{ docker_registry.port }}:5000 -{% endif %} \ No newline at end of file +{% endif %} diff --git a/roles/debian/gitlab/README.md b/roles/debian/gitlab/README.md index 8db966602..c02282fd2 100644 --- a/roles/debian/gitlab/README.md +++ b/roles/debian/gitlab/README.md 
@@ -22,6 +22,7 @@ ldap_client: gitlab: apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades + apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey server_name: "gitlab.{{ _domain_name }}" # Add a record for GitLab in AWS Route 53 # If you use the aws_ec2_with_eip role to create your server this will not be necessary diff --git a/roles/debian/gitlab/defaults/main.yml b/roles/debian/gitlab/defaults/main.yml index 8f4fd8c93..f09d68f18 100644 --- a/roles/debian/gitlab/defaults/main.yml +++ b/roles/debian/gitlab/defaults/main.yml @@ -9,6 +9,7 @@ ldap_client: gitlab: apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades + apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey server_name: "gitlab.{{ _domain_name }}" # Add a record for GitLab in AWS Route 53 # If you use the aws_ec2_with_eip role to create your server this will not be necessary diff --git a/roles/debian/gitlab/tasks/main.yml b/roles/debian/gitlab/tasks/main.yml index b7c9a9953..5bc6c7dec 100644 --- a/roles/debian/gitlab/tasks/main.yml +++ b/roles/debian/gitlab/tasks/main.yml 
@@ -29,30 +29,39 @@ - gitlab.mattermost_route_53.zone is defined - gitlab.mattermost_route_53.zone | length > 0 -- name: Add repository key for Gitlab. - ansible.builtin.apt_key: - url: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey - state: present - -- name: Add repository for Gitlab. - ansible.builtin.apt_repository: - repo: "deb https://packages.gitlab.com/gitlab/gitlab-ce/debian/ {{ ansible_distribution_release }} main" - state: present - -- name: Add source repository for Gitlab. - ansible.builtin.apt_repository: - repo: "deb-src https://packages.gitlab.com/gitlab/gitlab-ce/debian/ {{ ansible_distribution_release }} main" - state: present +- name: Add GitLab repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb https://packages.gitlab.com/gitlab/gitlab-ce/debian/ {{ ansible_distribution_release }} main" + name: gitlab + types: + - deb + - deb-src + uris: + - https://packages.gitlab.com/gitlab/gitlab-ce/debian/ + signed_by: "{{ gitlab.apt_signed_by }}" + suites: "{{ ansible_distribution_release }}" + components: + - main + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 00:20:00" - name: Add GitLab repository to unattended-upgrades origins list. ansible.builtin.set_fact: _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ gitlab.apt_origin ] }}" - when: apt_unattended_upgrades.enable + when: + - apt_unattended_upgrades.enable is defined + - apt_unattended_upgrades.enable - name: Install the unattended-upgrades config. ansible.builtin.include_role: name: debian/apt_unattended_upgrades - when: apt_unattended_upgrades.enable + when: + - apt_unattended_upgrades.enable is defined + - apt_unattended_upgrades.enable - name: Ensure Gitlab is installed. ansible.builtin.apt: diff --git a/roles/debian/gitlab_runner/README.md b/roles/debian/gitlab_runner/README.md index 10829036f..2804320b5 100644 
--- a/roles/debian/gitlab_runner/README.md +++ b/roles/debian/gitlab_runner/README.md @@ -13,6 +13,7 @@ If you want to use AWS ECS with Fargate for orchestrating CI containers then set --- gitlab_runner: apt_origin: "origin=packages.gitlab.com/runner/gitlab-runner,codename=${distro_codename},label=gitlab-runner" # used by apt_unattended_upgrades + apt_signed_by: https://packages.gitlab.com/runner/gitlab-runner/gpgkey concurrent_jobs: 10 check_interval: 0 session_timeout: 1800 diff --git a/roles/debian/gitlab_runner/defaults/main.yml b/roles/debian/gitlab_runner/defaults/main.yml index ba1c1d48e..af891d799 100644 --- a/roles/debian/gitlab_runner/defaults/main.yml +++ b/roles/debian/gitlab_runner/defaults/main.yml @@ -1,6 +1,7 @@ --- gitlab_runner: apt_origin: "origin=packages.gitlab.com/runner/gitlab-runner,codename=${distro_codename},label=gitlab-runner" # used by apt_unattended_upgrades + apt_signed_by: https://packages.gitlab.com/runner/gitlab-runner/gpgkey concurrent_jobs: 10 check_interval: 0 session_timeout: 1800 diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml index 47b32ac4c..cbae5c255 100644 --- a/roles/debian/gitlab_runner/tasks/main.yml +++ b/roles/debian/gitlab_runner/tasks/main.yml 
@@ -1,28 +1,37 @@ --- -- name: Add repository key for Gitlab Runner. - ansible.builtin.apt_key: - url: https://packages.gitlab.com/runner/gitlab-runner/gpgkey - state: present - -- name: Add repository for Gitlab Runner. - ansible.builtin.apt_repository: - repo: "deb https://packages.gitlab.com/runner/gitlab-runner/debian/ {{ ansible_distribution_release }} main" - state: present - -- name: Add source repository for Gitlab Runner. - ansible.builtin.apt_repository: - repo: "deb-src https://packages.gitlab.com/runner/gitlab-runner/debian/ {{ ansible_distribution_release }} main" - state: present +- name: Add GitLab Runner repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb https://packages.gitlab.com/runner/gitlab-runner/debian/ {{ ansible_distribution_release }} main" + name: gitlab_runner + types: + - deb + - deb-src + uris: + - https://packages.gitlab.com/runner/gitlab-runner/debian/ + signed_by: "{{ gitlab_runner.apt_signed_by }}" + suites: "{{ ansible_distribution_release }}" + components: + - main + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 00:30:00" - name: Add GitLab Runner repository to unattended-upgrades origins list. ansible.builtin.set_fact: _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ gitlab_runner.apt_origin ] }}" - when: apt_unattended_upgrades.enable + when: + - apt_unattended_upgrades.enable is defined + - apt_unattended_upgrades.enable - name: Install the unattended-upgrades config. ansible.builtin.include_role: name: debian/apt_unattended_upgrades - when: apt_unattended_upgrades.enable + when: + - apt_unattended_upgrades.enable is defined + - apt_unattended_upgrades.enable - name: Ensure Gitlab Runner is installed. ansible.builtin.apt: diff --git a/roles/debian/jenkins/README.md b/roles/debian/jenkins/README.md index c4bc917dc..4fca080e8 100644 --- a/roles/debian/jenkins/README.md 
+++ b/roles/debian/jenkins/README.md @@ -15,6 +15,7 @@ ldap_client: bindpw: "" jenkins: + apt_signed_by: https://pkg.jenkins.io/debian/jenkins.io.key server_name: "jenkins.{{ _domain_name }}" ssl_handling: "ssl_selfsigned" listen_http_port: -1 diff --git a/roles/debian/jenkins/defaults/main.yml b/roles/debian/jenkins/defaults/main.yml index 34cc855e5..39c1a1c64 100644 --- a/roles/debian/jenkins/defaults/main.yml +++ b/roles/debian/jenkins/defaults/main.yml @@ -7,6 +7,7 @@ ldap_client: bindpw: "" jenkins: + apt_signed_by: https://pkg.jenkins.io/debian/jenkins.io.key server_name: "jenkins.{{ _domain_name }}" ssl_handling: "ssl_selfsigned" listen_http_port: -1 diff --git a/roles/debian/jenkins/tasks/main.yml b/roles/debian/jenkins/tasks/main.yml index 6262d4478..e1d47742d 100644 --- a/roles/debian/jenkins/tasks/main.yml +++ b/roles/debian/jenkins/tasks/main.yml @@ -1,17 +1,26 @@ --- -- name: Add repository key for Jenkins. - ansible.builtin.apt_key: - url: https://pkg.jenkins.io/debian/jenkins.io.key - state: present - -- name: Add repository for Jenkins. - ansible.builtin.apt_repository: - repo: "deb http://pkg.jenkins.io/debian binary/" - state: present +- name: Add Jenkins repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb http://pkg.jenkins.io/debian binary/" + format: list # Jenkins repo does not support deb822 + list_repo_string: "http://pkg.jenkins.io/debian binary/" # override automated repo string generation + name: jenkins + types: + - deb + uris: + - http://pkg.jenkins.io/debian + signed_by: "{{ jenkins.apt_signed_by }}" + state: present + key_refresh_timer_OnCalendar: "Mon *-*-* 00:00:00" + +# @TODO add to unattended-upgrades - name: Ensure Jenkins is installed. ansible.builtin.apt: - pkg: "jenkins" + pkg: jenkins state: present update_cache: true register: aptoutput 
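Review bot: the Jenkins repository is configured over plain HTTP (`legacy_repo: "deb http://pkg.jenkins.io/debian binary/"`, with `list_repo_string` and `uris` likewise) while the signing key is fetched from `https://pkg.jenkins.io/debian/jenkins.io.key` on the same host, so TLS is clearly available; apt's signature check still protects package integrity, but unencrypted index and package downloads reveal what the CI server installs and let an on-path party replay stale, still-signed metadata to hold back updates, so please switch all three values to `https://`. The `# @TODO add to unattended-upgrades` left here (and in the jitsi and lhci hunks of this patch) means Jenkins, Jitsi and Chrome will not receive automatic security updates even when `apt_unattended_upgrades.enable` is set; either add the origins now as done for docker_ce, gitlab and mysql_server, or open an issue for it before merge.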
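Review bot: the `Convert SSL key to intermediate PK12.` task in the next hunk of this file, and the same `openssl pkcs12 -export ... -passout 'pass:{{ jenkins.keystore_pass }}'` line in jenkins-cert-renewal.sh.j2, place the keystore password on the command line, where it appears in Ansible's task output and logs and in the process list for the duration of the call; this hunk only renames `_ssl_paths` to `ssl_facts`, so it is a good moment to add `no_log: true` to that task and to pass the password via `-passout file:` or an environment variable (`-passout env:VAR`) instead of `pass:` in both places.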
@@ -31,7 +40,7 @@ register: jenkins_keystore - name: Convert SSL key to intermediate PK12. - ansible.builtin.command: "openssl pkcs12 -export -out /dev/shm/jenkins_keystore.p12 -passout 'pass:{{ jenkins.keystore_pass }}' -inkey {{ _ssl_paths[jenkins.server_name].key }} -in {{ _ssl_paths[jenkins.server_name].certificate }} -name {{ jenkins.server_name }}" + ansible.builtin.command: "openssl pkcs12 -export -out /dev/shm/jenkins_keystore.p12 -passout 'pass:{{ jenkins.keystore_pass }}' -inkey {{ ssl_facts[jenkins.server_name].key }} -in {{ ssl_facts[jenkins.server_name].certificate }} -name {{ jenkins.server_name }}" when: not jenkins_keystore.stat.exists - name: Convert PK12 to keystore. diff --git a/roles/debian/jenkins/templates/jenkins-cert-renewal.sh.j2 b/roles/debian/jenkins/templates/jenkins-cert-renewal.sh.j2 index 08e813767..b48d76443 100644 --- a/roles/debian/jenkins/templates/jenkins-cert-renewal.sh.j2 +++ b/roles/debian/jenkins/templates/jenkins-cert-renewal.sh.j2 
@@ -1,7 +1,7 @@ #!/bin/bash mv /var/lib/jenkins/{{ jenkins.server_name }}.jks /var/lib/jenkins/{{ jenkins.server_name }}.jks.bak -openssl pkcs12 -export -out /dev/shm/jenkins_keystore.p12 -passout 'pass:{{ jenkins.keystore_pass }}' -inkey {{ _ssl_paths[jenkins.server_name].key }} -in {{ _ssl_paths[jenkins.server_name].certificate }} -name {{ jenkins.server_name }} +openssl pkcs12 -export -out /dev/shm/jenkins_keystore.p12 -passout 'pass:{{ jenkins.keystore_pass }}' -inkey {{ ssl_facts[jenkins.server_name].key }} -in {{ ssl_facts[jenkins.server_name].certificate }} -name {{ jenkins.server_name }} keytool -importkeystore -srckeystore /dev/shm/jenkins_keystore.p12 -srcstorepass '{{ jenkins.keystore_pass }}' -srcstoretype PKCS12 -srcalias {{ jenkins.server_name }} -deststoretype JKS -destkeystore /var/lib/jenkins/{{ jenkins.server_name }}.jks -deststorepass '{{ jenkins.keystore_pass }}' -destalias {{ jenkins.server_name }} chown -R "{{ jenkins.user }}":"{{ jenkins.user }}" /var/lib/jenkins chown -R "{{ jenkins.user }}":"{{ jenkins.user }}" /var/cache/jenkins diff --git a/roles/debian/jitsi/README.md b/roles/debian/jitsi/README.md index c6b927e9b..9ccafba12 100644 --- a/roles/debian/jitsi/README.md +++ b/roles/debian/jitsi/README.md @@ -7,6 +7,7 @@ Installs the Jitsi Meet video conferencing product. See https://jitsi.github.io/ ```yaml --- jitsi: + apt_signed_by: https://download.jitsi.org/jitsi-key.gpg.key server_name: "{{ _domain_name }}" email: admin@example.com ``` diff --git a/roles/debian/jitsi/defaults/main.yml b/roles/debian/jitsi/defaults/main.yml index 6fb45ff55..87d8cc7e7 100644 --- a/roles/debian/jitsi/defaults/main.yml +++ b/roles/debian/jitsi/defaults/main.yml @@ -1,4 +1,5 @@ --- jitsi: + apt_signed_by: https://download.jitsi.org/jitsi-key.gpg.key server_name: "{{ _domain_name }}" email: admin@example.com \ No newline at end of file diff --git a/roles/debian/jitsi/tasks/main.yml b/roles/debian/jitsi/tasks/main.yml index 11669216e..ec485f6ba 100644 
--- a/roles/debian/jitsi/tasks/main.yml +++ b/roles/debian/jitsi/tasks/main.yml @@ -1,14 +1,22 @@ --- -- name: Add Jitsi key. - ansible.builtin.shell: "set -o pipefail && wget -q -O - https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -" - args: - executable: /bin/bash - -- name: Install Jitsi repo. - ansible.builtin.apt_repository: - repo: deb https://download.jitsi.org stable/ - state: present - filename: jitsi-stable +- name: Add Jitsi repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb https://download.jitsi.org stable/" + format: list # Jitsi repo does not support deb822 + list_repo_string: "https://download.jitsi.org stable/" + name: jitsi + types: + - deb + uris: + - https://download.jitsi.org + signed_by: "{{ jitsi.apt_signed_by }}" + state: present + key_refresh_timer_OnCalendar: "Mon *-*-* 00:00:00" + +# @TODO add to unattended-upgrades - name: Update system settings for Jitsi. ansible.builtin.blockinfile: diff --git a/roles/debian/lhci/README.md b/roles/debian/lhci/README.md index 02dc6d181..3d1b3aad6 100644 --- a/roles/debian/lhci/README.md +++ b/roles/debian/lhci/README.md @@ -42,6 +42,7 @@ Note, this is not protected and should not be enabled in general. See also the c ```yaml --- lhci: + apt_signed_by: https://dl-ssl.google.com/linux/linux_signing_key.pub enable_vnc: false chrome_package: google-chrome-stable # optionally set specific version, e.g. google-chrome-stable=112.0.5615.165-1 # Optional npm version handling. diff --git a/roles/debian/lhci/defaults/main.yml b/roles/debian/lhci/defaults/main.yml index afd2d9393..3a2e83dad 100644 --- a/roles/debian/lhci/defaults/main.yml +++ b/roles/debian/lhci/defaults/main.yml 
@@ -1,5 +1,6 @@ --- lhci: + apt_signed_by: https://dl-ssl.google.com/linux/linux_signing_key.pub enable_vnc: false chrome_package: google-chrome-stable # optionally set specific version, e.g. google-chrome-stable=112.0.5615.165-1 # Optional npm version handling. diff --git a/roles/debian/lhci/tasks/main.yml b/roles/debian/lhci/tasks/main.yml index 56c1fd9c9..c32415e79 100644 --- a/roles/debian/lhci/tasks/main.yml +++ b/roles/debian/lhci/tasks/main.yml @@ -1,14 +1,24 @@ --- -- name: Add Google Chrome key. - ansible.builtin.shell: "set -o pipefail && wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -" - args: - executable: /bin/bash +- name: Add Google Chrome repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb http://dl.google.com/linux/chrome/deb/ stable main" + name: google_chrome + types: + - deb + uris: + - http://dl.google.com/linux/chrome/deb/ + signed_by: "{{ lhci.apt_signed_by }}" + suites: stable + components: + - main + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 00:00:00" -- name: Install Google Chrome repo. - ansible.builtin.apt_repository: - repo: deb http://dl.google.com/linux/chrome/deb/ stable main - state: present - filename: google-chrome +# @TODO add to unattended-upgrades - name: Install Google Chrome "headful" mode dependencies. ansible.builtin.apt: diff --git a/roles/debian/mysql_server_oracle_ce/README.md b/roles/debian/mysql_server_oracle_ce/README.md index df5f72332..40fad3f72 100644 --- a/roles/debian/mysql_server_oracle_ce/README.md +++ b/roles/debian/mysql_server_oracle_ce/README.md 
@@ -9,9 +9,10 @@ Installs MySQL Server 8.0 by default. ```yaml --- mysql_server: - long_query_time: 4 + apt_origin: "origin=repo.mysql.com/apt,codename=${distro_codename},label=mysql" # used by apt_unattended_upgrades apt_signed_by: https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 apt_repo_version: mysql-8.0 + long_query_time: 4 ``` diff --git a/roles/debian/mysql_server_oracle_ce/defaults/main.yml b/roles/debian/mysql_server_oracle_ce/defaults/main.yml index eb1baaf4f..9784efa54 100644 --- a/roles/debian/mysql_server_oracle_ce/defaults/main.yml +++ b/roles/debian/mysql_server_oracle_ce/defaults/main.yml @@ -1,5 +1,6 @@ --- mysql_server: - long_query_time: 4 + apt_origin: "origin=repo.mysql.com/apt,codename=${distro_codename},label=mysql" # used by apt_unattended_upgrades apt_signed_by: https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 apt_repo_version: mysql-8.0 + long_query_time: 4 diff --git a/roles/debian/mysql_server_oracle_ce/tasks/main.yml b/roles/debian/mysql_server_oracle_ce/tasks/main.yml index 558b3201b..956467ae7 100644 --- a/roles/debian/mysql_server_oracle_ce/tasks/main.yml +++ b/roles/debian/mysql_server_oracle_ce/tasks/main.yml @@ -30,9 +30,23 @@ mode: 0644 force: true -- name: Ensure mysql is installed. +- name: Add MySQL repository to unattended-upgrades origins list. + ansible.builtin.set_fact: + _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ mysql_server.apt_origin ] }}" + when: + - apt_unattended_upgrades.enable is defined + - apt_unattended_upgrades.enable + +- name: Install the unattended-upgrades config. + ansible.builtin.include_role: + name: debian/apt_unattended_upgrades + when: + - apt_unattended_upgrades.enable is defined + - apt_unattended_upgrades.enable + +- name: Ensure MySQL is installed. ansible.builtin.apt: - pkg: "mysql-server" + pkg: mysql-server state: present update_cache: true 
@@ -53,7 +67,7 @@ # - blackfire.overrides is defined # - blackfire.overrides | length > 0 -- name: Restart mysql. +- name: Restart MySQL. ansible.builtin.service: name: mysql state: restarted @@ -69,14 +83,14 @@ mysql -NBe 'GRANT ALL ON *.* TO "ce-dev"@"%" IDENTIFIED BY "ce-dev" WITH GRANT OPTION;' when: is_local is defined and is_local -- name: Ensure mysql can write data. +- name: Ensure MySQL can write data. ansible.builtin.file: path: /var/lib/mysql owner: mysql group: mysql recurse: true -- name: Ensure mysql can write PID/lock. +- name: Ensure MySQL can write PID/lock. ansible.builtin.file: path: /var/run/mysqld owner: mysql diff --git a/roles/debian/nodejs/README.md b/roles/debian/nodejs/README.md index e1fbf2181..1931faa13 100644 --- a/roles/debian/nodejs/README.md +++ b/roles/debian/nodejs/README.md @@ -9,7 +9,9 @@ Installs NodeJS from official repos. nodejs: # Used by apt_unattended_upgrades apt_origin_nodejs: "origin=Node Source,codename=${distro_codename},label=Node Source" # nodejs repo + apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo + apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg version: 18.x # LTS - see https://nodejs.dev/en/about/releases/ npm_packages: [] #npm_packages: diff --git a/roles/debian/nodejs/defaults/main.yml b/roles/debian/nodejs/defaults/main.yml index 2384ee932..c2103ced1 100644 --- a/roles/debian/nodejs/defaults/main.yml +++ b/roles/debian/nodejs/defaults/main.yml 
@@ -2,7 +2,9 @@ nodejs: # Used by apt_unattended_upgrades apt_origin_nodejs: "origin=Node Source,codename=${distro_codename},label=Node Source" # nodejs repo + apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo + apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg version: 18.x # LTS - see https://nodejs.dev/en/about/releases/ npm_packages: [] #npm_packages: diff --git a/roles/debian/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml index 9cbf93d18..1262961c3 100644 --- a/roles/debian/nodejs/tasks/main.yml +++ b/roles/debian/nodejs/tasks/main.yml 
@@ -1,28 +1,42 @@ --- -- name: Add repository key for NodeJS repository. - ansible.builtin.apt_key: - url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key - state: present - -- name: Add repository for NodeJS. - ansible.builtin.apt_repository: - repo: "deb https://deb.nodesource.com/node_{{ nodejs.version }} {{ ansible_distribution_release }} main" - state: present - -- name: Add source repository for NodeJS. - ansible.builtin.apt_repository: - repo: "deb-src https://deb.nodesource.com/node_{{ nodejs.version }} {{ ansible_distribution_release }} main" - state: present - -- name: Add repository key for Yarn repository. - ansible.builtin.apt_key: - url: https://dl.yarnpkg.com/debian/pubkey.gpg - state: present +- name: Add NodeJS repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb https://deb.nodesource.com/node_{{ nodejs.version }} {{ ansible_distribution_release }} main" + name: nodejs + types: + - deb + - deb-src + uris: + - "https://deb.nodesource.com/node_{{ nodejs.version }}" + signed_by: "{{ nodejs.apt_signed_by_nodejs }}" + suites: "{{ ansible_distribution_release }}" + components: + - main + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 00:15:00" -- name: Add repository for Yarn. - ansible.builtin.apt_repository: - repo: "deb https://dl.yarnpkg.com/debian/ stable main" - state: present +- name: Add Yarn repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb https://dl.yarnpkg.com/debian/ stable main" + name: nodejs_yarn + types: + - deb + uris: + - https://dl.yarnpkg.com/debian/ + signed_by: "{{ nodejs.apt_signed_by_yarn }}" + suites: stable + components: + - main + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 00:25:00" - name: Pin Node packages. ansible.builtin.template: 
@@ -36,12 +50,16 @@ - name: Add nodejs and yarn repositories to unattended-upgrades origins list. ansible.builtin.set_fact: _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ nodejs.apt_origin_nodejs, nodejs.apt_origin_yarn ] }}" - when: apt_unattended_upgrades.enable + when: + - apt_unattended_upgrades.enable is defined + - apt_unattended_upgrades.enable - name: Install the unattended-upgrades config. ansible.builtin.include_role: name: debian/apt_unattended_upgrades - when: apt_unattended_upgrades.enable + when: + - apt_unattended_upgrades.enable is defined + - apt_unattended_upgrades.enable - name: Ensure NodeJS and Yarn are installed. ansible.builtin.apt: diff --git a/roles/debian/openjdk/defaults/main.yml b/roles/debian/openjdk/defaults/main.yml index 6731da244..d54abff90 100644 --- a/roles/debian/openjdk/defaults/main.yml +++ b/roles/debian/openjdk/defaults/main.yml @@ -1,3 +1,3 @@ --- openjdk: - version: 11 # 11 is current version in bullseye - 17 in sid + version: 17 # 17 is current version in bookworm and also available in bullseye - 11 also in bullseye diff --git a/roles/debian/ossec/README.md b/roles/debian/ossec/README.md deleted file mode 100644 index 30d418e5d..000000000 --- a/roles/debian/ossec/README.md +++ /dev/null 
@@ -1,174 +0,0 @@ -# OSSEC -The ossec role is used to install ossec server or client. - - - - -## Default variables -```yaml ---- -# defaults file for ossec - -ossec: - client: true - serverip: "123.123.123.123" - #auth_password should be 32 chars, lowercase letters and numbers, no symbols - auth_password: "xxx" - - global: - email_notification: "yes" - email_to: "admin@example.com" - smtp_server: "mail.google.com" - email_from: "admin@example.com" - white_list: - - "8.8.8.8" - - "4.4.4.4" - alerts: - log_alert_level: 1 - email_alert_level: 7 - - email_alerts: - email_to: "admin@example.com" - level: 14 - - ssl: - domain: "ossec.example.com" - handling: "selfsigned" - replace_existing: false - - syscheck: - frequency: 79200 - directories: - - /etc - - /usr/bin - - /usr/sbin - - /bin - - /sbin - ignore: - - /etc/mtab - - /etc/mnttab - - /etc/hosts.deny - - /etc/mail/statistics - - /etc/random-seed - - /etc/adjtime - - /etc/httpd/logs - - /etc/utmpx - - /etc/wtmpx - - /etc/cups/certs - - /etc/dumpdates - - /etc/svc/volatile - - /etc/puppet - - /etc/resolv.conf - - /etc/hybserv - - rootcheck: - disabled: "no" - rootkit_files: - - /var/ossec/etc/shared/rootkit_files.txt - rootkit_trojans: - - /var/ossec/etc/shared/rootkit_trojans.txt - system_audit: - - /var/ossec/etc/shared/system_audit_rcl.txt - - /var/ossec/etc/shared/cis_debian_linux_rcl.txt - - /var/ossec/etc/shared/cis_rhel_linux_rcl.txt - - /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt - - command: - - name: "firewall-drop" - executable: "firewall-drop.sh" - expect: "srcip" - timeout_allowed: "yes" - - activeresponse: - - disabled: "no" - command: "firewall-drop" - location: "all" - rules_id: "31151,5712,104130,101071,101132,101238,101251,103011" - repeated_offenders: "30,60,120" - timeout: "600" - - disabled: "no" - command: "firewall-drop" - location: "all" - rules_id: "100205" - repeated_offenders: "30,60,120" - timeout: "3600" - - remote: - connection: - - syslog - - secure - - localfile: - - { log_format: 
"syslog", location: "/var/log/messages" } - - { log_format: "syslog", location: "/var/log/auth.log" } - - { log_format: "syslog", location: "/var/log/syslog" } - - { log_format: "syslog", location: "/var/log/mail.info" } - - { log_format: "syslog", location: "/var/log/dpkg.log" } - - rules: - - rules_config.xml - - pam_rules.xml - - sshd_rules.xml - - telnetd_rules.xml - - syslog_rules.xml - - arpwatch_rules.xml - - symantec-av_rules.xml - - symantec-ws_rules.xml - - pix_rules.xml - - named_rules.xml - - smbd_rules.xml - - vsftpd_rules.xml - - proftpd_rules.xml - - ms_ftpd_rules.xml - - ftpd_rules.xml - - hordeimp_rules.xml - - roundcube_rules.xml - - wordpress_rules.xml - - cimserver_rules.xml - - vpopmail_rules.xml - - vmpop3d_rules.xml - - courier_rules.xml - - web_rules.xml - - web_appsec_rules.xml - - apache_rules.xml - - nginx_rules.xml - - php_rules.xml - - mysql_rules.xml - - postgresql_rules.xml - - ids_rules.xml - - squid_rules.xml - - firewall_rules.xml - - cisco-ios_rules.xml - - netscreenfw_rules.xml - - sonicwall_rules.xml - - postfix_rules.xml - - sendmail_rules.xml - - imapd_rules.xml - - mailscanner_rules.xml - - dovecot_rules.xml - - ms-exchange_rules.xml - - racoon_rules.xml - - vpn_concentrator_rules.xml - - spamd_rules.xml - - msauth_rules.xml - - mcafee_av_rules.xml - - trend-osce_rules.xml - - ms-se_rules.xml - - zeus_rules.xml - - solaris_bsm_rules.xml - - vmware_rules.xml - - ms_dhcp_rules.xml - - asterisk_rules.xml - - ossec_rules.xml - - attack_rules.xml - - openbsd_rules.xml - - clam_av_rules.xml - - dropbear_rules.xml - # - customer1_rules.xml - # - customer2_rules.xml - # - customerN_rules.xml - - local_rules.xml - -``` - - diff --git a/roles/debian/ossec/defaults/main.yml b/roles/debian/ossec/defaults/main.yml deleted file mode 100644 index 5c8c681c8..000000000 --- a/roles/debian/ossec/defaults/main.yml +++ /dev/null 
@@ -1,162 +0,0 @@ ---- -# defaults file for ossec - -ossec: - client: true - serverip: "123.123.123.123" - #auth_password should be 32 chars, lowercase letters and numbers, no symbols - auth_password: "xxx" - - global: - email_notification: "yes" - email_to: "admin@example.com" - smtp_server: "mail.google.com" - email_from: "admin@example.com" - white_list: - - "8.8.8.8" - - "4.4.4.4" - alerts: - log_alert_level: 1 - email_alert_level: 7 - - email_alerts: - email_to: "admin@example.com" - level: 14 - - ssl: - domain: "ossec.example.com" - handling: "selfsigned" - replace_existing: false - - syscheck: - frequency: 79200 - directories: - - /etc - - /usr/bin - - /usr/sbin - - /bin - - /sbin - ignore: - - /etc/mtab - - /etc/mnttab - - /etc/hosts.deny - - /etc/mail/statistics - - /etc/random-seed - - /etc/adjtime - - /etc/httpd/logs - - /etc/utmpx - - /etc/wtmpx - - /etc/cups/certs - - /etc/dumpdates - - /etc/svc/volatile - - /etc/puppet - - /etc/resolv.conf - - /etc/hybserv - - rootcheck: - disabled: "no" - rootkit_files: - - /var/ossec/etc/shared/rootkit_files.txt - rootkit_trojans: - - /var/ossec/etc/shared/rootkit_trojans.txt - system_audit: - - /var/ossec/etc/shared/system_audit_rcl.txt - - /var/ossec/etc/shared/cis_debian_linux_rcl.txt - - /var/ossec/etc/shared/cis_rhel_linux_rcl.txt - - /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt - - command: - - name: "firewall-drop" - executable: "firewall-drop.sh" - expect: "srcip" - timeout_allowed: "yes" - - activeresponse: - - disabled: "no" - command: "firewall-drop" - location: "all" - rules_id: "31151,5712,104130,101071,101132,101238,101251,103011" - repeated_offenders: "30,60,120" - timeout: "600" - - disabled: "no" - command: "firewall-drop" - location: "all" - rules_id: "100205" - repeated_offenders: "30,60,120" - timeout: "3600" - - remote: - connection: - - syslog - - secure - - localfile: - - { log_format: "syslog", location: "/var/log/messages" } - - { log_format: "syslog", location: "/var/log/auth.log" } - - { 
log_format: "syslog", location: "/var/log/syslog" } - - { log_format: "syslog", location: "/var/log/mail.info" } - - { log_format: "syslog", location: "/var/log/dpkg.log" } - - rules: - - rules_config.xml - - pam_rules.xml - - sshd_rules.xml - - telnetd_rules.xml - - syslog_rules.xml - - arpwatch_rules.xml - - symantec-av_rules.xml - - symantec-ws_rules.xml - - pix_rules.xml - - named_rules.xml - - smbd_rules.xml - - vsftpd_rules.xml - - proftpd_rules.xml - - ms_ftpd_rules.xml - - ftpd_rules.xml - - hordeimp_rules.xml - - roundcube_rules.xml - - wordpress_rules.xml - - cimserver_rules.xml - - vpopmail_rules.xml - - vmpop3d_rules.xml - - courier_rules.xml - - web_rules.xml - - web_appsec_rules.xml - - apache_rules.xml - - nginx_rules.xml - - php_rules.xml - - mysql_rules.xml - - postgresql_rules.xml - - ids_rules.xml - - squid_rules.xml - - firewall_rules.xml - - cisco-ios_rules.xml - - netscreenfw_rules.xml - - sonicwall_rules.xml - - postfix_rules.xml - - sendmail_rules.xml - - imapd_rules.xml - - mailscanner_rules.xml - - dovecot_rules.xml - - ms-exchange_rules.xml - - racoon_rules.xml - - vpn_concentrator_rules.xml - - spamd_rules.xml - - msauth_rules.xml - - mcafee_av_rules.xml - - trend-osce_rules.xml - - ms-se_rules.xml - - zeus_rules.xml - - solaris_bsm_rules.xml - - vmware_rules.xml - - ms_dhcp_rules.xml - - asterisk_rules.xml - - ossec_rules.xml - - attack_rules.xml - - openbsd_rules.xml - - clam_av_rules.xml - - dropbear_rules.xml - # - customer1_rules.xml - # - customer2_rules.xml - # - customerN_rules.xml - - local_rules.xml diff --git a/roles/debian/ossec/files/local_rules.xml b/roles/debian/ossec/files/local_rules.xml deleted file mode 100644 index 82cdd5363..000000000 --- a/roles/debian/ossec/files/local_rules.xml +++ /dev/null @@ -1,57 +0,0 @@ - - - - - - - - - - 5711 - 192.0.2.1 - Example of rule that will ignore sshd - failed logins from IP 1.1.1.1. - - - - - - - - - - - - - - 
diff --git a/roles/debian/ossec/files/ossec-client-logrotate b/roles/debian/ossec/files/ossec-client-logrotate deleted file mode 100644 index a84f71f3e..000000000 --- a/roles/debian/ossec/files/ossec-client-logrotate +++ /dev/null @@ -1,10 +0,0 @@ -/var/ossec/logs/active-responses.log { - daily - rotate 7 - compress - missingok - notifempty - copytruncate - su root ossec - create 660 ossec ossec -} \ No newline at end of file diff --git a/roles/debian/ossec/handlers/main.yml b/roles/debian/ossec/handlers/main.yml deleted file mode 100644 index ab2aadc9f..000000000 --- a/roles/debian/ossec/handlers/main.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -# handlers file for ossec - -- name: Restart OSSEC. - ansible.builtin.service: - name: "ossec" - state: restarted - -- name: Stop ossec-authd. - failed_when: false - ansible.builtin.command: "pkill ossec-authd" - -- name: Start ossec-authd. - ansible.builtin.command: "/var/ossec/bin/ossec-authd -k {{ ssl_facts[ossec.ssl.domain].key }} -x {{ ssl_facts[ossec.ssl.domain].certificate }}" diff --git a/roles/debian/ossec/tasks/main.yml b/roles/debian/ossec/tasks/main.yml deleted file mode 100644 index 00ff77f0b..000000000 --- a/roles/debian/ossec/tasks/main.yml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -# tasks file for ossec - -- name: Add repository key for OSSEC. - ansible.builtin.apt_key: - url: https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt - state: present - -- name: Add repository for OSSEC. - ansible.builtin.apt_repository: - repo: "deb https://updates.atomicorp.com/channels/atomic/debian {{ ansible_distribution_release }} main" - state: present - -- name: Install OSSEC Server - ansible.builtin.include_tasks: ossec-server.yml - when: not ossec.client - -- name: Install OSSEC Client - ansible.builtin.include_tasks: ossec-client.yml - when: ossec.client - -- name: Copy OSSEC configuration - ansible.builtin.template: - src: ossec.conf.j2 - dest: "/var/ossec/etc/ossec.conf" - owner: root - group: ossec - mode: "0440" - notify: Restart OSSEC. diff --git a/roles/debian/ossec/tasks/ossec-client.yml b/roles/debian/ossec/tasks/ossec-client.yml deleted file mode 100644 index 02d5806f3..000000000 --- a/roles/debian/ossec/tasks/ossec-client.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -# tasks file for ossec-client - -- name: Ensure OSSEC is installed. - ansible.builtin.apt: - pkg: ["ossec-hids-agent"] - state: present - update_cache: true - -- name: Set logrotate file - ansible.builtin.copy: - src: "ossec-client-logrotate" - dest: "/etc/logrotate.d/ossec-client" - owner: root - group: root - mode: "0644" - -- name: Copy OSSEC authentication password. - ansible.builtin.template: - src: authd.pass.j2 - dest: "/var/ossec/etc/authd.pass" - owner: root - group: ossec - mode: "0440" - -- name: Register client against OSSEC server. - ansible.builtin.command: "/var/ossec/bin/agent-auth -m {{ ossec.serverip }} -P /var/ossec/etc/authd.pass" \ No newline at end of file diff --git a/roles/debian/ossec/tasks/ossec-server.yml b/roles/debian/ossec/tasks/ossec-server.yml deleted file mode 100644 index b518ae2a7..000000000 --- a/roles/debian/ossec/tasks/ossec-server.yml +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -# tasks file for ossec-server - -- name: Ensure OSSEC is installed. - ansible.builtin.apt: - pkg: ["ossec-hids-server"] - state: present - update_cache: true - -# systemd timer that starts the ossec-watchdog 1 minute after server start up -- name: Set ossec-watchdog systemd timer. - ansible.builtin.include_role: - name: contrib/systemd_timers - vars: - timers: - ossec_watchdog: - timer_command: "nohup /usr/local/bin/ossec-watchdog > /tmp/ossec-watchdog.log" - timer_OnStartupSec: 1m - -- name: Set ossec-watchdog script. - ansible.builtin.template: - src: "ossec_watchdog.j2" - dest: "/usr/local/bin/ossec-watchdog" - owner: root - group: root - mode: "0755" - -- name: Copy OSSEC rules. - ansible.builtin.copy: - src: "{{ item }}" - dest: "/var/ossec/rules/" - owner: root - group: ossec - mode: "0550" - with_fileglob: "*_rules.xml" - notify: Restart OSSEC. - -- name: Copy OSSEC authentication password. - ansible.builtin.template: - src: authd.pass.j2 - dest: "/var/ossec/etc/authd.pass" - owner: root - group: ossec - mode: "0440" - notify: - - Stop ossec-authd. - - Start ossec-authd. - -- name: Generates SSL keys. - ansible.builtin.include_role: - name: debian/ssl - vars: - ssl: "{{ ossec.ssl }}" - -- name: Start ossec-authd. - ansible.builtin.command: "/var/ossec/bin/ossec-authd -k {{ ssl_facts[ossec.ssl.domain].key }} -x {{ ssl_facts[ossec.ssl.domain].certificate }}" diff --git a/roles/debian/ossec/templates/authd.pass.j2 b/roles/debian/ossec/templates/authd.pass.j2 deleted file mode 100644 index 8b00576b8..000000000 --- a/roles/debian/ossec/templates/authd.pass.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ ossec.auth_password }} diff --git a/roles/debian/ossec/templates/ossec.conf.j2 b/roles/debian/ossec/templates/ossec.conf.j2 deleted file mode 100644 index 15dde4f05..000000000 --- a/roles/debian/ossec/templates/ossec.conf.j2 +++ /dev/null 
@@ -1,106 +0,0 @@ - -{% if ossec.client %} - - {{ ossec.serverip }} - - -{% endif %} - -{% if not ossec.client %} - {{ ossec.global.email_notification }} - {{ ossec.global.email_to }} - {{ ossec.global.smtp_server }} - {{ ossec.global.email_from }} -{% endif %} - 127.0.0.1 - ^localhost.localdomain$ -{% for item in ossec.global.white_list %} - {{ item }} -{% endfor %} - - -{% if not ossec.client %} - - {{ ossec.email_alerts.email_to }} - {{ ossec.email_alerts.level }} - - - -{% endif %} - - - {{ ossec.syscheck.frequency }} -{% for item in ossec.syscheck.directories %} - {{ item }} -{% endfor %} -{% for item in ossec.syscheck.ignore %} - {{ item }} -{% endfor %} - - - - {{ ossec.rootcheck.disabled }} -{% for item in ossec.rootcheck.rootkit_files %} - {{ item }} -{% endfor %} -{% for item in ossec.rootcheck.rootkit_trojans %} - {{ item }} -{% endfor %} -{% for item in ossec.rootcheck.system_audit %} - {{ item }} -{% endfor %} - - -{% for item in ossec.command %} - - {{ item.name }} - {{item.executable}} - {{item.expect}} - {{item.timeout_allowed}} - -{% endfor %} - -{% if not ossec.activeresponse|length %} - - no -{% else %} -{% for item in ossec.activeresponse %} - - {{ item.disabled }} - {{ item.command }} - {{ item.location }} - {{ item.rules_id }} - {{ item.repeated_offenders }} - {{ item.timeout }} - -{% endfor %} -{% endif %} - -{% if not ossec.client %} -{% for item in ossec.remote.connection %} - - {{ item }} - -{% endfor %} - - - {{ ossec.alerts.log_alert_level }} - {{ ossec.alerts.email_alert_level }} - -{% endif %} - -{% for item in ossec.localfile %} - - {{ item.log_format }} - {{ item.location }} - - -{% endfor %} -{% if not ossec.client %} - -{% for item in ossec.rules %} - {{ item }} -{% endfor %} - -{% endif %} - diff --git a/roles/debian/ossec/templates/ossec_watchdog.j2 b/roles/debian/ossec/templates/ossec_watchdog.j2 deleted file mode 100644 index 00239411a..000000000 --- a/roles/debian/ossec/templates/ossec_watchdog.j2 +++ /dev/null 
@@ -1,17 +0,0 @@ -#!/bin/bash -# Basic script to check if ossec is running and if not, start it. -# -check_daemon() { - pgrep -f [o]ssec-syscheckd > /dev/null -} - -while [ 1 ]; do - check_daemon - - # if not found - equals to 1, start it - if [ $? -eq 1 ]; then - /etc/init.d/ossec restart > /dev/null 2>&1 - echo "OSSEC was not running. Restarting" | mail -s "OSSEC restarted on `hostname`" "{{ ossec.global.email_to }}" - fi - sleep 5; -done diff --git a/roles/debian/pam_linotp/README.md b/roles/debian/pam_linotp/README.md new file mode 100644 index 000000000..a041b09e5 --- /dev/null +++ b/roles/debian/pam_linotp/README.md @@ -0,0 +1,19 @@ +# PAM LinOTP +Authentication module for integrating PAM logins with LinOTP second factor of authentication. We package this from source ourselves, as [LinOTP provide the source code on GitHub](https://github.com/LinOTP/linotp-auth-pam) but no APT package. + + +## Default variables +```yaml +--- +pam_linotp: + apt_signed_by: https://packages.codeenigma.net/debian/codeenigma.pub + # LinOTP endpoint. + endpoint: "" + # PAM policies. + su: true + sudo: true + ssh: true + +``` + + diff --git a/roles/debian/pam_linotp/defaults/main.yml b/roles/debian/pam_linotp/defaults/main.yml index a918348a3..45ef92775 100644 --- a/roles/debian/pam_linotp/defaults/main.yml +++ b/roles/debian/pam_linotp/defaults/main.yml @@ -1,5 +1,6 @@ --- pam_linotp: + apt_signed_by: https://packages.codeenigma.net/debian/codeenigma.pub # LinOTP endpoint. endpoint: "" # PAM policies. diff --git a/roles/debian/pam_linotp/tasks/main.yml b/roles/debian/pam_linotp/tasks/main.yml index d7fe822a2..21ce14fd8 100644 --- a/roles/debian/pam_linotp/tasks/main.yml +++ b/roles/debian/pam_linotp/tasks/main.yml 
@@ -1,14 +1,24 @@ --- -- name: Add key for LinOTP repository. - ansible.builtin.apt_key: - keyserver: https://packages.codeenigma.net/debian/codeenigma.pub - id: 77AFCA1C45124FBB2EFCD7267DC594C08E0497D4 - state: present +- name: Add Code Enigma repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb https://packages.codeenigma.net/debian {{ ansible_distribution_release }} main" + name: ce + types: + - deb + uris: + - https://packages.codeenigma.net/debian + signed_by: "{{ pam_linotp.apt_signed_by }}" + suites: "{{ ansible_distribution_release }}" + components: + - main + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 00:45:00" -- name: Add repository for LinOTP. - ansible.builtin.apt_repository: - repo: "deb https://packages.codeenigma.net/debian {{ ansible_distribution_release }} main" - state: present +# @TODO add to unattended-upgrades - might not be necessary, as we rarely package new releases? - name: Ensure libpam-linotp is installed. ansible.builtin.apt: diff --git a/roles/debian/php-common/README.md b/roles/debian/php-common/README.md index a0c7a71e3..a89a082c0 100644 --- a/roles/debian/php-common/README.md +++ b/roles/debian/php-common/README.md @@ -12,6 +12,7 @@ Installs and configures PHP core and required components. php: version: - 8.1 # see https://www.php.net/supported-versions.php + apt_signed_by: https://packages.sury.org/php/apt.gpg apt_origin: "origin=deb.sury.org,codename=${distro_codename}" # used by apt_unattended_upgrades ``` diff --git a/roles/debian/php-common/defaults/main.yml b/roles/debian/php-common/defaults/main.yml index 39e56ebe3..bcf3a3908 100644 --- a/roles/debian/php-common/defaults/main.yml +++ b/roles/debian/php-common/defaults/main.yml 
@@ -2,4 +2,5 @@ php: version: - 8.1 # see https://www.php.net/supported-versions.php + apt_signed_by: https://packages.sury.org/php/apt.gpg apt_origin: "origin=deb.sury.org,codename=${distro_codename}" # used by apt_unattended_upgrades diff --git a/roles/debian/php-common/tasks/main.yml b/roles/debian/php-common/tasks/main.yml index 08d2a3755..f702cfc7c 100644 --- a/roles/debian/php-common/tasks/main.yml +++ b/roles/debian/php-common/tasks/main.yml @@ -1,16 +1,22 @@ --- -- name: Add Sury repository key for PHP. - ansible.builtin.apt_key: - url: https://packages.sury.org/php/apt.gpg - state: "{{ item }}" - with_items: - - absent - - present - -- name: Add Sury repository. - ansible.builtin.apt_repository: - repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" - state: present +- name: Add Sury repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" + name: sury + types: + - deb + uris: + - https://packages.sury.org/php/ + signed_by: "{{ php.apt_signed_by }}" + suites: "{{ ansible_distribution_release }}" + components: + - main + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 01:00:00" - name: Pin Sury packages. ansible.builtin.template: diff --git a/roles/debian/php_blackfire/defaults/main.yml b/roles/debian/php_blackfire/defaults/main.yml index 1444bded9..323e94a55 100644 --- a/roles/debian/php_blackfire/defaults/main.yml +++ b/roles/debian/php_blackfire/defaults/main.yml @@ -1,5 +1,6 @@ --- blackfire: + apt_signed_by: https://packages.blackfire.io/gpg.key enable: false agent_server_id: "" agent_server_token: "" diff --git a/roles/debian/php_blackfire/tasks/main.yml b/roles/debian/php_blackfire/tasks/main.yml index 08c80296b..2cdc85896 100644 --- a/roles/debian/php_blackfire/tasks/main.yml +++ b/roles/debian/php_blackfire/tasks/main.yml 
@@ -19,16 +19,24 @@ state: absent when: not blackfire.enable -- name: Add key for Blackfire repository. - ansible.builtin.apt_key: - url: https://packages.blackfire.io/gpg.key - state: present - when: blackfire.enable - -- name: Add repository for Blackfire. - ansible.builtin.apt_repository: - repo: "deb http://packages.blackfire.io/debian any main" - state: present +- name: Add Blackfire repository and key. + ansible.builtin.include_role: + name: debian/apt_repository + vars: + apt_repository: + legacy_repo: "deb http://packages.blackfire.io/debian any main" + name: blackfire + types: + - deb + uris: + - http://packages.blackfire.io/debian + signed_by: "{{ blackfire.apt_signed_by }}" + suites: any + components: + - main + state: present + enabled: true + key_refresh_timer_OnCalendar: "Mon *-*-* 01:05:00" when: blackfire.enable - name: Ensure Blackfire agent is installed. diff --git a/roles/debian/python_common/README.md b/roles/debian/python_common/README.md index 94573f816..c2c5f9178 100644 --- a/roles/debian/python_common/README.md +++ b/roles/debian/python_common/README.md @@ -19,8 +19,10 @@ python_common: # Commonly required Python system packages install_packages: - python3-distutils + - python3-debian - python3-venv - cloud-init # package can get removed with python3-yaml but we need it for auto-scale + ``` diff --git a/roles/debian/python_common/defaults/main.yml b/roles/debian/python_common/defaults/main.yml index 1d8d7bf42..e181f5825 100644 --- a/roles/debian/python_common/defaults/main.yml +++ b/roles/debian/python_common/defaults/main.yml @@ -10,5 +10,6 @@ python_common: # Commonly required Python system packages install_packages: - python3-distutils + - python3-debian - python3-venv - - cloud-init # package can get removed with python3-yaml but we need it for auto-scale \ No newline at end of file + - cloud-init # package can get removed with python3-yaml but we need it for auto-scale 
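Review bot: the pam_linotp tasks hunk drops the fingerprint pin when it replaces `apt_key` (which carried `id: 77AFCA1C45124FBB2EFCD7267DC594C08E0497D4`) with `signed_by: "{{ pam_linotp.apt_signed_by }}"`, so trust in the Code Enigma repository now rests only on TLS to packages.codeenigma.net, and the weekly `key_refresh_timer_OnCalendar` re-fetches whatever key that host serves with no check at all. Suggest the `debian/apt_repository` role accept an optional expected fingerprint (or a checksum of the key file) and fail when the downloaded key does not match; the same applies to the Sury and Blackfire hunks in this patch, which never had a pin but now refresh unattended.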
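Review bot: in the php_blackfire tasks hunk both `legacy_repo` and `uris` use `http://packages.blackfire.io/debian` while the key is fetched from `https://packages.blackfire.io/gpg.key`. APT still verifies the InRelease signature against the `signed_by` key, so this is not a code-execution hole, but plain HTTP exposes which packages and versions each host pulls; if the vendor serves the repository over HTTPS, switch the two URIs to match the key URL, and if it does not, say so in a comment so the mismatch is not read as an oversight.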
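Review bot: the pam_linotp tasks hunk commits `# @TODO add to unattended-upgrades - might not be necessary, as we rarely package new releases?` in place of the removed repository tasks. The php-common defaults in the same patch already show the pattern (`apt_origin: ... # used by apt_unattended_upgrades`), so either add the matching origin for the Code Enigma repository now or replace the TODO with a one-line statement of the decision (libpam-linotp is not auto-upgraded) and a tracking issue; an open question in a PAM module's install path is the kind of comment that never gets revisited.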
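Review bot: the OSSEC hunks delete roles/debian/ossec in full (defaults, handlers, tasks, templates, local_rules.xml, logrotate), but nothing visible in this patch removes a generated docs page or warns consumers whose group_vars still carry an `ossec:` block. Confirm the docs index and any example vars were updated in the same change, otherwise the published documentation keeps advertising a role that no longer exists and stale `ossec.auth_password` values linger in inventories for no reason.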
From ffdb991c754d551ef0cef29c968139cc8bbed6c4 Mon Sep 17 00:00:00 2001 From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Wed, 8 May 2024 11:50:28 +0300 Subject: [PATCH 120/331] required_paramater_for_gp3_storage_type_tidying_up_and_refactoring (#1641) * required_paramater_for_gp3_storage_type_tidying_up_and_refactoring * fix vars * fixing more vars * fixing more vars * fixing loop in template --- .../aws_ec2_autoscale_cluster/defaults/main.yml | 14 +++++++------- roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml | 6 +++--- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml index 5d77ce7c1..03e99461c 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml @@ -159,10 +159,10 @@ aws_ec2_autoscale_cluster: region: "{{ _aws_region }}" # Associated RDS instance. rds: - rds: false # wether to create an instance. + rds: false # whether to create an instance. db_instance_class: db.t3.medium - name: "{{ aws_ec2_autoscale_cluster.name }}" - description: "{{ aws_ec2_autoscale_cluster.name }}" + # name: example # Default is cluster name. + # description: example # Default is cluster name. multi_az: true publicly_accessible: false # Wether to allocate an IP address. engine: mariadb 
@@ -171,12 +171,12 @@ aws_ec2_autoscale_cluster: aurora_suffix: blue # appended to cluster name to create a unique instance name for the first (initially write) instance. aurora_reader: false # If true, an Aurora reader instance will be created. aurora_reader_suffix: green # appended to cluster name to create unique instance name for the second (initially read-only) instance - must not match aurora_suffix. - db_cluster_identifier: "{{ aws_ec2_autoscale_cluster.name }}" + # db_cluster_identifier: example # Default is cluster name. # See parameter group docs: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_param_group_module.html - # db_parameter_group_name: "example" # Omit to use default - # db_parameter_group_description: "Custom parameter group" # Description of parameter group + # db_parameter_group_name: "example" # Omit to use default. + # db_parameter_group_description: "Custom parameter group" # Description of parameter group. # db_parameter_group_engine: "mariadb10.5" # accepts different values to RDS instance 'engine' - # db_parameters: {} # dictionary of available parameters + # db_parameters: {} # dictionary of available parameters. # character_set_name: undefined # not required. The character set to associate with the DB cluster. allocated_storage: 100 # Initial size in GB. Minimum is 100. max_allocated_storage: 1000 # Max size in GB for autoscaling. diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index 099620e23..45f0479e9 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml 
@@ -129,15 +129,15 @@ aws_profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" region: "{{ aws_ec2_autoscale_cluster.region }}" db_instance_class: "{{ aws_ec2_autoscale_cluster.rds.db_instance_class }}" - name: "{{ aws_ec2_autoscale_cluster.rds.name }}" - description: "{{ aws_ec2_autoscale_cluster.rds.description }}" + name: "{{ aws_ec2_autoscale_cluster.rds.name | default(aws_ec2_autoscale_cluster.name) }}" + description: "{{ aws_ec2_autoscale_cluster.rds.description | default(aws_ec2_autoscale_cluster.name) }}" multi_az: "{{ aws_ec2_autoscale_cluster.rds.multi_az }}" subnets: "{{ _aws_ec2_autoscale_cluster_subnets_ids }}" security_groups: "{{ aws_ec2_autoscale_cluster.rds_security_groups + [_aws_ec2_autoscale_cluster_security_group.group_name] }}" publicly_accessible: "{{ aws_ec2_autoscale_cluster.rds.publicly_accessible }}" engine: "{{ aws_ec2_autoscale_cluster.rds.engine }}" engine_version: "{{ aws_ec2_autoscale_cluster.rds.engine_version | default(omit) }}" - db_cluster_identifier: "{{ aws_ec2_autoscale_cluster.rds.db_cluster_identifier | default(omit) }}" + db_cluster_identifier: "{{ aws_ec2_autoscale_cluster.rds.db_cluster_identifier | default(aws_ec2_autoscale_cluster.name) }}" aurora_suffix: "{{ aws_ec2_autoscale_cluster.rds.aurora_suffix }}" aurora_reader: false "{{ aws_ec2_autoscale_cluster.rds.aurora_reader }}" aurora_reader_suffix: "{{ aws_ec2_autoscale_cluster.rds.aurora_reader_suffix }}" From 9e856a01f1783dc70207b17f072b270164dc5248 Mon Sep 17 00:00:00 2001 From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Wed, 8 May 2024 12:17:36 +0300 Subject: [PATCH 121/331] fixing_rds_vars (#1652) --- roles/aws/aws_rds/defaults/main.yml | 2 +- roles/aws/aws_rds/tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/aws/aws_rds/defaults/main.yml b/roles/aws/aws_rds/defaults/main.yml index 0649b2478..392647906 100644 --- a/roles/aws/aws_rds/defaults/main.yml 
+++ b/roles/aws/aws_rds/defaults/main.yml @@ -17,7 +17,7 @@ aws_rds: aurora_suffix: blue # appended to cluster name to create a unique instance name for the first (initially write) instance. aurora_reader: false # If true, an Aurora reader instance will be created. aurora_reader_suffix: green # appended to cluster name to create unique instance name for the second (initially read-only) instance - must not match aurora_suffix. - db_cluster_identifier: "{{ aws_rds.name }}" + # db_cluster_identifier: example # Default is RDS name. # See parameter group docs: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_param_group_module.html # db_parameter_group_name: "example" # Omit to use default. # db_parameter_group_description: "Custom parameter group" # Description of parameter group. diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml index 3fdeb1772..bac008c02 100644 --- a/roles/aws/aws_rds/tasks/main.yml +++ b/roles/aws/aws_rds/tasks/main.yml @@ -27,7 +27,7 @@ amazon.aws.rds_instance: db_instance_identifier: "{{ aws_rds.name }}-{{ aws_rds.aurora_suffix }}" db_instance_class: "{{ aws_rds.db_instance_class }}" - db_cluster_identifier: "{{ aws_rds.db_cluster_identifier }}" + db_cluster_identifier: "{{ aws_rds.db_cluster_identifier | default(aws_rds.name) }}" db_parameter_group_name: "{{ aws_rds.db_parameter_group_name | default(omit) }}" state: "{{ aws_rds.state }}" engine: "{{ aws_rds.engine }}" @@ -46,7 +46,7 @@ - name: Create Aurora RDS reader instance. amazon.aws.rds_instance: db_instance_identifier: "{{ aws_rds.name }}-{{ aws_rds.aurora_reader_suffix }}" - db_cluster_identifier: "{{ aws_rds.db_cluster_identifier }}" + db_cluster_identifier: "{{ aws_rds.db_cluster_identifier | default(aws_rds.name) }}" db_instance_class: "{{ aws_rds.db_instance_class }}" db_parameter_group_name: "{{ aws_rds.db_parameter_group_name | default(omit) }}" state: "{{ aws_rds.state }}" 
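Review bot: in the aws_ec2_autoscale_cluster defaults hunk the line `publicly_accessible: false # Wether to allocate an IP address.` keeps the `Wether` typo that the line above it just corrected to `whether`; fix both while touching the block. In the tasks hunk, `db_cluster_identifier` moves from `default(omit)` to `default(aws_ec2_autoscale_cluster.name)`, so a cluster identifier is now always passed where it used to be omitted; the defaults in the same patch set `engine: mariadb`, which is not a cluster engine, so confirm this task is only reached for Aurora or keep `omit` for non-Aurora engines. The unchanged context line `aurora_reader: false "{{ aws_ec2_autoscale_cluster.rds.aurora_reader }}"` also looks like a stray `false` left in front of the template; it evaluates to a string rather than a boolean and is worth fixing in this pass.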
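Review bot: the aws_rds tasks hunk repeats `db_cluster_identifier: "{{ aws_rds.db_cluster_identifier | default(aws_rds.name) }}"` in both the writer and the reader task, and the defaults comment `# db_cluster_identifier: example # Default is RDS name.` now documents behaviour that lives in two places. Compute the identifier once (a set_fact ahead of the two rds_instance tasks) so the fallback cannot drift between writer and reader, which would silently create the reader in a different cluster than the one the writer belongs to.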
From 6135c887fb3fb92879fccf31f758892aa7192739 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 8 May 2024 12:00:02 +0200 Subject: [PATCH 122/331] Fixing-aws-acl-condition (#1654) Co-authored-by: Matej Stajduhar --- roles/aws/aws_cloudfront_distribution/tasks/main.yml | 2 +- roles/aws/aws_elb/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml index 8fae00293..56d51405d 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.include_role: name: aws/aws_acl when: - - aws_acl is defined + - aws_acl.scope is defined - aws_acl.scope == 'CLOUDFRONT' # Creating bucket for CF logging diff --git a/roles/aws/aws_elb/tasks/main.yml b/roles/aws/aws_elb/tasks/main.yml index 0e3408645..59443e1b3 100644 --- a/roles/aws/aws_elb/tasks/main.yml +++ b/roles/aws/aws_elb/tasks/main.yml @@ -139,7 +139,7 @@ ansible.builtin.include_role: name: aws/aws_acl when: - - aws_acl is defined + - aws_acl.scope is defined - aws_acl.scope == 'REGIONAL' - name: Get ALB listener ARN for port 443. From 2044147832b84769e590a769b2d4782670954665 Mon Sep 17 00:00:00 2001 
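Review bot: changing the guard from `aws_acl is defined` to `aws_acl.scope is defined` in both aws_cloudfront_distribution and aws_elb handles the case where `aws_acl` exists but carries no `scope`, but the commit has no body and neither `when:` block has a comment. Add a short comment at each condition saying that `aws_acl.scope` is the selector (CLOUDFRONT vs REGIONAL) and that an `aws_acl` block without a scope is deliberately skipped by both roles; as written, a caller who sets `aws_acl` but forgets `scope` gets no WAF attached and no warning, so an assert on `aws_acl is defined and aws_acl.scope is not defined` would make the failure visible instead of silent.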
From: Greg Harvey Date: Mon, 13 May 2024 17:13:10 +0200 Subject: [PATCH 123/331] Apt repo role pr 2.x (#1661) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. 
* Adding missing repo format var to all APT repo handling. * Updating docs. --- docs/roles/aws/aws_acl.md | 5 ++- docs/roles/aws/aws_ec2_autoscale_cluster.md | 33 ++++++++++---- docs/roles/aws/aws_rds.md | 45 ++++++++++++------- roles/aws/aws_acl/README.md | 1 + roles/aws/aws_ec2_autoscale_cluster/README.md | 33 ++++++++++---- roles/aws/aws_rds/README.md | 45 ++++++++++++------- roles/debian/apt_repository/tasks/main.yml | 9 ++-- roles/debian/docker_ce/tasks/main.yml | 1 + roles/debian/gitlab/tasks/main.yml | 1 + roles/debian/gitlab_runner/tasks/main.yml | 1 + roles/debian/lhci/tasks/main.yml | 1 + .../mysql_server_oracle_ce/tasks/main.yml | 1 + roles/debian/nodejs/tasks/main.yml | 2 + roles/debian/pam_linotp/tasks/main.yml | 1 + roles/debian/php-common/tasks/main.yml | 1 + roles/debian/php_blackfire/tasks/main.yml | 1 + 16 files changed, 126 insertions(+), 55 deletions(-) diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md index e61200e38..2022797f8 100644 --- a/docs/roles/aws/aws_acl.md +++ b/docs/roles/aws/aws_acl.md @@ -12,9 +12,11 @@ rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many aws_acl: name: example_master_acl scope: CLOUDFRONT # Can be REGIONAL for ALBs - region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped tags: {} + botControl: true + inspection: "COMMON" # or set to TARGETED inspection level + ip_allow: name: "Allowed-ips" list: [] @@ -34,6 +36,7 @@ aws_acl: #- CN # China #- IR # Iran #- SA # Saudi Arabia + ``` diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md index 4f3b75255..6278a17d0 100644 --- a/docs/roles/aws/aws_ec2_autoscale_cluster.md +++ b/docs/roles/aws/aws_ec2_autoscale_cluster.md 
@@ -178,22 +178,39 @@ aws_ec2_autoscale_cluster: region: "{{ _aws_region }}" # Associated RDS instance. rds: - rds: false # wether to create an instance. + rds: false # whether to create an instance. db_instance_class: db.t3.medium - #db_cluster_identifier: example-aurora-cluster + # name: example # Default is cluster name. + # description: example # Default is cluster name. + multi_az: true + publicly_accessible: false # Wether to allocate an IP address. engine: mariadb - aurora_reader: false - #engine_version: 5.7.9 - # db_parameter_group_name: "example" # Omit to use default - # db_parameter_group_description: "Custom parameter group" # Description of parameter group + # engine_version: '5.7.2' # Omit to use latest. + # In an Aurora cluster reader and writer can swap role at any time, so by default we name them 'blue' and 'green'. + aurora_suffix: blue # appended to cluster name to create a unique instance name for the first (initially write) instance. + aurora_reader: false # If true, an Aurora reader instance will be created. + aurora_reader_suffix: green # appended to cluster name to create unique instance name for the second (initially read-only) instance - must not match aurora_suffix. + # db_cluster_identifier: example # Default is cluster name. + # See parameter group docs: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_param_group_module.html + # db_parameter_group_name: "example" # Omit to use default. + # db_parameter_group_description: "Custom parameter group" # Description of parameter group. # db_parameter_group_engine: "mariadb10.5" # accepts different values to RDS instance 'engine' - # db_parameters: {} # dictionary of available parameters + # db_parameters: {} # dictionary of available parameters. + # character_set_name: undefined # not required. The character set to associate with the DB cluster. allocated_storage: 100 # Initial size in GB. Minimum is 100. max_allocated_storage: 1000 # Max size in GB for autoscaling. 
storage_encrypted: false # Whether to encrypt the RDS instance or not. + # storage_type: standard # not required. choices: standard;gp2;gp3;io1. I(storage_type) does not apply to Aurora DB instances. + # storage_throughput: 125 # required if storage_type is "gp3". For <400Gb storage it's limited to 125Mbs. Requires botocore >= 1.29.0 master_username: hello # The name of the master user for the DB cluster. Must be 1-16 letters or numbers and begin with a letter. master_user_password: hellothere - multi_az: true + # force_update_password: true # not required. Set to True to update your cluster password with I(master_user_password). + # enable_performance_insights: undefined # not required. Whether to enable Performance Insights for the DB instance. + # preferred_backup_window: undefined # not required. The daily time range (in UTC) of at least 30 minutes, during which automated backups are created if automated backups are enabled using I(backup_retention_period). The option must be in the format of "hh24:mi-hh24:mi" and not conflict with I(preferred_maintenance_window). + copy_tags_to_snapshot: true + # preferred_maintenance_window: undefined # not required. The weekly time range (in UTC) of at least 30 minutes, during which system maintenance can occur. Sample: "sun:09:31-sun:10:01". + allow_major_version_upgrade: false + # auto_minor_version_upgrade: undefined # not required. Whether minor version upgrades are applied automatically to the DB instance during the maintenance window. rds_cloudwatch_alarms: - name: "example_free_storage_space_threshold_{{ _env_type }}_asg" description: "Average database free storage space over the last 10 minutes too low." diff --git a/docs/roles/aws/aws_rds.md b/docs/roles/aws/aws_rds.md index 58ee11261..c77337bfe 100644 --- a/docs/roles/aws/aws_rds.md +++ b/docs/roles/aws/aws_rds.md 
@@ -18,34 +18,45 @@ You'll need to have created the subnet group first as well as the security group aws_rds: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" + db_instance_class: db.t3.medium + name: example + description: example multi_az: true - # You must provide at least two subnets in two different AZs, even for single AZ deployments. + # You must provide at least two subnets in two different AZs, even for single AZ deployments. subnets: - subnet-aaaaaaaa - subnet-bbbbbbbb - name: example - tags: {} - db_instance_class: db.t3.medium - state: present - description: example + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role. + publicly_accessible: false # Wether to allocate an IP address. engine: mariadb - # In an Aurora cluster reader and writer can swap role at any time, so by default we name them 'blue' and 'green' - aurora_suffix: blue # appended to cluster name to create a unique instance name for the first (initially write) instance - aurora_reader: false # If true, an Aurora reader instance will be created. - aurora_reader_suffix: green # appended to cluster name to create unique instance name for the second (initially read-only) instance - must not match aurora_suffix # engine_version: '5.7.2' # Omit to use latest. - # See parameter group docs: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_param_group_module.html - # db_parameter_group_name: "example" # Omit to use default - # db_parameter_group_description: "Custom parameter group" # Description of parameter group - # db_parameter_group_engine: "mariadb10.5" # accepts different values to RDS instance 'engine' - # db_parameters: {} # dictionary of available parameters + # In an Aurora cluster reader and writer can swap role at any time, so by default we name them 'blue' and 'green'. + aurora_suffix: blue # appended to cluster name to create a unique instance name for the first (initially write) instance. 
+ aurora_reader: false # If true, an Aurora reader instance will be created. + aurora_reader_suffix: green # appended to cluster name to create unique instance name for the second (initially read-only) instance - must not match aurora_suffix. + # db_cluster_identifier: example # Default is RDS name. + # See parameter group docs: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_param_group_module.html + # db_parameter_group_name: "example" # Omit to use default. + # db_parameter_group_description: "Custom parameter group" # Description of parameter group. + # db_parameter_group_engine: "mariadb10.5" # accepts different values to RDS instance 'engine'. + # db_parameters: {} # dictionary of available parameters. + # character_set_name: undefined # not required. The character set to associate with the DB cluster. allocated_storage: 100 # Initial size in GB. Minimum is 100. max_allocated_storage: 1000 # Max size in GB for autoscaling. storage_encrypted: false # Whether to encrypt the RDS instance or not. + # storage_type: standard # not required. choices: standard;gp2;gp3;io1. I(storage_type) does not apply to Aurora DB instances. + # storage_throughput: 125 # required if storage_type is "gp3". For <400Gb storage it's limited to 125Mbs. Requires botocore >= 1.29.0 master_username: hello # The name of the master user for the DB cluster. Must be 1-16 letters or numbers and begin with a letter. master_user_password: hellothere - publicly_accessible: false # Wether to allocate an IP address - security_groups: [] # list of security group names, converted to IDs by aws_security_groups role + force_update_password: true # not required. Set to True to update your cluster password with I(master_user_password). + # enable_performance_insights: undefined # not required. Whether to enable Performance Insights for the DB instance. + # preferred_backup_window: undefined # not required. 
The daily time range (in UTC) of at least 30 minutes, during which automated backups are created if automated backups are enabled using I(backup_retention_period). The option must be in the format of "hh24:mi-hh24:mi" and not conflict with I(preferred_maintenance_window). + copy_tags_to_snapshot: true + # preferred_maintenance_window: undefined # not required. The weekly time range (in UTC) of at least 30 minutes, during which system maintenance can occur. Sample: "sun:09:31-sun:10:01". + allow_major_version_upgrade: false + # auto_minor_version_upgrade: undefined # not required. Whether minor version upgrades are applied automatically to the DB instance during the maintenance window. + tags: {} + state: present rds_cloudwatch_alarms: # name will have the RDS identifier prepended. - name: "example_free_storage_space_threshold_{{ _env_type }}_asg" description: "Average database free storage space over the last 10 minutes too low." diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index 65b4ba7fb..2022797f8 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -36,6 +36,7 @@ aws_acl: #- CN # China #- IR # Iran #- SA # Saudi Arabia + ``` diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index 4f3b75255..6278a17d0 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md 
@@ -178,22 +178,39 @@ aws_ec2_autoscale_cluster: region: "{{ _aws_region }}" # Associated RDS instance. rds: - rds: false # wether to create an instance. + rds: false # whether to create an instance. db_instance_class: db.t3.medium - #db_cluster_identifier: example-aurora-cluster + # name: example # Default is cluster name. + # description: example # Default is cluster name. + multi_az: true + publicly_accessible: false # Wether to allocate an IP address. engine: mariadb - aurora_reader: false - #engine_version: 5.7.9 - # db_parameter_group_name: "example" # Omit to use default - # db_parameter_group_description: "Custom parameter group" # Description of parameter group + # engine_version: '5.7.2' # Omit to use latest. + # In an Aurora cluster reader and writer can swap role at any time, so by default we name them 'blue' and 'green'. + aurora_suffix: blue # appended to cluster name to create a unique instance name for the first (initially write) instance. + aurora_reader: false # If true, an Aurora reader instance will be created. + aurora_reader_suffix: green # appended to cluster name to create unique instance name for the second (initially read-only) instance - must not match aurora_suffix. + # db_cluster_identifier: example # Default is cluster name. + # See parameter group docs: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_param_group_module.html + # db_parameter_group_name: "example" # Omit to use default. + # db_parameter_group_description: "Custom parameter group" # Description of parameter group. # db_parameter_group_engine: "mariadb10.5" # accepts different values to RDS instance 'engine' - # db_parameters: {} # dictionary of available parameters + # db_parameters: {} # dictionary of available parameters. + # character_set_name: undefined # not required. The character set to associate with the DB cluster. allocated_storage: 100 # Initial size in GB. Minimum is 100. max_allocated_storage: 1000 # Max size in GB for autoscaling. 
storage_encrypted: false # Whether to encrypt the RDS instance or not. + # storage_type: standard # not required. choices: standard;gp2;gp3;io1. I(storage_type) does not apply to Aurora DB instances. + # storage_throughput: 125 # required if storage_type is "gp3". For <400Gb storage it's limited to 125Mbs. Requires botocore >= 1.29.0 master_username: hello # The name of the master user for the DB cluster. Must be 1-16 letters or numbers and begin with a letter. master_user_password: hellothere - multi_az: true + # force_update_password: true # not required. Set to True to update your cluster password with I(master_user_password). + # enable_performance_insights: undefined # not required. Whether to enable Performance Insights for the DB instance. + # preferred_backup_window: undefined # not required. The daily time range (in UTC) of at least 30 minutes, during which automated backups are created if automated backups are enabled using I(backup_retention_period). The option must be in the format of "hh24:mi-hh24:mi" and not conflict with I(preferred_maintenance_window). + copy_tags_to_snapshot: true + # preferred_maintenance_window: undefined # not required. The weekly time range (in UTC) of at least 30 minutes, during which system maintenance can occur. Sample: "sun:09:31-sun:10:01". + allow_major_version_upgrade: false + # auto_minor_version_upgrade: undefined # not required. Whether minor version upgrades are applied automatically to the DB instance during the maintenance window. rds_cloudwatch_alarms: - name: "example_free_storage_space_threshold_{{ _env_type }}_asg" description: "Average database free storage space over the last 10 minutes too low." diff --git a/roles/aws/aws_rds/README.md b/roles/aws/aws_rds/README.md index 58ee11261..c77337bfe 100644 --- a/roles/aws/aws_rds/README.md +++ b/roles/aws/aws_rds/README.md 
@@ -18,34 +18,45 @@ You'll need to have created the subnet group first as well as the security group aws_rds: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" + db_instance_class: db.t3.medium + name: example + description: example multi_az: true - # You must provide at least two subnets in two different AZs, even for single AZ deployments. + # You must provide at least two subnets in two different AZs, even for single AZ deployments. subnets: - subnet-aaaaaaaa - subnet-bbbbbbbb - name: example - tags: {} - db_instance_class: db.t3.medium - state: present - description: example + security_groups: [] # list of security group names, converted to IDs by aws_security_groups role. + publicly_accessible: false # Wether to allocate an IP address. engine: mariadb - # In an Aurora cluster reader and writer can swap role at any time, so by default we name them 'blue' and 'green' - aurora_suffix: blue # appended to cluster name to create a unique instance name for the first (initially write) instance - aurora_reader: false # If true, an Aurora reader instance will be created. - aurora_reader_suffix: green # appended to cluster name to create unique instance name for the second (initially read-only) instance - must not match aurora_suffix # engine_version: '5.7.2' # Omit to use latest. - # See parameter group docs: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_param_group_module.html - # db_parameter_group_name: "example" # Omit to use default - # db_parameter_group_description: "Custom parameter group" # Description of parameter group - # db_parameter_group_engine: "mariadb10.5" # accepts different values to RDS instance 'engine' - # db_parameters: {} # dictionary of available parameters + # In an Aurora cluster reader and writer can swap role at any time, so by default we name them 'blue' and 'green'. + aurora_suffix: blue # appended to cluster name to create a unique instance name for the first (initially write) instance. 
+ aurora_reader: false # If true, an Aurora reader instance will be created. + aurora_reader_suffix: green # appended to cluster name to create unique instance name for the second (initially read-only) instance - must not match aurora_suffix. + # db_cluster_identifier: example # Default is RDS name. + # See parameter group docs: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_param_group_module.html + # db_parameter_group_name: "example" # Omit to use default. + # db_parameter_group_description: "Custom parameter group" # Description of parameter group. + # db_parameter_group_engine: "mariadb10.5" # accepts different values to RDS instance 'engine'. + # db_parameters: {} # dictionary of available parameters. + # character_set_name: undefined # not required. The character set to associate with the DB cluster. allocated_storage: 100 # Initial size in GB. Minimum is 100. max_allocated_storage: 1000 # Max size in GB for autoscaling. storage_encrypted: false # Whether to encrypt the RDS instance or not. + # storage_type: standard # not required. choices: standard;gp2;gp3;io1. I(storage_type) does not apply to Aurora DB instances. + # storage_throughput: 125 # required if storage_type is "gp3". For <400Gb storage it's limited to 125Mbs. Requires botocore >= 1.29.0 master_username: hello # The name of the master user for the DB cluster. Must be 1-16 letters or numbers and begin with a letter. master_user_password: hellothere - publicly_accessible: false # Wether to allocate an IP address - security_groups: [] # list of security group names, converted to IDs by aws_security_groups role + force_update_password: true # not required. Set to True to update your cluster password with I(master_user_password). + # enable_performance_insights: undefined # not required. Whether to enable Performance Insights for the DB instance. + # preferred_backup_window: undefined # not required. 
The daily time range (in UTC) of at least 30 minutes, during which automated backups are created if automated backups are enabled using I(backup_retention_period). The option must be in the format of "hh24:mi-hh24:mi" and not conflict with I(preferred_maintenance_window). + copy_tags_to_snapshot: true + # preferred_maintenance_window: undefined # not required. The weekly time range (in UTC) of at least 30 minutes, during which system maintenance can occur. Sample: "sun:09:31-sun:10:01". + allow_major_version_upgrade: false + # auto_minor_version_upgrade: undefined # not required. Whether minor version upgrades are applied automatically to the DB instance during the maintenance window. + tags: {} + state: present rds_cloudwatch_alarms: # name will have the RDS identifier prepended. - name: "example_free_storage_space_threshold_{{ _env_type }}_asg" description: "Average database free storage space over the last 10 minutes too low." diff --git a/roles/debian/apt_repository/tasks/main.yml b/roles/debian/apt_repository/tasks/main.yml index 6300d0e3d..92aa5c410 100644 --- a/roles/debian/apt_repository/tasks/main.yml +++ b/roles/debian/apt_repository/tasks/main.yml @@ -75,14 +75,15 @@ group: root mode: "0755" + - name: Build timers variable. + ansible.builtin.set_fact: + _apt_repo_timer: "{'{{ apt_repository.name }}_apt_key_refresh': { timer_command: '/usr/local/bin/{{ apt_repository.name }}_key_refresh', timer_OnCalendar: '{{ apt_repository.key_refresh_timer_OnCalendar }}' }}" + - name: Set up a systemd timer to refresh APT repository key. ansible.builtin.include_role: name: contrib/systemd_timers vars: - timers: - mysql_apt_key_refresh: - timer_command: "/usr/local/bin/{{ apt_repository.name }}_key_refresh" - timer_OnCalendar: "{{ apt_repository.key_refresh_timer_OnCalendar }}" + timers: "{{ _apt_repo_timer }}" - name: Update the APT cache. ansible.builtin.apt: 
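Review bot: in the docs/roles/aws/aws_rds.md hunk (mirrored in the roles/aws/aws_rds/README.md hunk) `force_update_password: true` is added as a live line, whereas the aws_ec2_autoscale_cluster hunks add the same option commented out; with it active, every run resets the master password to whatever `master_user_password` holds, which in this example is the literal `hellothere`. Suggest commenting it out here as well (`# force_update_password: true # not required. ...`) and saying in the comment that `master_user_password` should be supplied from an encrypted source rather than a plain vars file. Also the added `publicly_accessible: false # Wether to allocate an IP address.` line carries the same typo the hunk fixes in `rds: false # whether to create an instance.`, and the `I(storage_type)` / `I(master_user_password)` / `I(backup_retention_period)` markup copied from the Ansible module documentation renders literally in YAML comments; bare option names read better.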
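Review bot: in the roles/aws/aws_ec2_autoscale_cluster/README.md hunk (and the docs/roles/aws/aws_ec2_autoscale_cluster.md copy) the rewritten `rds:` example keeps `storage_encrypted: false # Whether to encrypt the RDS instance or not.` as the documented value while `master_user_password: hellothere` sits beside it; since an RDS instance cannot be switched to encrypted storage in place after creation (it needs an encrypted snapshot copy and a restore), the example would serve operators better with `storage_encrypted: true` and a comment saying the choice is fixed at creation time. The added `# storage_throughput: 125 # ... For <400Gb storage it's limited to 125Mbs.` comment also mixes units; `GB` and `MB/s` would avoid misreading.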
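Review bot: in the roles/debian/apt_repository/tasks/main.yml hunk the new `Build timers variable.` task sets `_apt_repo_timer` to a string that merely looks like a dict (`"{'{{ apt_repository.name }}_apt_key_refresh': { timer_command: ..., timer_OnCalendar: ... }}"`), so `timers: "{{ _apt_repo_timer }}"` relies on Ansible's implicit conversion of dict-shaped strings, which the YAML mapping it replaces gave for free and which breaks as soon as `apt_repository.name` or `key_refresh_timer_OnCalendar` contains a quote. Suggest building a real mapping instead, for example a Jinja dict literal with the computed key (`"{{ { apt_repository.name ~ '_apt_key_refresh': {'timer_command': '/usr/local/bin/' ~ apt_repository.name ~ '_key_refresh', 'timer_OnCalendar': apt_repository.key_refresh_timer_OnCalendar} } }}"`), or at least passing the string through `| from_yaml` where it is consumed.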
diff --git a/roles/debian/docker_ce/tasks/main.yml b/roles/debian/docker_ce/tasks/main.yml index 4cb727279..c189679a3 100644 --- a/roles/debian/docker_ce/tasks/main.yml +++ b/roles/debian/docker_ce/tasks/main.yml @@ -15,6 +15,7 @@ vars: apt_repository: legacy_repo: "deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" + format: deb822 name: docker_ce types: - deb diff --git a/roles/debian/gitlab/tasks/main.yml b/roles/debian/gitlab/tasks/main.yml index 5bc6c7dec..93efbb545 100644 --- a/roles/debian/gitlab/tasks/main.yml +++ b/roles/debian/gitlab/tasks/main.yml @@ -35,6 +35,7 @@ vars: apt_repository: legacy_repo: "deb https://packages.gitlab.com/gitlab/gitlab-ce/debian/ {{ ansible_distribution_release }} main" + format: deb822 name: gitlab types: - deb diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml index cbae5c255..7c9c28dc7 100644 --- a/roles/debian/gitlab_runner/tasks/main.yml +++ b/roles/debian/gitlab_runner/tasks/main.yml @@ -5,6 +5,7 @@ vars: apt_repository: legacy_repo: "deb https://packages.gitlab.com/runner/gitlab-runner/debian/ {{ ansible_distribution_release }} main" + format: deb822 name: gitlab_runner types: - deb diff --git a/roles/debian/lhci/tasks/main.yml b/roles/debian/lhci/tasks/main.yml index c32415e79..a2a24d7f8 100644 --- a/roles/debian/lhci/tasks/main.yml +++ b/roles/debian/lhci/tasks/main.yml @@ -5,6 +5,7 @@ vars: apt_repository: legacy_repo: "deb http://dl.google.com/linux/chrome/deb/ stable main" + format: deb822 name: google_chrome types: - deb diff --git a/roles/debian/mysql_server_oracle_ce/tasks/main.yml b/roles/debian/mysql_server_oracle_ce/tasks/main.yml index 956467ae7..72254acca 100644 --- a/roles/debian/mysql_server_oracle_ce/tasks/main.yml +++ b/roles/debian/mysql_server_oracle_ce/tasks/main.yml 
@@ -7,6 +7,7 @@ vars: apt_repository: legacy_repo: "deb http://repo.mysql.com/apt/debian/ {{ ansible_distribution_release }} {{ mysql_server.apt_repo_version }}" + format: deb822 name: mysql types: - deb diff --git a/roles/debian/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml index 1262961c3..a71b5a6c9 100644 --- a/roles/debian/nodejs/tasks/main.yml +++ b/roles/debian/nodejs/tasks/main.yml @@ -5,6 +5,7 @@ vars: apt_repository: legacy_repo: "deb https://deb.nodesource.com/node_{{ nodejs.version }} {{ ansible_distribution_release }} main" + format: deb822 name: nodejs types: - deb @@ -25,6 +26,7 @@ vars: apt_repository: legacy_repo: "deb https://dl.yarnpkg.com/debian/ stable main" + format: deb822 name: nodejs_yarn types: - deb diff --git a/roles/debian/pam_linotp/tasks/main.yml b/roles/debian/pam_linotp/tasks/main.yml index 21ce14fd8..efb6cc253 100644 --- a/roles/debian/pam_linotp/tasks/main.yml +++ b/roles/debian/pam_linotp/tasks/main.yml @@ -5,6 +5,7 @@ vars: apt_repository: legacy_repo: "deb https://packages.codeenigma.net/debian {{ ansible_distribution_release }} main" + format: deb822 name: ce types: - deb diff --git a/roles/debian/php-common/tasks/main.yml b/roles/debian/php-common/tasks/main.yml index f702cfc7c..f26f21bac 100644 --- a/roles/debian/php-common/tasks/main.yml +++ b/roles/debian/php-common/tasks/main.yml @@ -5,6 +5,7 @@ vars: apt_repository: legacy_repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" + format: deb822 name: sury types: - deb diff --git a/roles/debian/php_blackfire/tasks/main.yml b/roles/debian/php_blackfire/tasks/main.yml index 2cdc85896..d7e513f0f 100644 --- a/roles/debian/php_blackfire/tasks/main.yml +++ b/roles/debian/php_blackfire/tasks/main.yml @@ -25,6 +25,7 @@ vars: apt_repository: legacy_repo: "deb http://packages.blackfire.io/debian any main" + format: deb822 name: blackfire types: - deb From f919e256ca7ca1f83f977eaed1630890ce06a4f2 Mon Sep 17 00:00:00 2001 
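Review bot: in the roles/debian/docker_ce/tasks/main.yml hunk (and every sibling hunk in this patch: gitlab, gitlab_runner, lhci, mysql_server_oracle_ce, nodejs, pam_linotp, php-common, php_blackfire) the same `format: deb822` line is added to each caller of the apt_repository role; if deb822 is now the intended format for all repositories, making it the role default and letting callers override it would avoid nine copies of the same setting and the risk of a future role silently falling back to the old format.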
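Review bot: in the roles/debian/php_blackfire/tasks/main.yml hunk the repository being converted to deb822 is still `legacy_repo: "deb http://packages.blackfire.io/debian any main"`, and the lhci (`http://dl.google.com/linux/chrome/deb/`) and mysql_server_oracle_ce (`http://repo.mysql.com/apt/debian/`) hunks have the same shape; over plain HTTP the only protection for package metadata and the refreshed signing key is the APT signature check itself, and an on-path observer sees exactly which packages each host pulls. Since these lines are being touched anyway, suggest switching to `https://` wherever the vendor serves the repository over TLS, as the docker, gitlab, nodesource, codeenigma and sury hunks already do.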
From: Greg Harvey
Date: Mon, 13 May 2024 17:22:58 +0200
Subject: [PATCH 124/331] Bug fixes 2.x pr 2.x (#1662)

* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
--- docs/roles/_init.md | 5 +++++ docs/roles/debian/aws_cloudwatch_agent.md | 6 +++--- docs/roles/debian/aws_efs_client.md | 4 ++-- docs/roles/debian/duplicity.md | 2 +- docs/roles/debian/gitlab_runner.md | 4 ++-- roles/_init/README.md | 5 +++++ roles/_init/defaults/main.yml | 5 +++++ roles/debian/aws_cloudwatch_agent/README.md | 6 +++--- roles/debian/aws_cloudwatch_agent/defaults/main.yml | 6 +++--- roles/debian/aws_efs_client/README.md | 4 ++-- roles/debian/aws_efs_client/defaults/main.yml | 4 ++-- roles/debian/duplicity/README.md | 2 +- roles/debian/duplicity/defaults/main.yml | 2 +- roles/debian/gitlab_runner/README.md | 4 ++-- roles/debian/gitlab_runner/defaults/main.yml | 4 ++-- 15 files changed, 39 insertions(+), 24 deletions(-) diff --git a/docs/roles/_init.md b/docs/roles/_init.md index 77feacb1f..4abd58990 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md @@ -15,6 +15,11 @@ _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" _ce_ansible_timer_name: upgrade_ce_provision_ansible +# AWS variables - if you are using an AWS account, you can preset certain variables +# Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all +#_aws_profile: example # boto profile name +#_aws_region: eu-west-1 + _init: # A list of var directories to include. We only support .yml extensions. # This is used to detect if the playbook must re-run or not. diff --git a/docs/roles/debian/aws_cloudwatch_agent.md b/docs/roles/debian/aws_cloudwatch_agent.md index ee37572c7..cdda9f9b5 100644 --- a/docs/roles/debian/aws_cloudwatch_agent.md +++ b/docs/roles/debian/aws_cloudwatch_agent.md 
@@ -14,9 +14,9 @@ module in your playbooks. --- aws_cloudwatch_agent: # Stream name. - log_stream_name: "example" + log_stream_name: example # Namespace for metrics. Leave empty to use the default CWAgent. - metrics_namespace: "example" + metrics_namespace: example # Group prefix. Useful for grouping by environments. # Eg. instead of "syslog", you can have "dev syslog", "prod syslog", etc. log_group_prefix: "" @@ -26,7 +26,7 @@ aws_cloudwatch_agent: credentials: aws_access_key_id: XXX aws_secret_access_key: XXX - region: "{{ _aws_region }}" + region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set ``` diff --git a/docs/roles/debian/aws_efs_client.md b/docs/roles/debian/aws_efs_client.md index 6d3cd392d..856fe71ca 100644 --- a/docs/roles/debian/aws_efs_client.md +++ b/docs/roles/debian/aws_efs_client.md @@ -44,8 +44,8 @@ In the output of listed file systems, for each one you will find an entry like t _mount_opts: "_netdev,noresvport" # _netdev tells OS to wait for network before attempting to mount _mount_state: present aws_efs_client: - aws_profile: "{{ _aws_profile }}" - region: "{{ _aws_region }}" + aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set + region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set version: 1.35.0 # version of AWS EFS utils to use build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb` deb_url: "" # provide an alternative location for the .deb package diff --git a/docs/roles/debian/duplicity.md b/docs/roles/debian/duplicity.md index 7e4911527..c9140007e 100644 --- a/docs/roles/debian/duplicity.md +++ b/docs/roles/debian/duplicity.md 
@@ -17,7 +17,7 @@ duplicity: backend: s3 # currently also support b2 for Backblaze access_key_id: "somekey" secret_access_key: "somesecret" - backend_url: "s3-eu-west-1.amazonaws.com" + backend_url: "s3-eu-west-1.amazonaws.com" # "eu-west-1" can be substituted for "{{ _aws_region }}" if set s3_options: "--s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options bucketname: "somebucket" dirs: diff --git a/docs/roles/debian/gitlab_runner.md b/docs/roles/debian/gitlab_runner.md index 2804320b5..7311c5bf0 100644 --- a/docs/roles/debian/gitlab_runner.md +++ b/docs/roles/debian/gitlab_runner.md @@ -49,8 +49,8 @@ gitlab_runner: # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs fargate: cluster: "my-cluster" # ECS cluster name - profile: "{{ _aws_profile }}" - region: "eu-west-1" # AWS region name + profile: "example" # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set + region: "eu-west-1" # AWS region name - can be substituted for "{{ _aws_region }}" if set subnet: "subnet-abcdef123456" # subnet ID security_group: "my-security-group" # SG name task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest diff --git a/roles/_init/README.md b/roles/_init/README.md index 77feacb1f..4abd58990 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md 
@@ -15,6 +15,11 @@ _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" _ce_ansible_timer_name: upgrade_ce_provision_ansible +# AWS variables - if you are using an AWS account, you can preset certain variables +# Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all +#_aws_profile: example # boto profile name +#_aws_region: eu-west-1 + _init: # A list of var directories to include. We only support .yml extensions. # This is used to detect if the playbook must re-run or not. diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index d05a6fc78..5e38419ea 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml @@ -5,6 +5,11 @@ _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" _ce_ansible_timer_name: upgrade_ce_provision_ansible +# AWS variables - if you are using an AWS account, you can preset certain variables +# Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all +#_aws_profile: example # boto profile name +#_aws_region: eu-west-1 + _init: # A list of var directories to include. We only support .yml extensions. # This is used to detect if the playbook must re-run or not. diff --git a/roles/debian/aws_cloudwatch_agent/README.md b/roles/debian/aws_cloudwatch_agent/README.md index ee37572c7..cdda9f9b5 100644 --- a/roles/debian/aws_cloudwatch_agent/README.md +++ b/roles/debian/aws_cloudwatch_agent/README.md @@ -14,9 +14,9 @@ module in your playbooks. --- aws_cloudwatch_agent: # Stream name. - log_stream_name: "example" + log_stream_name: example # Namespace for metrics. Leave empty to use the default CWAgent. - metrics_namespace: "example" + metrics_namespace: example # Group prefix. Useful for grouping by environments. # Eg. instead of "syslog", you can have "dev syslog", "prod syslog", etc. log_group_prefix: "" 
@@ -26,7 +26,7 @@ aws_cloudwatch_agent: credentials: aws_access_key_id: XXX aws_secret_access_key: XXX - region: "{{ _aws_region }}" + region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set ``` diff --git a/roles/debian/aws_cloudwatch_agent/defaults/main.yml b/roles/debian/aws_cloudwatch_agent/defaults/main.yml index f73385114..36d3d3751 100644 --- a/roles/debian/aws_cloudwatch_agent/defaults/main.yml +++ b/roles/debian/aws_cloudwatch_agent/defaults/main.yml @@ -1,9 +1,9 @@ --- aws_cloudwatch_agent: # Stream name. - log_stream_name: "example" + log_stream_name: example # Namespace for metrics. Leave empty to use the default CWAgent. - metrics_namespace: "example" + metrics_namespace: example # Group prefix. Useful for grouping by environments. # Eg. instead of "syslog", you can have "dev syslog", "prod syslog", etc. log_group_prefix: "" @@ -13,4 +13,4 @@ aws_cloudwatch_agent: credentials: aws_access_key_id: XXX aws_secret_access_key: XXX - region: "{{ _aws_region }}" + region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set diff --git a/roles/debian/aws_efs_client/README.md b/roles/debian/aws_efs_client/README.md index 6d3cd392d..856fe71ca 100644 --- a/roles/debian/aws_efs_client/README.md +++ b/roles/debian/aws_efs_client/README.md 
@@ -44,8 +44,8 @@ In the output of listed file systems, for each one you will find an entry like t _mount_opts: "_netdev,noresvport" # _netdev tells OS to wait for network before attempting to mount _mount_state: present aws_efs_client: - aws_profile: "{{ _aws_profile }}" - region: "{{ _aws_region }}" + aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set + region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set version: 1.35.0 # version of AWS EFS utils to use build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb` deb_url: "" # provide an alternative location for the .deb package diff --git a/roles/debian/aws_efs_client/defaults/main.yml b/roles/debian/aws_efs_client/defaults/main.yml index ba81a7629..7758d8820 100644 --- a/roles/debian/aws_efs_client/defaults/main.yml +++ b/roles/debian/aws_efs_client/defaults/main.yml @@ -2,8 +2,8 @@ _mount_opts: "_netdev,noresvport" # _netdev tells OS to wait for network before attempting to mount _mount_state: present aws_efs_client: - aws_profile: "{{ _aws_profile }}" - region: "{{ _aws_region }}" + aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set + region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set version: 1.35.0 # version of AWS EFS utils to use build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb` deb_url: "" # provide an alternative location for the .deb package diff --git a/roles/debian/duplicity/README.md b/roles/debian/duplicity/README.md index 7e4911527..c9140007e 100644 --- a/roles/debian/duplicity/README.md +++ b/roles/debian/duplicity/README.md 
@@ -17,7 +17,7 @@ duplicity: backend: s3 # currently also support b2 for Backblaze access_key_id: "somekey" secret_access_key: "somesecret" - backend_url: "s3-eu-west-1.amazonaws.com" + backend_url: "s3-eu-west-1.amazonaws.com" # "eu-west-1" can be substituted for "{{ _aws_region }}" if set s3_options: "--s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options bucketname: "somebucket" dirs: diff --git a/roles/debian/duplicity/defaults/main.yml b/roles/debian/duplicity/defaults/main.yml index 6d7a6f3d6..33cecfec2 100644 --- a/roles/debian/duplicity/defaults/main.yml +++ b/roles/debian/duplicity/defaults/main.yml @@ -8,7 +8,7 @@ duplicity: backend: s3 # currently also support b2 for Backblaze access_key_id: "somekey" secret_access_key: "somesecret" - backend_url: "s3-eu-west-1.amazonaws.com" + backend_url: "s3-eu-west-1.amazonaws.com" # "eu-west-1" can be substituted for "{{ _aws_region }}" if set s3_options: "--s3-use-glacier-ir" # see the --s3 options in the documentation - https://duplicity.us/stable/duplicity.1.html#options bucketname: "somebucket" dirs: diff --git a/roles/debian/gitlab_runner/README.md b/roles/debian/gitlab_runner/README.md index 2804320b5..7311c5bf0 100644 --- a/roles/debian/gitlab_runner/README.md +++ b/roles/debian/gitlab_runner/README.md @@ -49,8 +49,8 @@ gitlab_runner: # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs fargate: cluster: "my-cluster" # ECS cluster name - profile: "{{ _aws_profile }}" - region: "eu-west-1" # AWS region name + profile: "example" # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set + region: "eu-west-1" # AWS region name - can be substituted for "{{ _aws_region }}" if set subnet: "subnet-abcdef123456" # subnet ID security_group: "my-security-group" # SG name task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest 
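Review bot: in the roles/debian/aws_cloudwatch_agent/defaults/main.yml and roles/debian/aws_efs_client/defaults/main.yml hunks (and the roles/debian/gitlab_runner/defaults/main.yml hunk that follows) the role defaults change from `region: "{{ _aws_region }}"` / `aws_profile: "{{ _aws_profile }}"` to hard-coded `region: eu-west-1` and `aws_profile: example`, so a host whose group_vars set `_aws_region` but do not override the role variable will now silently target eu-west-1 (and a non-existent profile) instead of failing on an undefined variable as before. Suggest `region: "{{ _aws_region | default('eu-west-1') }}"` and `aws_profile: "{{ _aws_profile | default('example') }}"` in the defaults so the group-level variables introduced in the `_init` hunk keep taking effect, with the literal value kept only in the docs as the illustrated fallback.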
diff --git a/roles/debian/gitlab_runner/defaults/main.yml b/roles/debian/gitlab_runner/defaults/main.yml index af891d799..1813aa89b 100644 --- a/roles/debian/gitlab_runner/defaults/main.yml +++ b/roles/debian/gitlab_runner/defaults/main.yml @@ -37,8 +37,8 @@ gitlab_runner: # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs fargate: cluster: "my-cluster" # ECS cluster name - profile: "{{ _aws_profile }}" - region: "eu-west-1" # AWS region name + profile: "example" # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set + region: "eu-west-1" # AWS region name - can be substituted for "{{ _aws_region }}" if set subnet: "subnet-abcdef123456" # subnet ID security_group: "my-security-group" # SG name task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest From e8d74e5e80bc32a7803d8e3707d3b877cadf67f3 Mon Sep 17 00:00:00 2001 From: Klaus Purer Date: Mon, 13 May 2024 17:54:53 +0200 Subject: [PATCH 125/331] fix(scripts): Fix git checkout to fetch any new branches (#1655) --- scripts/_common.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index da5277ef9..8ab48b9ad 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -205,6 +205,8 @@ ansible_play(){ # @param $1 absolute path to local repo. # @param $2 branch to checkout. git_checkout(){ + # We need to fetch first for new branches. + git -C "$1" fetch origin "$2" git -C "$1" checkout "$2" git -C "$1" pull origin "$2" } From 25baa041dbe3c089455d0012dbeebaff18c6eb72 Mon Sep 17 00:00:00 2001 
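Review bot: in the aws_efs_client and gitlab_runner defaults hunks, swapping `"{{ _aws_profile }}"` / `"{{ _aws_region }}"` for the literals `example` and `eu-west-1` changes the failure mode: a consumer that forgets to override them no longer hits an undefined-variable error at the point of use but quietly runs against a non-existent `example` profile, or against `eu-west-1` when the profile does resolve. If the aim is to drop `_aws` references from Debian role defaults, add an `ansible.builtin.assert` in the role tasks that rejects `aws_profile == 'example'`, and state in the README body (not only in the YAML comment) that both values must be supplied.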
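Review bot: in the `git_checkout()` hunk, the new `git -C "$1" fetch origin "$2"` has no error handling, so when `$2` does not exist on `origin` the fetch fails and the function still falls through to `checkout` and `pull`, producing a misleading second error; `git -C "$1" fetch origin "$2" || return 1` stops at the real cause. The `pull origin "$2"` that follows also re-fetches and can create a merge commit if the local branch has diverged; `git -C "$1" merge --ff-only origin/"$2"` (or `pull --ff-only`) keeps the checked-out tree identical to the remote branch, which is what a provisioning script wants.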
From: Greg Harvey Date: Tue, 14 May 2024 12:48:55 +0200 Subject: [PATCH 126/331] Apt repo role pr 2.x (#1666) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. 
* Adding missing repo format var to all APT repo handling. * Updating docs. * Fixing bug where list is passed instead of dict for systemd timer. --- roles/debian/apt_repository/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/debian/apt_repository/tasks/main.yml b/roles/debian/apt_repository/tasks/main.yml index 92aa5c410..5d78f0853 100644 --- a/roles/debian/apt_repository/tasks/main.yml +++ b/roles/debian/apt_repository/tasks/main.yml @@ -79,6 +79,10 @@ ansible.builtin.set_fact: _apt_repo_timer: "{'{{ apt_repository.name }}_apt_key_refresh': { timer_command: '/usr/local/bin/{{ apt_repository.name }}_key_refresh', timer_OnCalendar: '{{ apt_repository.key_refresh_timer_OnCalendar }}' }}" + - name: Turn the timer string into a dictionary. + ansible.builtin.set_fact: + _apt_repo_timer: "{{ _apt_repo_timer.splitlines()|map('from_yaml')|list }}" + - name: Set up a systemd timer to refresh APT repository key. ansible.builtin.include_role: name: contrib/systemd_timers From f08fe67676130a0efdf9356297c64f393b3f8927 Mon Sep 17 00:00:00 2001 
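Review bot: in the apt_repository tasks hunk, `splitlines()|map('from_yaml')|list` yields a list of dictionaries, not the dictionary the task name ("Turn the timer string into a dictionary") promises, so unless `contrib/systemd_timers` accepts a list this does not match the commit message about "list is passed instead of dict". `_apt_repo_timer` is a single-line flow mapping, so `"{{ _apt_repo_timer | from_yaml }}"` returns the dict directly; if a list is really wanted, rename the task. Separately, the single quotes wrapped around `{{ apt_repository.name }}` and the timer values in the preceding `set_fact` break as soon as a value contains `'`; building the structure as a Jinja expression (`"{{ {name_key: {'timer_command': cmd, 'timer_OnCalendar': cal}} }}"`) avoids the string-then-parse round trip entirely.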
From: Greg Harvey Date: Tue, 14 May 2024 16:32:07 +0200 Subject: [PATCH 127/331] Bug fixes 2.x pr 2.x (#1667) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. 
--- docs/roles/aws/aws_ec2_autoscale_cluster.md | 12 ++++++------ roles/aws/aws_ec2_autoscale_cluster/README.md | 12 ++++++------ .../aws/aws_ec2_autoscale_cluster/defaults/main.yml | 12 ++++++------ 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md index 6278a17d0..ebda2b7a0 100644 --- a/docs/roles/aws/aws_ec2_autoscale_cluster.md +++ b/docs/roles/aws/aws_ec2_autoscale_cluster.md @@ -106,15 +106,15 @@ aws_ec2_autoscale_cluster: - name: "{{ _env_type }}-scale-up-policy" policy_type: "SimpleScaling" adjustment_type: "ChangeInCapacity" - adjustment: 2 + adjustment: 2 # Add two servers per scaling event adjustment_step: 1 # Only used when adjustment_type is PercentChangeInCapacity. - cooldown: 300 + cooldown: 120 - name: "{{ _env_type }}-scale-down-policy" policy_type: "SimpleScaling" adjustment_type: "ChangeInCapacity" - adjustment: -2 + adjustment: -1 # Reduce by one server at a time adjustment_step: -1 # Only used when adjustment_type is PercentChangeInCapacity. - cooldown: 300 + cooldown: 120 asg_cloudwatch_alarm_scale_up_name: "{{ _env_type }}-cloudwatch-metric-alarm-cpu-scale-up" asg_cloudwatch_alarm_scale_down_name: "{{ _env_type }}-cloudwatch-metric-alarm-cpu-scale-down" asg_cloudwatch_alarms: @@ -126,8 +126,8 @@ aws_ec2_autoscale_cluster: threshold: 80 unit: "Percent" comparison: "GreaterThanOrEqualToThreshold" - period: 120 - evaluation_periods: 5 + period: 30 + evaluation_periods: 3 - scale_direction: "down" description: "CPU under 40% so scale down." metric: "CPUUtilization" diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index 6278a17d0..ebda2b7a0 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md 
@@ -106,15 +106,15 @@ aws_ec2_autoscale_cluster: - name: "{{ _env_type }}-scale-up-policy" policy_type: "SimpleScaling" adjustment_type: "ChangeInCapacity" - adjustment: 2 + adjustment: 2 # Add two servers per scaling event adjustment_step: 1 # Only used when adjustment_type is PercentChangeInCapacity. - cooldown: 300 + cooldown: 120 - name: "{{ _env_type }}-scale-down-policy" policy_type: "SimpleScaling" adjustment_type: "ChangeInCapacity" - adjustment: -2 + adjustment: -1 # Reduce by one server at a time adjustment_step: -1 # Only used when adjustment_type is PercentChangeInCapacity. - cooldown: 300 + cooldown: 120 asg_cloudwatch_alarm_scale_up_name: "{{ _env_type }}-cloudwatch-metric-alarm-cpu-scale-up" asg_cloudwatch_alarm_scale_down_name: "{{ _env_type }}-cloudwatch-metric-alarm-cpu-scale-down" asg_cloudwatch_alarms: @@ -126,8 +126,8 @@ aws_ec2_autoscale_cluster: threshold: 80 unit: "Percent" comparison: "GreaterThanOrEqualToThreshold" - period: 120 - evaluation_periods: 5 + period: 30 + evaluation_periods: 3 - scale_direction: "down" description: "CPU under 40% so scale down." metric: "CPUUtilization" diff --git a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml index 03e99461c..b6aedd0b2 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml 
@@ -87,15 +87,15 @@ aws_ec2_autoscale_cluster: - name: "{{ _env_type }}-scale-up-policy" policy_type: "SimpleScaling" adjustment_type: "ChangeInCapacity" - adjustment: 2 + adjustment: 2 # Add two servers per scaling event adjustment_step: 1 # Only used when adjustment_type is PercentChangeInCapacity. - cooldown: 300 + cooldown: 120 - name: "{{ _env_type }}-scale-down-policy" policy_type: "SimpleScaling" adjustment_type: "ChangeInCapacity" - adjustment: -2 + adjustment: -1 # Reduce by one server at a time adjustment_step: -1 # Only used when adjustment_type is PercentChangeInCapacity. - cooldown: 300 + cooldown: 120 asg_cloudwatch_alarm_scale_up_name: "{{ _env_type }}-cloudwatch-metric-alarm-cpu-scale-up" asg_cloudwatch_alarm_scale_down_name: "{{ _env_type }}-cloudwatch-metric-alarm-cpu-scale-down" asg_cloudwatch_alarms: @@ -107,8 +107,8 @@ aws_ec2_autoscale_cluster: threshold: 80 unit: "Percent" comparison: "GreaterThanOrEqualToThreshold" - period: 120 - evaluation_periods: 5 + period: 30 + evaluation_periods: 3 - scale_direction: "down" description: "CPU under 40% so scale down." metric: "CPUUtilization" From f42142f7d35018d6973d22b85773a63bd7c58327 Mon Sep 17 00:00:00 2001 
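Review bot: in all three `asg_cloudwatch_alarms` hunks, `period: 30` is shorter than the 1-minute resolution at which EC2 publishes `CPUUtilization` even with detailed monitoring, so every other 30-second period has no datapoint and the alarm either drops into INSUFFICIENT_DATA or, depending on its missing-data treatment, struggles to accumulate `evaluation_periods: 3` breaching periods. If the intent is to react faster than the old 120 x 5 (ten minutes), `period: 60` with `evaluation_periods: 3` gives a three-minute window that the metric can actually fill. The `cooldown: 120` and `adjustment: -1` changes are consistent with that intent and read fine.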
From: Greg Harvey Date: Tue, 14 May 2024 17:39:15 +0200 Subject: [PATCH 128/331] Bug fixes 2.x pr 2.x (#1670) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. 
--- docs/roles/debian/clamav.md | 8 ++++---- roles/debian/clamav/README.md | 8 ++++---- roles/debian/clamav/defaults/main.yml | 8 ++++---- roles/debian/clamav/tasks/main.yml | 8 +++++++- 4 files changed, 19 insertions(+), 13 deletions(-) diff --git a/docs/roles/debian/clamav.md b/docs/roles/debian/clamav.md index 4529ab043..0a35265c2 100644 --- a/docs/roles/debian/clamav.md +++ b/docs/roles/debian/clamav.md @@ -19,11 +19,11 @@ clamav: - /sys/ scan_location: / log_name: clamav_daily.log - # scheduled scans, set to an empty dictionary for no timers + # scheduled scans, set to an empty list for no timers timers: - clamscan_daily: - timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts - timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + - clamscan_daily: + timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts + timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. log_location: /var/log/clamav send_mail: false # Important: will not send any emails by default. diff --git a/roles/debian/clamav/README.md b/roles/debian/clamav/README.md index 4529ab043..0a35265c2 100644 --- a/roles/debian/clamav/README.md +++ b/roles/debian/clamav/README.md 
@@ -19,11 +19,11 @@ clamav: - /sys/ scan_location: / log_name: clamav_daily.log - # scheduled scans, set to an empty dictionary for no timers + # scheduled scans, set to an empty list for no timers timers: - clamscan_daily: - timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts - timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + - clamscan_daily: + timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts + timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. log_location: /var/log/clamav send_mail: false # Important: will not send any emails by default. diff --git a/roles/debian/clamav/defaults/main.yml b/roles/debian/clamav/defaults/main.yml index 648ddd934..85af99d42 100644 --- a/roles/debian/clamav/defaults/main.yml +++ b/roles/debian/clamav/defaults/main.yml 
@@ -8,11 +8,11 @@ clamav: - /sys/ scan_location: / log_name: clamav_daily.log - # scheduled scans, set to an empty dictionary for no timers + # scheduled scans, set to an empty list for no timers timers: - clamscan_daily: - timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts - timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + - clamscan_daily: + timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts + timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. log_location: /var/log/clamav send_mail: false # Important: will not send any emails by default. diff --git a/roles/debian/clamav/tasks/main.yml b/roles/debian/clamav/tasks/main.yml index ebf032e74..02e643781 100644 --- a/roles/debian/clamav/tasks/main.yml +++ b/roles/debian/clamav/tasks/main.yml @@ -23,11 +23,17 @@ state: directory mode: '0755' +- name: Build a dictionary of timers for the systemd timers role. + ansible.builtin.set_fact: + _clamav_timers: "{{ _clamav_timers | default({}) | combine( item ) }}" + with_items: "{{ clamav.timers }}" + when: clamav.timers | length > 0 + - name: Set up a ClamAV systemd timers. ansible.builtin.include_role: name: contrib/systemd_timers vars: - timers: "{{ clamav.timers }}" + timers: "{{ _clamav_timers }}" when: clamav.timers | length > 0 - name: Install clamdscan. From f93ae3a428ada3478ad9d0f41bcd42cc457edd32 Mon Sep 17 00:00:00 2001 
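Review bot: in the clamav tasks hunk, `_clamav_timers | default({}) | combine( item )` has two edge cases worth handling. First, `combine` silently overwrites when two list entries carry the same timer key (two `clamscan_daily:` entries), so the README hunks should say timer names must be unique. Second, `default({})` only initialises the fact on its first use; because `set_fact` results persist for the host for the rest of the play, a later inclusion of the role with a different `clamav.timers` merges into the earlier dictionary instead of replacing it, which undercuts the commit's goal of timers that "can be entirely replaced". Add a `set_fact: _clamav_timers: {}` immediately before the loop so each inclusion starts clean.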
From: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Date: Wed, 15 May 2024 11:41:38 +0200 Subject: [PATCH 129/331] Updating-waf-acl-role (#1672) Co-authored-by: Matej Stajduhar --- roles/aws/aws_acl/README.md | 65 ++++--- roles/aws/aws_acl/defaults/main.yml | 48 ++--- roles/aws/aws_acl/tasks/create_acl.yml | 157 ++++++++++++++++ roles/aws/aws_acl/tasks/main.yml | 172 ++---------------- roles/aws/aws_acl/tasks/set_acl.yml | 14 ++ .../tasks/main.yml | 1 + 6 files changed, 248 insertions(+), 209 deletions(-) create mode 100644 roles/aws/aws_acl/tasks/create_acl.yml create mode 100644 roles/aws/aws_acl/tasks/set_acl.yml diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index 2022797f8..1edfba012 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md 
@@ -5,38 +5,47 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa -## Default variables +## Default variables for creation of ACL (pass it as a list) ```yaml --- -rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking aws_acl: - name: example_master_acl - scope: CLOUDFRONT # Can be REGIONAL for ALBs - tags: {} - - botControl: true - inspection: "COMMON" # or set to TARGETED inspection level - - ip_allow: - name: "Allowed-ips" - list: [] - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 - - ip_block: - name: "Blocked-ips" - list: [] - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 - - cc_block_list: [] - #- BY # Belarus - #- CN # China - #- IR # Iran - #- SA # Saudi Arabia + - rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + acl_rules: + name: example_master_acl # Name of the ACL + description: "Master ACL for CF" + scope: CLOUDFRONT # Can be REGIONAL for ALBs + tags: {} + + botControl: false # Set to true to apply bot control + inspection: "COMMON" # or set to TARGETED inspection level + + ip_allow: + name: "Allowed-ips" + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 + + ip_block: + name: "Blocked-ips" + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 + + cc_block_list: [] + #- BY # Belarus + #- CN # China + #- IR # Iran + #- SA # Saudi Arabia +``` +## Default variables for assigning ACL to CF or ALB +```yaml +--- +aws_acl: + name: example_master_acl # Name of the ACL to apply + scope: CLOUDFRONT # Can be REGIONAL for ALBs ``` diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index d75377a55..00bd71412 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml 
@@ -1,29 +1,31 @@ --- -rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking aws_acl: - name: example_master_acl - scope: CLOUDFRONT # Can be REGIONAL for ALBs - tags: {} + - rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + acl_rules: + name: example_master_acl # Name of the ACL + description: "Master ACL for CF" + scope: CLOUDFRONT # Can be REGIONAL for ALBs + tags: {} - botControl: true - inspection: "COMMON" # or set to TARGETED inspection level + botControl: false # Set to true to apply bot control + inspection: "COMMON" # or set to TARGETED inspection level - ip_allow: - name: "Allowed-ips" - list: [] - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 + ip_allow: + name: "Allowed-ips" + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 - ip_block: - name: "Blocked-ips" - list: [] - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 + ip_block: + name: "Blocked-ips" + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 - cc_block_list: [] - #- BY # Belarus - #- CN # China - #- IR # Iran - #- SA # Saudi Arabia + cc_block_list: [] + #- BY # Belarus + #- CN # China + #- IR # Iran + #- SA # Saudi Arabia diff --git a/roles/aws/aws_acl/tasks/create_acl.yml b/roles/aws/aws_acl/tasks/create_acl.yml new file mode 100644 index 000000000..a4c7b86ff --- /dev/null +++ b/roles/aws/aws_acl/tasks/create_acl.yml 
@@ -0,0 +1,157 @@ +- name: Define dict for rules. + ansible.builtin.set_fact: + _acl_rules: [] + +- name: Define region if scope is REGIONAL. + ansible.builtin.set_fact: + _acl_region: "{{ _aws_region }}" + when: _acl.acl_rules.scope == "REGIONAL" + +- name: Define region if scope is CLOUDFRONT. + ansible.builtin.set_fact: + _acl_region: "us-east-1" + when: _acl.acl_rules.scope == "CLOUDFRONT" + +- name: Set IP block rule. + when: + - _acl.acl_rules.ip_block is defined + - _acl.acl_rules.ip_block.list | length > 0 + block: + - name: Create IP block set for WAF. + community.aws.wafv2_ip_set: + name: "{{ _acl.acl_rules.ip_block.name }}" + state: present + description: Set of blocked IPs + scope: "{{ _acl.acl_rules.scope }}" + region: "{{ _acl_region }}" + ip_address_version: IPV4 + addresses: "{{ _acl.acl_rules.ip_block.list }}" + register: _ip_set_info + + - name: Create IP block rule. + ansible.builtin.set_fact: + ip_block_rule: + - name: "{{ _acl.acl_rules.ip_block.name }}" + priority: 0 + action: + block: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: Block_IPs + statement: + ip_set_reference_statement: + arn: "{{ _ip_set_info.arn }}" + + - name: Add rule to list. + ansible.builtin.set_fact: + _acl_rules: "{{ _acl_rules + ip_block_rule }}" + +- name: Set IP allow rule. + when: + - _acl.acl_rules.ip_allow is defined + - _acl.acl_rules.ip_allow.list | length > 0 + block: + - name: Create IP allow set for WAF. + community.aws.wafv2_ip_set: + name: "{{ _acl.acl_rules.ip_allow.name }}" + state: present + description: Set of allowed IPs + scope: "{{ _acl.acl_rules.scope }}" + region: "{{ _acl_region }}" + ip_address_version: IPV4 + addresses: "{{ _acl.acl_rules.ip_allow.list }}" + register: _ip_set_info + + - name: Create IP allow rule. 
+ ansible.builtin.set_fact: + ip_allow_rule: + - name: "{{ _acl.acl_rules.ip_allow.name }}" + priority: 1 + action: + allow: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: Allow_IPs + statement: + ip_set_reference_statement: + arn: "{{ _ip_set_info.arn }}" + + - name: Add rule to list. + ansible.builtin.set_fact: + _acl_rules: "{{ _acl_rules + ip_allow_rule }}" + +- name: Set country block rule. + when: + - _acl.acl_rules.cc_block_list is defined + - _acl.acl_rules.cc_block_list | length > 0 + block: + - name: Create country block rule + ansible.builtin.set_fact: + cc_block_rule: + - name: block_countries + priority: 2 + action: + block: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: block_countries + statement: + geo_match_statement: # Can't find the actual name, I got this from aws rule JSON formated + country_codes: "{{ _acl.acl_rules.cc_block_list }}" + + - name: Add rule to list + ansible.builtin.set_fact: + _acl_rules: "{{ _acl_rules + cc_block_rule }}" + +# Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int) +- name: Set rate limit variable. + when: + - _acl.rate_limit is defined + - _acl.rate_limit > 0 + block: + - name: Set rate based statement from template + ansible.builtin.set_fact: + _rbs: "{{ lookup('ansible.builtin.template', './rate_limit.j2') | from_yaml }}" + + - name: Define rate rule. + ansible.builtin.set_fact: + rate_rule: + - name: Rate_limit + priority: 3 + action: + block: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: rate_limit + statement: + rate_based_statement: "{{ _rbs }}" + + - name: Add rule to list. + ansible.builtin.set_fact: + _acl_rules: "{{ _acl_rules + rate_rule}}" + +- name: Include task Bot Control. 
+ when: + - _acl.acl_rules.botControl is defined + - _acl.acl_rules.botControl + ansible.builtin.include_tasks: + file: bot_control.yml + +- name: Create web acl. + community.aws.wafv2_web_acl: + name: "{{ _acl.acl_rules.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ + description: "{{ _acl.acl_rules.description }}" + scope: "{{ _acl.acl_rules.scope }}" + region: "{{ _acl_region }}" + default_action: Allow # or "Block" + sampled_requests: false + cloudwatch_metrics: true # or "false" to disable metrics + metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name) + rules: "{{ _acl_rules }}" + purge_rules: true + tags: "{{ _acl.acl_rules.tags }}" + state: present diff --git a/roles/aws/aws_acl/tasks/main.yml b/roles/aws/aws_acl/tasks/main.yml index 0a75c2a5f..789765587 100644 --- a/roles/aws/aws_acl/tasks/main.yml +++ b/roles/aws/aws_acl/tasks/main.yml 
@@ -1,165 +1,21 @@ -- name: Define dict for rules. +- name: Define and set _acl_list to true. ansible.builtin.set_fact: - _acl_rules: [] + _acl_list: true -- name: Define region if scope is REGIONAL. +- name: Change _acl_list to false if aws_acl is dict. ansible.builtin.set_fact: - _acl_region: "{{ _aws_region }}" - when: aws_acl.scope == "REGIONAL" + _acl_list: false + when: aws_acl | type_debug == 'dict' -- name: Define region if scope is CLOUDFRONT. - ansible.builtin.set_fact: - _acl_region: "us-east-1" - when: aws_acl.scope == "CLOUDFRONT" - -- name: Set IP block rule. - when: - - aws_acl.ip_block is defined - - aws_acl.ip_block.list | length > 0 - block: - - name: Create IP block set for WAF. - community.aws.wafv2_ip_set: - name: "{{ aws_acl.ip_block.name }}" - state: present - description: Set of blocked IPs - scope: "{{ aws_acl.scope }}" - region: "{{ _acl_region }}" - ip_address_version: IPV4 - addresses: "{{ aws_acl.ip_block.list }}" - register: _ip_set_info - - - name: Create IP block rule. - ansible.builtin.set_fact: - ip_block_rule: - - name: "{{ aws_acl.ip_block.name }}" - priority: 0 - action: - block: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: Block_IPs - statement: - ip_set_reference_statement: - arn: "{{ _ip_set_info.arn }}" - - - name: Add rule to list. - ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + ip_block_rule }}" - -- name: Set IP allow rule. - when: - - aws_acl.ip_allow is defined - - aws_acl.ip_allow.list | length > 0 - block: - - name: Create IP allow set for WAF. - community.aws.wafv2_ip_set: - name: "{{ aws_acl.ip_allow.name }}" - state: present - description: Set of allowed IPs - scope: "{{ aws_acl.scope }}" - region: "{{ _acl_region }}" - ip_address_version: IPV4 - addresses: "{{ aws_acl.ip_allow.list }}" - register: _ip_set_info - - - name: Create IP allow rule. 
- ansible.builtin.set_fact: - ip_allow_rule: - - name: "{{ aws_acl.ip_allow.name }}" - priority: 1 - action: - allow: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: Allow_IPs - statement: - ip_set_reference_statement: - arn: "{{ _ip_set_info.arn }}" - - - name: Add rule to list. - ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + ip_allow_rule }}" - -- name: Set country block rule. - when: - - aws_acl.cc_block_list is defined - - aws_acl.cc_block_list | length > 0 - block: - - name: Create country block rule - ansible.builtin.set_fact: - cc_block_rule: - - name: block_countries - priority: 2 - action: - block: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: block_countries - statement: - geo_match_statement: # Can't find the actual name, I got this from aws rule JSON formated - country_codes: "{{ aws_acl.cc_block_list }}" - - - name: Add rule to list - ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + cc_block_rule }}" - -# Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int) -- name: Set rate limit variable. +- name: Create ACLs when list is passed. + ansible.builtin.include_tasks: create_acl.yml when: - - rate_limit is defined - - rate_limit > 0 - block: - - name: Define rate rule. - ansible.builtin.set_fact: - rate_rule: - - name: rate_limit - priority: 3 - action: - block: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: rate_limit - statement: - rate_based_statement: - limit: "{{ rate_limit }}" - aggregate_key_type: IP - - - name: Add rule to list. - ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + rate_rule}}" + - _acl_list + loop: "{{ aws_acl }}" + loop_control: + loop_var: _acl -- name: Include task Bot Control. +- name: Set ACL to CF/ALB. 
+ ansible.builtin.include_tasks: set_acl.yml when: - - aws_acl.botControl is defined - - aws_acl.botControl - ansible.builtin.include_tasks: - file: bot_control.yml - -- name: Create web acl. - community.aws.wafv2_web_acl: - name: "{{ aws_acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ - description: "WAF protecting the {{ _domain_name }}" - scope: "{{ aws_acl.scope }}" - region: "{{ _acl_region }}" - default_action: Allow # or "Block" - sampled_requests: false - cloudwatch_metrics: true # or "false" to disable metrics - metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name) - rules: "{{ _acl_rules }}" - purge_rules: true - tags: "{{ aws_acl.tags }}" - state: present - register: _created_acl - -- name: Add WAF to ALB. - community.aws.wafv2_resources: - name: "{{ aws_acl.name }}" - scope: REGIONAL - state: present - region: "{{ _acl_region }}" - arn: "{{ _aws_ec2_elb.load_balancer_arn }}" - when: _aws_ec2_elb is defined + - not _acl_list diff --git a/roles/aws/aws_acl/tasks/set_acl.yml b/roles/aws/aws_acl/tasks/set_acl.yml new file mode 100644 index 000000000..a00143413 --- /dev/null +++ b/roles/aws/aws_acl/tasks/set_acl.yml @@ -0,0 +1,14 @@ +- name: Create web acl. + community.aws.wafv2_web_acl_info: + name: "{{ aws_acl.name }}" + scope: "{{ aws_acl.scope }}" + register: _created_acl + +- name: Add WAF to ALB. + community.aws.wafv2_resources: + name: "{{ aws_acl.name }}" + scope: REGIONAL + state: present + region: "{{ _aws_region }}" + arn: "{{ _aws_ec2_elb.load_balancer_arn }}" + when: _aws_ec2_elb is defined diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml index 56d51405d..cf2b24c52 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml 
@@ -3,6 +3,7 @@ ansible.builtin.include_role: name: aws/aws_acl when: + - aws_acl.name is defined - aws_acl.scope is defined - aws_acl.scope == 'CLOUDFRONT' From f2f2c96c0796e185ede46796ba531e1509312ed1 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 15 May 2024 15:17:22 +0200 Subject: [PATCH 130/331] Setting up proxy vhost pr 2.x (#1674) * Setting-up-proxy-vhost * Setting-up-proxy-vhost-2 --- docs/roles/aws/aws_acl.md | 56 ++++++++++++++------------- docs/roles/debian/nginx.md | 2 + roles/aws/aws_acl/README.md | 9 +---- roles/debian/nginx/README.md | 2 + roles/debian/nginx/defaults/main.yml | 2 + roles/debian/nginx/templates/proxy.j2 | 9 +++-- 6 files changed, 42 insertions(+), 38 deletions(-) diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md index 2022797f8..2fb609ca9 100644 --- a/docs/roles/aws/aws_acl.md +++ b/docs/roles/aws/aws_acl.md 
@@ -8,34 +8,36 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa ## Default variables ```yaml --- -rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking aws_acl: - name: example_master_acl - scope: CLOUDFRONT # Can be REGIONAL for ALBs - tags: {} - - botControl: true - inspection: "COMMON" # or set to TARGETED inspection level - - ip_allow: - name: "Allowed-ips" - list: [] - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 - - ip_block: - name: "Blocked-ips" - list: [] - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 - - cc_block_list: [] - #- BY # Belarus - #- CN # China - #- IR # Iran - #- SA # Saudi Arabia + - rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + acl_rules: + name: example_master_acl # Name of the ACL + description: "Master ACL for CF" + scope: CLOUDFRONT # Can be REGIONAL for ALBs + tags: {} + + botControl: false # Set to true to apply bot control + inspection: "COMMON" # or set to TARGETED inspection level + + ip_allow: + name: "Allowed-ips" + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 + + ip_block: + name: "Blocked-ips" + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 + + cc_block_list: [] + #- BY # Belarus + #- CN # China + #- IR # Iran + #- SA # Saudi Arabia ``` diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 1890f2f3b..4ac7b8601 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md 
@@ -54,6 +54,8 @@ nginx: fastcgi_buffers: "8 256k" cache_behavior_private: "add_header Cache-Control \"private, max-age=604800\"" cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\"" + proxy_host: localhost + proxy_port: 8443 # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index 1edfba012..2fb609ca9 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -5,7 +5,7 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa -## Default variables for creation of ACL (pass it as a list) +## Default variables ```yaml --- aws_acl: @@ -38,14 +38,7 @@ aws_acl: #- CN # China #- IR # Iran #- SA # Saudi Arabia -``` -## Default variables for assigning ACL to CF or ALB -```yaml ---- -aws_acl: - name: example_master_acl # Name of the ACL to apply - scope: CLOUDFRONT # Can be REGIONAL for ALBs ``` diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 1890f2f3b..4ac7b8601 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md @@ -54,6 +54,8 @@ nginx: fastcgi_buffers: "8 256k" cache_behavior_private: "add_header Cache-Control \"private, max-age=604800\"" cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\"" + proxy_host: localhost + proxy_port: 8443 # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index dc18d90ba..445527bb0 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml 
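Review bot: the heading change in roles/aws/aws_acl/README.md drops "(pass it as a list)" exactly when the example below it becomes a list (`aws_acl:` / `- rate_limit: 0` / `acl_rules:`), and the removed "Default variables for assigning ACL to CF or ALB" section was the only documentation of the dict form (`name` + `scope`) that set_acl.yml still consumes through `aws_acl.name`. Keep both sections, one for the list form handled by create_acl.yml and one for the dict form handled by set_acl.yml, and keep docs/roles/aws/aws_acl.md in step with it, since that file now carries the list example without saying that passing a dict selects the assign path instead.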
@@ -42,6 +42,8 @@ nginx: fastcgi_buffers: "8 256k" cache_behavior_private: "add_header Cache-Control \"private, max-age=604800\"" cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\"" + proxy_host: localhost + proxy_port: 8443 # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. diff --git a/roles/debian/nginx/templates/proxy.j2 b/roles/debian/nginx/templates/proxy.j2 index be1e87f82..7082396d9 100644 --- a/roles/debian/nginx/templates/proxy.j2 +++ b/roles/debian/nginx/templates/proxy.j2 @@ -1,3 +1,6 @@ -#location / { -#do something here -#} \ No newline at end of file +location / { + proxy_pass https://{{ nginx.http.proxy_host }}:{{ nginx.host.proxy_port }}/; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_redirect http:// https://; +} From bbad84fd7d71923359fe531197fe08efb0607af8 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 15 May 2024 17:10:37 +0200 Subject: [PATCH 131/331] Fixing-typo (#1676) --- roles/debian/nginx/templates/proxy.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/nginx/templates/proxy.j2 b/roles/debian/nginx/templates/proxy.j2 index 7082396d9..1b2888efe 100644 --- a/roles/debian/nginx/templates/proxy.j2 +++ b/roles/debian/nginx/templates/proxy.j2 @@ -1,5 +1,5 @@ location / { - proxy_pass https://{{ nginx.http.proxy_host }}:{{ nginx.host.proxy_port }}/; + proxy_pass https://{{ nginx.http.proxy_host }}:{{ nginx.http.proxy_port }}/; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect http:// https://; From 2f749bf48c5e96896324ede7bb9322242454259f Mon Sep 17 00:00:00 2001 
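Review bot: in roles/debian/nginx/templates/proxy.j2 the new `location /` block proxies to `https://{{ nginx.http.proxy_host }}:...` but sets no `proxy_set_header Host` and no `proxy_ssl_*` directives, so the upstream receives the bare host:port as Host and nginx does not verify the upstream certificate (proxy_ssl_verify defaults to off). If proxy_host can be anything other than localhost, add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate ...;` and `proxy_ssl_server_name on;` together with `proxy_set_header Host $host;`, or expose them as template variables beside proxy_host/proxy_port. Note that `$proxy_add_x_forwarded_for` appends to any client-supplied X-Forwarded-For, so the upstream must trust only the last address in that header. The `nginx.host.proxy_port` typo in this hunk is corrected by PATCH 131 (Fixing-typo), so the two patches should be squashed.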
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Mon, 20 May 2024 11:25:31 +0200 Subject: [PATCH 132/331] New-version-of-aws-acl-role (#1683) * New-version-of-aws-acl-role * Fixing-jinja-linting --------- Co-authored-by: Matej Stajduhar --- roles/aws/_aws_network_info/tasks/subnet.yml | 2 +- roles/aws/aws_acl/README.md | 68 +++++--- roles/aws/aws_acl/defaults/main.yml | 53 +++--- roles/aws/aws_acl/tasks/bot_control.yml | 21 ++- roles/aws/aws_acl/tasks/create_acl.yml | 160 +++++++----------- roles/aws/aws_acl/tasks/cyber_sec.yml | 113 +++++++++++++ roles/aws/aws_acl/tasks/increase_priority.yml | 11 ++ roles/aws/aws_acl/tasks/ip_sets.yml | 39 +++++ roles/aws/aws_acl/tasks/main.yml | 18 +- roles/aws/aws_acl/tasks/regular_rule.yml | 34 ++++ roles/aws/aws_acl/tasks/set_acl.yml | 6 +- roles/aws/aws_acl/templates/rate_limit.j2 | 1 + roles/aws/aws_efs/tasks/subnet.yml | 2 +- roles/aws/aws_efs/tasks/target.yml | 2 +- roles/aws/aws_elb/tasks/main.yml | 2 +- roles/aws/aws_elb/tasks/subnet.yml | 2 +- .../aws_elb/tasks/target_group_instances.yml | 2 +- roles/aws/aws_iam_role/tasks/main.yml | 2 +- roles/aws/aws_rds/tasks/main.yml | 8 +- roles/aws/aws_s3_bucket/tasks/main.yml | 4 +- roles/aws/aws_security_groups/tasks/main.yml | 2 +- roles/aws/aws_vpc/tasks/main.yml | 2 +- roles/aws/aws_vpc/tasks/security_group.yml | 2 +- roles/aws/aws_vpc_route/tasks/route.yml | 2 +- roles/aws/aws_vpc_route/tasks/subnet.yml | 4 +- roles/aws/aws_vpc_route/tasks/vpc.yml | 4 +- .../aws_vpc_subnet/tasks/gateway.ipv4.nat.yml | 4 +- roles/aws/aws_vpc_subnet/tasks/subnet.yml | 4 +- roles/debian/ansible/tasks/main.yml | 2 +- roles/debian/apt_repository/tasks/main.yml | 2 +- roles/debian/ce_deploy/tasks/main.yml | 4 +- roles/debian/ce_provision/tasks/main.yml | 4 +- roles/debian/clamav/tasks/main.yml | 2 +- roles/debian/docker_ce/tasks/main.yml | 2 +- roles/debian/gitlab/tasks/main.yml | 4 +- roles/debian/gitlab_runner/tasks/main.yml | 2 +- 
.../mysql_server_oracle_ce/tasks/main.yml | 2 +- roles/debian/nginx/defaults/main.yml | 2 +- roles/debian/nodejs/tasks/main.yml | 2 +- roles/debian/php-common/tasks/main.yml | 2 +- roles/debian/python_boto/tasks/main.yml | 2 +- roles/debian/ssl/tasks/letsencrypt.yml | 4 +- roles/debian/ssl/tasks/main.yml | 2 +- roles/debian/ssl/tasks/manual.yml | 2 +- roles/debian/ssl/tasks/selfsigned.yml | 2 +- roles/debian/ssl/tasks/unmanaged.yml | 2 +- roles/debian/varnish_config/tasks/main.yml | 4 +- 47 files changed, 399 insertions(+), 223 deletions(-) create mode 100644 roles/aws/aws_acl/tasks/cyber_sec.yml create mode 100644 roles/aws/aws_acl/tasks/increase_priority.yml create mode 100644 roles/aws/aws_acl/tasks/ip_sets.yml create mode 100644 roles/aws/aws_acl/tasks/regular_rule.yml create mode 100644 roles/aws/aws_acl/templates/rate_limit.j2 diff --git a/roles/aws/_aws_network_info/tasks/subnet.yml b/roles/aws/_aws_network_info/tasks/subnet.yml index beaa03606..68b8a3610 100644 --- a/roles/aws/_aws_network_info/tasks/subnet.yml +++ b/roles/aws/_aws_network_info/tasks/subnet.yml @@ -9,4 +9,4 @@ - name: Add public subnet to the list. ansible.builtin.set_fact: - _aws_ecs_cluster_public_subnets_ids: "{{ _aws_ecs_cluster_public_subnets_ids + [ _aws_ecs_cluster_public_subnet.subnets[0].subnet_id ] }}" + _aws_ecs_cluster_public_subnets_ids: "{{ _aws_ecs_cluster_public_subnets_ids + [_aws_ecs_cluster_public_subnet.subnets[0].subnet_id] }}" diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index 2fb609ca9..535ab39e4 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md 
@@ -5,40 +5,52 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa -## Default variables +## Default variables for creation of ACL (pass it as a list) ```yaml --- +--- aws_acl: - - rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - acl_rules: - name: example_master_acl # Name of the ACL - description: "Master ACL for CF" - scope: CLOUDFRONT # Can be REGIONAL for ALBs - tags: {} - - botControl: false # Set to true to apply bot control - inspection: "COMMON" # or set to TARGETED inspection level - - ip_allow: - name: "Allowed-ips" - list: [] - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 - - ip_block: - name: "Blocked-ips" - list: [] - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 + - name: example_master_acl + description: "Master ACL for CF" + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: "us-east-1" + tags: {} + rules: + rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + + ip_sets: + - name: "Allowed-ips-example" + action: allow + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 + - name: "Blocked-ips-example" + action: block + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 cc_block_list: [] - #- BY # Belarus - #- CN # China - #- IR # Iran - #- SA # Saudi Arabia + regular_rules: + - name: allow_panels + action: allow + string: "panels/ajax" + position: "CONTAINS" + +# cyber_sec: #Need to implement task +``` + +## Default variables for assigning ACL to CF or ALB +```yaml +--- +aws_acl: + name: example_master_acl # Name of the ACL to apply + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: "us-east-1" ``` 
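Review bot: the README now documents `botControl: "COMMON"` with the comment "comment out to avoid addign rule" (typo: adding) and a commented `# cyber_sec: #Need to implement task`; since create_acl.yml in this same patch includes cyber_sec.yml whenever `_acl.rules.cyber_sec is defined` and that file contains only comments, a user who uncomments the key gets neither a rule nor an error. State plainly that `cyber_sec` is not implemented yet, or make the include fail with an explicit message until it is. The `ip_sets[].action` and `regular_rules[].action` values should also be documented as allow or block only, because ip_sets.yml and regular_rule.yml splice the value straight into a YAML string.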
diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index 00bd71412..7808982f8 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml @@ -1,31 +1,34 @@ --- aws_acl: - - rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - acl_rules: - name: example_master_acl # Name of the ACL - description: "Master ACL for CF" - scope: CLOUDFRONT # Can be REGIONAL for ALBs - tags: {} + - name: example_master_acl + description: "Master ACL for CF" + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: "us-east-1" + tags: {} + rules: + rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) - botControl: false # Set to true to apply bot control - inspection: "COMMON" # or set to TARGETED inspection level + ip_sets: + - name: "Allowed-ips-example" + action: allow + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 + - name: "Blocked-ips-example" + action: block + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 - ip_allow: - name: "Allowed-ips" - list: [] - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 + cc_block_list: [] - ip_block: - name: "Blocked-ips" - list: [] - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 + regular_rules: + - name: allow_panels + action: allow + string: "panels/ajax" + position: "CONTAINS" - cc_block_list: [] - #- BY # Belarus - #- CN # China - #- IR # Iran - #- SA # Saudi Arabia +# cyber_sec: #Need to implement task diff --git a/roles/aws/aws_acl/tasks/bot_control.yml b/roles/aws/aws_acl/tasks/bot_control.yml index a3c86dda2..66dca0626 100644 --- a/roles/aws/aws_acl/tasks/bot_control.yml +++ b/roles/aws/aws_acl/tasks/bot_control.yml 
@@ -1,3 +1,4 @@ +--- - name: Define empty action rule list ansible.builtin.set_fact: _action_rules: [] @@ -59,7 +60,7 @@ action_to_use: block: {} - - name: Define empty action rule list + - name: Attach common action rules to list ansible.builtin.set_fact: _action_rules: "{{ _action_rules | default([]) + _action_rules_common }}" @@ -69,8 +70,8 @@ - a_w_s_managed_rules_bot_control_rule_set: inspection_level: "COMMON" -- name: Define rule actions targeted - when: aws_acl.inspection == "TARGETED" +- name: Define targeted actions rules + when: _acl.rules.botControl == "TARGETED" block: - name: Define targeted actions ansible.builtin.set_fact: @@ -97,7 +98,7 @@ action_to_use: block: {} - - name: Define empty action rule list + - name: Attach targeted action rules to list ansible.builtin.set_fact: _action_rules: "{{ _action_rules | default([]) + _action_rules_tgt }}" @@ -111,8 +112,7 @@ - name: Define Bot Control rule. ansible.builtin.set_fact: bot_control: - - name: bot_control - priority: 4 + name: bot_control # action: # block: {} override_action: @@ -128,6 +128,13 @@ managed_rule_group_configs: "{{ _rule_config }}" rule_action_overrides: "{{ _action_rules }}" +- name: Append priority to rule. + ansible.builtin.set_fact: + bot_control: "{{ bot_control | combine(_priority_dict) }}" + - name: Add rule to list. ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + bot_control}}" + _rules: "{{ _rules + [bot_control] }}" + +- name: Increase priority. + ansible.builtin.include_tasks: increase_priority.yml diff --git a/roles/aws/aws_acl/tasks/create_acl.yml b/roles/aws/aws_acl/tasks/create_acl.yml index a4c7b86ff..bba4a4b7d 100644 --- a/roles/aws/aws_acl/tasks/create_acl.yml +++ b/roles/aws/aws_acl/tasks/create_acl.yml 
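Review bot: the targeted block's condition becomes `_acl.rules.botControl == "TARGETED"`, but the diff does not show the matching condition for the COMMON block (its context still shows `inspection_level: "COMMON"`); check that it no longer reads `aws_acl.inspection`, which is undefined under the new `_acl.rules.botControl` schema and would abort the play. The rule is now a dict (`name: bot_control`) that receives its priority from `_priority_dict` and is appended with `_rules + [bot_control]`, which is consistent with create_acl.yml; the retained commented `# action:` / `# block: {}` lines deserve a one-line comment explaining that a managed rule group takes `override_action` rather than `action`, so nobody re-enables them.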
@@ -1,97 +1,35 @@ +--- - name: Define dict for rules. ansible.builtin.set_fact: - _acl_rules: [] + _rules: [] -- name: Define region if scope is REGIONAL. - ansible.builtin.set_fact: - _acl_region: "{{ _aws_region }}" - when: _acl.acl_rules.scope == "REGIONAL" +- name: Set priority counter + set_fact: + _priority: 0 + _priority_dict: {} -- name: Define region if scope is CLOUDFRONT. - ansible.builtin.set_fact: - _acl_region: "us-east-1" - when: _acl.acl_rules.scope == "CLOUDFRONT" +- name: Increase priority and set dict for 1st rule. + ansible.builtin.include_tasks: increase_priority.yml -- name: Set IP block rule. +# Priority is set to 0 here +- name: Create IP set rules. + ansible.builtin.include_tasks: ip_sets.yml when: - - _acl.acl_rules.ip_block is defined - - _acl.acl_rules.ip_block.list | length > 0 - block: - - name: Create IP block set for WAF. - community.aws.wafv2_ip_set: - name: "{{ _acl.acl_rules.ip_block.name }}" - state: present - description: Set of blocked IPs - scope: "{{ _acl.acl_rules.scope }}" - region: "{{ _acl_region }}" - ip_address_version: IPV4 - addresses: "{{ _acl.acl_rules.ip_block.list }}" - register: _ip_set_info - - - name: Create IP block rule. - ansible.builtin.set_fact: - ip_block_rule: - - name: "{{ _acl.acl_rules.ip_block.name }}" - priority: 0 - action: - block: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: Block_IPs - statement: - ip_set_reference_statement: - arn: "{{ _ip_set_info.arn }}" - - - name: Add rule to list. - ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + ip_block_rule }}" - -- name: Set IP allow rule. - when: - - _acl.acl_rules.ip_allow is defined - - _acl.acl_rules.ip_allow.list | length > 0 - block: - - name: Create IP allow set for WAF. 
- community.aws.wafv2_ip_set: - name: "{{ _acl.acl_rules.ip_allow.name }}" - state: present - description: Set of allowed IPs - scope: "{{ _acl.acl_rules.scope }}" - region: "{{ _acl_region }}" - ip_address_version: IPV4 - addresses: "{{ _acl.acl_rules.ip_allow.list }}" - register: _ip_set_info - - - name: Create IP allow rule. - ansible.builtin.set_fact: - ip_allow_rule: - - name: "{{ _acl.acl_rules.ip_allow.name }}" - priority: 1 - action: - allow: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: Allow_IPs - statement: - ip_set_reference_statement: - arn: "{{ _ip_set_info.arn }}" - - - name: Add rule to list. - ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + ip_allow_rule }}" + - _acl.rules.ip_sets is defined + - _acl.rules.ip_sets | length > 0 + loop: "{{ _acl.rules.ip_sets | list }}" + loop_control: + loop_var: _ip_set - name: Set country block rule. when: - - _acl.acl_rules.cc_block_list is defined - - _acl.acl_rules.cc_block_list | length > 0 + - _acl.rules.cc_block_list is defined + - _acl.rules.cc_block_list | length > 0 block: - name: Create country block rule ansible.builtin.set_fact: cc_block_rule: - - name: block_countries - priority: 2 + name: block_countries action: block: {} visibility_config: 
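Review bot: the comment `# Priority is set to 0 here` above "Create IP set rules." is wrong: `_priority` is set to 0 and increase_priority.yml is included immediately, so the first rule gets priority 1 (WAF priorities only need to be unique, not zero-based). Drop the literal numbers from these comments, since which rules exist now depends on the configuration. Style: `set_fact:` in "Set priority counter" should be `ansible.builtin.set_fact:` like every other task in the file, and `| list` on `_acl.rules.ip_sets` is redundant for a list. Note also that IP sets are now the lowest-numbered rules, so an `allow` IP set is a terminating match evaluated before the country block, rate limit and bot control rules; that is sensible for a trusted-IP bypass but worth stating in the README so nobody puts an over-broad range into an allow set.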
@@ -100,17 +38,24 @@ metric_name: block_countries statement: geo_match_statement: # Can't find the actual name, I got this from aws rule JSON formated - country_codes: "{{ _acl.acl_rules.cc_block_list }}" + country_codes: "{{ _acl.rules.cc_block_list }}" + + - name: Append priority to rule. + ansible.builtin.set_fact: + cc_block_rule: "{{ cc_block_rule | combine(_priority_dict) }}" - name: Add rule to list ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + cc_block_rule }}" + _rules: "{{ _rules + [cc_block_rule] }}" + + - name: Increase priority. + ansible.builtin.include_tasks: increase_priority.yml # Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int) - name: Set rate limit variable. when: - - _acl.rate_limit is defined - - _acl.rate_limit > 0 + - _acl.rules.rate_limit is defined + - _acl.rules.rate_limit > 0 block: - name: Set rate based statement from template ansible.builtin.set_fact: @@ -119,8 +64,7 @@ - name: Define rate rule. ansible.builtin.set_fact: rate_rule: - - name: Rate_limit - priority: 3 + name: Rate_limit action: block: {} visibility_config: 
@@ -130,28 +74,48 @@ statement: rate_based_statement: "{{ _rbs }}" + - name: Append priority to rule. + ansible.builtin.set_fact: + rate_rule: "{{ rate_rule | combine(_priority_dict) }}" + - name: Add rule to list. ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + rate_rule}}" + _rules: "{{ _rules + [rate_rule] }}" -- name: Include task Bot Control. - when: - - _acl.acl_rules.botControl is defined - - _acl.acl_rules.botControl + - name: Increase priority. + ansible.builtin.include_tasks: increase_priority.yml + +# Priority is set to 4 here +- name: Create Bot Control rule. + when: _acl.rules.botControl is defined ansible.builtin.include_tasks: file: bot_control.yml +# Priority is set to 5 here +- name: Create regular rules. + ansible.builtin.include_tasks: regular_rule.yml + when: + - _acl.rules.regular_rules is defined + - _acl.rules.regular_rules | length > 0 + loop: "{{ _acl.rules.regular_rules | list }}" + loop_control: + loop_var: _reg_rule + +- name: Create CyberSecurityCloudInc rule. + ansible.builtin.include_tasks: cyber_sec.yml + when: _acl.rules.cyber_sec is defined + - name: Create web acl. community.aws.wafv2_web_acl: - name: "{{ _acl.acl_rules.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ - description: "{{ _acl.acl_rules.description }}" - scope: "{{ _acl.acl_rules.scope }}" - region: "{{ _acl_region }}" + name: "{{ _acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ + description: "{{ _acl.description }}" + scope: "{{ _acl.scope }}" + region: "{{ _acl.region }}" default_action: Allow # or "Block" sampled_requests: false cloudwatch_metrics: true # or "false" to disable metrics metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name) - rules: "{{ _acl_rules }}" + rules: "{{ _rules }}" purge_rules: true - tags: "{{ _acl.acl_rules.tags }}" + tags: "{{ _acl.tags }}" state: present 
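Review bot: `# Priority is set to 4 here` and `# Priority is set to 5 here` only hold when every preceding optional rule is enabled; priorities are assigned by the counter now, so these comments should go. `metric_name: test-metric-name` is still a placeholder (the comment admits it) and, being a fixed value, makes every ACL created from the list share one CloudWatch metric; derive it from `_acl.name`. The "Create CyberSecurityCloudInc rule." include points at cyber_sec.yml, which is comment-only in this patch, so a defined `cyber_sec` silently adds nothing; gate it with `ansible.builtin.fail` or remove the include until the task exists.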
diff --git a/roles/aws/aws_acl/tasks/cyber_sec.yml b/roles/aws/aws_acl/tasks/cyber_sec.yml new file mode 100644 index 000000000..978213b30 --- /dev/null +++ b/roles/aws/aws_acl/tasks/cyber_sec.yml @@ -0,0 +1,113 @@ +#{ +# "Name": "CyberSecurityCloudInc-CyberSecurityCloud-HighSecurityOWASPSet-", +# "Priority": 7, +# "Statement": { +# "ManagedRuleGroupStatement": { +# "VendorName": "Cyber Security Cloud Inc.", +# "Name": "CyberSecurityCloud-HighSecurityOWASPSet-", +# "ExcludedRules": [ +# { +# "Name": "bad_useragent-header-001" +# }, +# { +# "Name": "cookie-body-001" +# }, +# { +# "Name": "cookie-qs-001" +# }, +# { +# "Name": "drupal-multi-001" +# }, +# { +# "Name": "drupal-multi-002" +# }, +# { +# "Name": "joomla-multi-001" +# }, +# { +# "Name": "ldapi-url-001" +# }, +# { +# "Name": "nosqli-body-001" +# }, +# { +# "Name": "nosqli-qs-001" +# }, +# { +# "Name": "oracle-multi-001" +# }, +# { +# "Name": "oscommandi-body-001" +# }, +# { +# "Name": "oscommandi-qs-001" +# }, +# { +# "Name": "pathtraversal-body-001" +# }, +# { +# "Name": "pathtraversal-qs-001" +# }, +# { +# "Name": "pathtraversal-url-001" +# }, +# { +# "Name": "rails-header-001" +# }, +# { +# "Name": "sqli-body-001" +# }, +# { +# "Name": "sqli-body-002" +# }, +# { +# "Name": "sqli-qs-001" +# }, +# { +# "Name": "sqli-qs-002" +# }, +# { +# "Name": "sqli-url-001" +# }, +# { +# "Name": "ssrf-multi-001" +# }, +# { +# "Name": "struts-multi-001" +# }, +# { +# "Name": "struts-multi-002" +# }, +# { +# "Name": "struts-multi-003" +# }, +# { +# "Name": "suspicious_access-url-001" +# }, +# { +# "Name": "tomcat-multi-001" +# }, +# { +# "Name": "xss-body-001" +# }, +# { +# "Name": "xss-qs-001" +# }, +# { +# "Name": "xxe-ssci-body-001" +# }, +# { +# "Name": "xxe-ssci-qs-001" +# } +# ] +# } +# }, +# "OverrideAction": { +# "None": {} +# }, +# "VisibilityConfig": { +# "SampledRequestsEnabled": true, +# "CloudWatchMetricsEnabled": true, +# "MetricName": "CyberSecurityCloudInc-CyberSecurityCloud-HighSecurityOWASPSet-" +# } +#} 
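Review bot: roles/aws/aws_acl/tasks/cyber_sec.yml is added as 113 commented lines and no tasks; if it is a reference for a future implementation, keep it in the README or as an example file rather than a tasks file that is included at runtime. When the rule is implemented, note that the copied `ExcludedRules` list excludes the SQLi, XSS, path traversal, OS command injection, SSRF, XXE and Drupal signatures, i.e. most of the coverage this managed group exists for; make the exclusion list a configurable variable that defaults to empty, and prefer overriding those rules to `count` over excluding them outright so their matches still appear in the WAF logs while tuning.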
diff --git a/roles/aws/aws_acl/tasks/increase_priority.yml b/roles/aws/aws_acl/tasks/increase_priority.yml new file mode 100644 index 000000000..1d305ab25 --- /dev/null +++ b/roles/aws/aws_acl/tasks/increase_priority.yml @@ -0,0 +1,11 @@ +- name: Increase counter + ansible.builtin.set_fact: + _priority: "{{ _priority | default(0) | int + 1 }}" + +- name: Set dict string + ansible.builtin.set_fact: + _priority_dict_string: "{ priority: {{ _priority }} }" + +- name: Set dict + ansible.builtin.set_fact: + _priority_dict: "{{ _priority_dict_string | from_yaml }}" diff --git a/roles/aws/aws_acl/tasks/ip_sets.yml b/roles/aws/aws_acl/tasks/ip_sets.yml new file mode 100644 index 000000000..d4ba9b345 --- /dev/null +++ b/roles/aws/aws_acl/tasks/ip_sets.yml @@ -0,0 +1,39 @@ +--- +- name: Create IP set for WAF. + community.aws.wafv2_ip_set: + name: "{{ _ip_set.name }}" + state: present + description: Set of blocked IPs + scope: "{{ _acl.scope }}" + region: "{{ _acl.region }}" + ip_address_version: IPV4 + addresses: "{{ _ip_set.list }}" + register: _ip_set_info + +- name: Set action string + ansible.builtin.set_fact: + _action: "{ {{ _ip_set.action }}: {} }" + +- name: Create IP block rule. + ansible.builtin.set_fact: + ip_block_rule: + name: "{{ _ip_set.name }}" + action: "{{ _action | from_yaml }}" + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "{{ _ip_set.name }}" + statement: + ip_set_reference_statement: + arn: "{{ _ip_set_info.arn }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + ip_block_rule: "{{ ip_block_rule | combine(_priority_dict) }}" + +- name: Add rule to list. + ansible.builtin.set_fact: + _rules: "{{ _rules + [ip_block_rule] }}" + +- name: Increase priority. + ansible.builtin.include_tasks: increase_priority.yml diff --git a/roles/aws/aws_acl/tasks/main.yml b/roles/aws/aws_acl/tasks/main.yml index 789765587..d432c1d82 100644 --- a/roles/aws/aws_acl/tasks/main.yml 
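Review bot: ip_sets.yml hard-codes `description: Set of blocked IPs` and names the fact `ip_block_rule` even though the same file is used for `action: allow` sets; derive the description from `_ip_set.action` (or take it from the item) so the console does not label an allow list as blocked. "Set action string" interpolates `_ip_set.action` into `"{ {{ _ip_set.action }}: {} }"` and parses it with `from_yaml` with no check, so a typo such as `alow` yields a rule with an unknown action key that only fails at the wafv2_web_acl call; add an `ansible.builtin.assert` that the action is one of allow, block or count before building the rule. `ip_address_version: IPV4` is also fixed, so any IPv6 entry in `list` is rejected by the API; accept a version field per set or split entries by address family.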
+++ b/roles/aws/aws_acl/tasks/main.yml @@ -1,21 +1,11 @@ -- name: Define and set _acl_list to true. - ansible.builtin.set_fact: - _acl_list: true - -- name: Change _acl_list to false if aws_acl is dict. - ansible.builtin.set_fact: - _acl_list: false - when: aws_acl | type_debug == 'dict' - +--- - name: Create ACLs when list is passed. ansible.builtin.include_tasks: create_acl.yml - when: - - _acl_list - loop: "{{ aws_acl }}" + when: aws_acl | type_debug == 'list' + loop: "{{ aws_acl | list }}" loop_control: loop_var: _acl - name: Set ACL to CF/ALB. ansible.builtin.include_tasks: set_acl.yml - when: - - not _acl_list + when: aws_acl | type_debug == 'dict' diff --git a/roles/aws/aws_acl/tasks/regular_rule.yml b/roles/aws/aws_acl/tasks/regular_rule.yml new file mode 100644 index 000000000..f0a4ded0b --- /dev/null +++ b/roles/aws/aws_acl/tasks/regular_rule.yml @@ -0,0 +1,34 @@ +--- +- name: Set action string + ansible.builtin.set_fact: + _action: "{ {{ _reg_rule.action }}: {} }" + +- name: Create regular rule + ansible.builtin.set_fact: + regular_rule: + name: "{{ _reg_rule.name }}" + action: "{{ _action | from_yaml }}" + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "{{ _reg_rule.name }}" + statement: + byte_match_statement: + field_to_match: + uri_path: {} + positional_constraint: "{{ _reg_rule.position }}" + search_string: "{{ _reg_rule.string }}" + text_transformations: + - type: "NONE" + priority: 0 + +- name: Append priority to rule. + ansible.builtin.set_fact: + regular_rule: "{{ regular_rule | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [regular_rule] }}" + +- name: Increase priority. + ansible.builtin.include_tasks: increase_priority.yml diff --git a/roles/aws/aws_acl/tasks/set_acl.yml b/roles/aws/aws_acl/tasks/set_acl.yml index a00143413..3ea9077b1 100644 --- a/roles/aws/aws_acl/tasks/set_acl.yml +++ b/roles/aws/aws_acl/tasks/set_acl.yml 
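Review bot: regular_rule.yml fixes `text_transformations` to `type: "NONE"`, so the byte match on `uri_path` sees only the raw path; for a block rule that means percent-encoded or non-normalised spellings of the same path are not matched, which is the usual reason to apply URL_DECODE and NORMALIZE_PATH before matching. Expose the transformation list per rule (defaulting to those two for block rules) and, as in ip_sets.yml, validate `_reg_rule.action` before splicing it into `_action`. Because `allow` is a terminating action and these rules are added after bot control, any request whose path CONTAINS the string skips every later rule including the cyber_sec group; the README should say so, since `allow_panels` / `panels/ajax` ships as the default.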
@@ -1,13 +1,15 @@ -- name: Create web acl. +--- +- name: Find created web acl. community.aws.wafv2_web_acl_info: name: "{{ aws_acl.name }}" scope: "{{ aws_acl.scope }}" + region: "{{ aws_acl.region }}" register: _created_acl - name: Add WAF to ALB. community.aws.wafv2_resources: name: "{{ aws_acl.name }}" - scope: REGIONAL + scope: REGIONAL # WAF for ALBs are regional only state: present region: "{{ _aws_region }}" arn: "{{ _aws_ec2_elb.load_balancer_arn }}" diff --git a/roles/aws/aws_acl/templates/rate_limit.j2 b/roles/aws/aws_acl/templates/rate_limit.j2 new file mode 100644 index 000000000..410b0026f --- /dev/null +++ b/roles/aws/aws_acl/templates/rate_limit.j2 @@ -0,0 +1 @@ +{ limit: {{ _acl.rules.rate_limit }}, aggregate_key_type: IP } diff --git a/roles/aws/aws_efs/tasks/subnet.yml b/roles/aws/aws_efs/tasks/subnet.yml index 5daa24026..ca7eae818 100644 --- a/roles/aws/aws_efs/tasks/subnet.yml +++ b/roles/aws/aws_efs/tasks/subnet.yml @@ -9,4 +9,4 @@ - name: Add subnet id to the ids list. ansible.builtin.set_fact: - _aws_efs_subnets_ids: "{{ _aws_efs_subnets_ids + [ _aws_efs_subnet.subnets[0].subnet_id ] }}" + _aws_efs_subnets_ids: "{{ _aws_efs_subnets_ids + [_aws_efs_subnet.subnets[0].subnet_id] }}" diff --git a/roles/aws/aws_efs/tasks/target.yml b/roles/aws/aws_efs/tasks/target.yml index 117b9161f..5262e1f07 100644 --- a/roles/aws/aws_efs/tasks/target.yml +++ b/roles/aws/aws_efs/tasks/target.yml @@ -2,4 +2,4 @@ # _aws_security_group_list variable populated by the aws_security_groups role. - name: Add subnet to the list of EFS targets. ansible.builtin.set_fact: - _aws_efs_targets: "{{ _aws_efs_targets | combine({target: {'subnet_id': target, 'security_groups': _aws_security_group_list }}) }}" + _aws_efs_targets: "{{ _aws_efs_targets | combine({target: {'subnet_id': target, 'security_groups': _aws_security_group_list}}) }}" diff --git a/roles/aws/aws_elb/tasks/main.yml b/roles/aws/aws_elb/tasks/main.yml index 59443e1b3..39286bf35 100644 
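Review bot: "Find created web acl." now passes `region: "{{ aws_acl.region }}"` while "Add WAF to ALB." still uses `region: "{{ _aws_region }}"`; if the two differ, the association is attempted in a different region from the lookup, so use `aws_acl.region` in both (the new README example for the dict form includes it). `_created_acl` is still registered and unused; either assert the lookup found the ACL before associating it or drop the register. The association also runs whenever `_aws_ec2_elb is defined`, even when `aws_acl.scope` is CLOUDFRONT, in which case a CloudFront-scoped ACL name is submitted as `scope: REGIONAL`; add `aws_acl.scope == 'REGIONAL'` to the `when`.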
--- a/roles/aws/aws_elb/tasks/main.yml +++ b/roles/aws/aws_elb/tasks/main.yml @@ -99,7 +99,7 @@ - name: Add HTTPS Listener. ansible.builtin.set_fact: - _aws_ec2_listeners: "{{ [ _aws_ec2_listeners_redirect, _aws_ec2_listeners_https ] }}" + _aws_ec2_listeners: "{{ [_aws_ec2_listeners_redirect, _aws_ec2_listeners_https] }}" when: _ssl_certificate_ARN | length > 1 - name: Add custom Listeners. diff --git a/roles/aws/aws_elb/tasks/subnet.yml b/roles/aws/aws_elb/tasks/subnet.yml index 102a0417a..bc2f0b63b 100644 --- a/roles/aws/aws_elb/tasks/subnet.yml +++ b/roles/aws/aws_elb/tasks/subnet.yml @@ -9,4 +9,4 @@ - name: Add public subnet to the list. ansible.builtin.set_fact: - _aws_ec2_elb_public_subnets_ids: "{{ _aws_ec2_elb_public_subnets_ids + [ _aws_ec2_elb_public_subnet.subnets[0].subnet_id ] }}" + _aws_ec2_elb_public_subnets_ids: "{{ _aws_ec2_elb_public_subnets_ids + [_aws_ec2_elb_public_subnet.subnets[0].subnet_id] }}" diff --git a/roles/aws/aws_elb/tasks/target_group_instances.yml b/roles/aws/aws_elb/tasks/target_group_instances.yml index cf2aed0b1..50e066af8 100644 --- a/roles/aws/aws_elb/tasks/target_group_instances.yml +++ b/roles/aws/aws_elb/tasks/target_group_instances.yml @@ -9,4 +9,4 @@ - name: Add instance to target group list. ansible.builtin.set_fact: - _targets: "{{ _targets + [ {'Id': _aws_ec2_target_group_instance.instances[0].instance_id, 'Port': target_group.targets_port} ] }}" + _targets: "{{ _targets + [{'Id': _aws_ec2_target_group_instance.instances[0].instance_id, 'Port': target_group.targets_port}] }}" diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml index e82a47acb..2c2973e93 100644 --- a/roles/aws/aws_iam_role/tasks/main.yml +++ b/roles/aws/aws_iam_role/tasks/main.yml 
@@ -12,4 +12,4 @@ - name: Register aws_iam_role results. ansible.builtin.set_fact: - aws_iam_role: "{{ aws_iam_role | combine( { '_result': { aws_iam_role.name : _aws_iam_role_result } } ) }}" + aws_iam_role: "{{ aws_iam_role | combine({'_result': { aws_iam_role.name : _aws_iam_role_result}}) }}" diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml index bac008c02..bf4720f5e 100644 --- a/roles/aws/aws_rds/tasks/main.yml +++ b/roles/aws/aws_rds/tasks/main.yml @@ -34,7 +34,7 @@ copy_tags_to_snapshot: true publicly_accessible: "{{ aws_rds.publicly_accessible }}" profile: "{{ aws_rds.aws_profile }}" - tags: "{{ aws_rds.tags | combine({ 'Name': aws_rds.name + '-' + aws_rds.aurora_suffix }) }}" + tags: "{{ aws_rds.tags | combine({'Name': aws_rds.name + '-' + aws_rds.aurora_suffix}) }}" allow_major_version_upgrade: false apply_immediately: true wait: true @@ -54,7 +54,7 @@ copy_tags_to_snapshot: true publicly_accessible: "{{ aws_rds.publicly_accessible }}" profile: "{{ aws_rds.aws_profile }}" - tags: "{{ aws_rds.tags | combine({ 'Name': aws_rds.name + '-' + aws_rds.aurora_reader_suffix }) }}" + tags: "{{ aws_rds.tags | combine({'Name': aws_rds.name + '-' + aws_rds.aurora_reader_suffix}) }}" allow_major_version_upgrade: false apply_immediately: true wait: true @@ -103,7 +103,7 @@ preferred_maintenance_window: "{{ aws_rds.preferred_maintenance_window | default(omit) }}" allow_major_version_upgrade: "{{ aws_rds.allow_major_version_upgrade }}" auto_minor_version_upgrade: "{{ aws_rds.auto_minor_version_upgrade | default(omit) }}" - tags: "{{ aws_rds.tags | combine({ 'Name': aws_rds.name }) }}" + tags: "{{ aws_rds.tags | combine({'Name': aws_rds.name}) }}" state: "{{ aws_rds.state }}" apply_immediately: true wait: true 
@@ -199,7 +199,7 @@ - name: Add instance info. ansible.builtin.set_fact: - aws_rds_facts: "{{ aws_rds_facts | combine( {aws_rds.name: _rds_instance_info} ) }}" + aws_rds_facts: "{{ aws_rds_facts | combine({aws_rds.name: _rds_instance_info}) }}" - name: Assign resource to backup plan. ansible.builtin.include_role: diff --git a/roles/aws/aws_s3_bucket/tasks/main.yml b/roles/aws/aws_s3_bucket/tasks/main.yml index d5ae0ce71..8abcffa76 100644 --- a/roles/aws/aws_s3_bucket/tasks/main.yml +++ b/roles/aws/aws_s3_bucket/tasks/main.yml @@ -3,7 +3,7 @@ profile: "{{ aws_s3_bucket.aws_profile }}" region: "{{ aws_s3_bucket.region }}" name: "{{ aws_s3_bucket.name }}" - tags: "{{ aws_s3_bucket.tags | combine( { 'Name': aws_s3_bucket.name } ) }}" + tags: "{{ aws_s3_bucket.tags | combine({'Name': aws_s3_bucket.name}) }}" state: present register: _aws_s3_bucket_bucket @@ -24,4 +24,4 @@ - name: Register aws_s3_bucket results. ansible.builtin.set_fact: - aws_s3_bucket: "{{ aws_s3_bucket | combine( { '_result': { aws_s3_bucket.name : { 'bucket': _aws_s3_bucket_bucket, 'policy': _aws_s3_bucket_bucket_policy } } } ) }}" + aws_s3_bucket: "{{ aws_s3_bucket | combine({'_result': {aws_s3_bucket.name: {'bucket': _aws_s3_bucket_bucket, 'policy': _aws_s3_bucket_bucket_policy}}}) }}" diff --git a/roles/aws/aws_security_groups/tasks/main.yml b/roles/aws/aws_security_groups/tasks/main.yml index 1076d586f..c356e05a6 100644 --- a/roles/aws/aws_security_groups/tasks/main.yml +++ b/roles/aws/aws_security_groups/tasks/main.yml @@ -16,7 +16,7 @@ - name: Create list of security group IDs. ansible.builtin.set_fact: - _aws_security_group_ids: "{{ _aws_security_group_ids + [ item.group_id ] }}" + _aws_security_group_ids: "{{ _aws_security_group_ids + [item.group_id] }}" with_items: "{{ _aws_security_groups.security_groups }}" - name: Set return variable to SG names. diff --git a/roles/aws/aws_vpc/tasks/main.yml b/roles/aws/aws_vpc/tasks/main.yml index 40a4b899a..b800f039e 100644 
--- a/roles/aws/aws_vpc/tasks/main.yml +++ b/roles/aws/aws_vpc/tasks/main.yml @@ -33,7 +33,7 @@ region: "{{ aws_vpc.region }}" vpc_id: "{{ _aws_vpc_vpc.vpc.id }}" state: present - tags: "{{ aws_vpc.tags | combine({ 'Name': aws_vpc.name }) }}" + tags: "{{ aws_vpc.tags | combine({'Name': aws_vpc.name}) }}" register: _aws_vpc_gateway - name: Update Main route table. diff --git a/roles/aws/aws_vpc/tasks/security_group.yml b/roles/aws/aws_vpc/tasks/security_group.yml index d86ca9463..0c63b1063 100644 --- a/roles/aws/aws_vpc/tasks/security_group.yml +++ b/roles/aws/aws_vpc/tasks/security_group.yml @@ -3,7 +3,7 @@ name: "{{ security_group.name }}" profile: "{{ aws_vpc.aws_profile }}" region: "{{ aws_vpc.region }}" - tags: "{{ aws_vpc.tags | combine({ 'Name': security_group.name }) }}" + tags: "{{ aws_vpc.tags | combine({'Name': security_group.name}) }}" state: "{{ aws_vpc.state }}" vpc_id: "{{ _aws_vpc_vpc.vpc.id }}" description: "{{ security_group.description }}" diff --git a/roles/aws/aws_vpc_route/tasks/route.yml b/roles/aws/aws_vpc_route/tasks/route.yml index e353623af..b54349ac7 100644 --- a/roles/aws/aws_vpc_route/tasks/route.yml +++ b/roles/aws/aws_vpc_route/tasks/route.yml @@ -13,5 +13,5 @@ - name: Add route to the list. ansible.builtin.set_fact: - _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine( { _aws_vpc_route_route.dest: _aws_vpc_route_route } ) }}" + _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine({_aws_vpc_route_route.dest: _aws_vpc_route_route}) }}" when: ( route.gateway_id is undefined or route.gateway_id != 'local' ) diff --git a/roles/aws/aws_vpc_route/tasks/subnet.yml b/roles/aws/aws_vpc_route/tasks/subnet.yml index 051396b1f..c905ae540 100644 --- a/roles/aws/aws_vpc_route/tasks/subnet.yml +++ b/roles/aws/aws_vpc_route/tasks/subnet.yml 
@@ -21,14 +21,14 @@ - name: Add/replace subnets CIDR block routes. ansible.builtin.set_fact: - _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine( { new_route.dest: new_route } ) }}" + _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine({new_route.dest: new_route}) }}" with_items: "{{ aws_vpc_route.routes }}" loop_control: loop_var: new_route - name: Construct final routes list. ansible.builtin.set_fact: - _aws_vpc_route_new_routes: "{{ _aws_vpc_route_new_routes + [ item.value ] }}" + _aws_vpc_route_new_routes: "{{ _aws_vpc_route_new_routes + [item.value] }}" with_items: "{{ _aws_vpc_route_routes | dict2items() }}" - name: Create new route table. diff --git a/roles/aws/aws_vpc_route/tasks/vpc.yml b/roles/aws/aws_vpc_route/tasks/vpc.yml index c6a1ca8c3..bd14e4d66 100644 --- a/roles/aws/aws_vpc_route/tasks/vpc.yml +++ b/roles/aws/aws_vpc_route/tasks/vpc.yml @@ -20,14 +20,14 @@ - name: Add/replace subnets CIDR block routes. ansible.builtin.set_fact: - _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine( { new_route.dest: new_route } ) }}" + _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine({new_route.dest: new_route}) }}" with_items: "{{ aws_vpc_route.routes }}" loop_control: loop_var: new_route - name: Construct final routes list. ansible.builtin.set_fact: - _aws_vpc_route_new_routes: "{{ _aws_vpc_route_new_routes + [ item.value ] }}" + _aws_vpc_route_new_routes: "{{ _aws_vpc_route_new_routes + [item.value] }}" with_items: "{{ _aws_vpc_route_routes | dict2items() }}" - name: Add routes to route table. diff --git a/roles/aws/aws_vpc_subnet/tasks/gateway.ipv4.nat.yml b/roles/aws/aws_vpc_subnet/tasks/gateway.ipv4.nat.yml index 651692b68..d00bf8daf 100644 --- a/roles/aws/aws_vpc_subnet/tasks/gateway.ipv4.nat.yml +++ b/roles/aws/aws_vpc_subnet/tasks/gateway.ipv4.nat.yml 
@@ -12,7 +12,7 @@ amazon.aws.ec2_vpc_nat_gateway: profile: "{{ aws_vpc_subnet.aws_profile }}" region: "{{ aws_vpc_subnet.region }}" - tags: "{{ aws_vpc_subnet.tags | combine({ 'Name': subnet.name }) }}" + tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}" subnet_id: "{{ _aws_vpc_subnet_subnet.subnet.id }}" wait: true allocation_id: "{{ _aws_vpc_subnet_eip.addresses[0].allocation_id | default(omit) }}" @@ -22,6 +22,6 @@ - name: Ensure EIP is tagged properly. amazon.aws.ec2_tag: resource: "{{ _aws_vpc_subnet_gateway.nat_gateway_addresses[0].allocation_id }}" - tags: "{{ aws_vpc_subnet.tags | combine({ 'Name': subnet.name }) }}" + tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}" profile: "{{ aws_vpc_subnet.aws_profile }}" region: "{{ aws_vpc_subnet.region }}" diff --git a/roles/aws/aws_vpc_subnet/tasks/subnet.yml b/roles/aws/aws_vpc_subnet/tasks/subnet.yml index f486d1f17..53bc94f4b 100644 --- a/roles/aws/aws_vpc_subnet/tasks/subnet.yml +++ b/roles/aws/aws_vpc_subnet/tasks/subnet.yml @@ -22,7 +22,7 @@ cidr: "{{ subnet.cidr_block }}" ipv6_cidr: "{{ _ipv6_subnet_cidr if subnet.ipv6_cidr_block is defined and subnet.ipv6_cidr_block | length > 0 else '' }}" region: "{{ aws_vpc_subnet.region }}" - tags: "{{ aws_vpc_subnet.tags | combine( { 'Name': subnet.name } ) }}" + tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}" az: "{{ aws_vpc_subnet.region }}{{ subnet.az }}" state: "{{ aws_vpc_subnet.state }}" vpc_id: "{{ _aws_vpc_subnet_vpc_id }}" @@ -38,7 +38,7 @@ name: "{{ subnet.name }}" profile: "{{ aws_vpc_subnet.aws_profile }}" region: "{{ aws_vpc_subnet.region }}" - tags: "{{ aws_vpc_subnet.tags | combine( { 'Name': subnet.name } ) }}" + tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}" state: "{{ aws_vpc_subnet.state }}" vpc_id: "{{ _aws_vpc_subnet_vpc_id }}" description: "Allow internal traffic for subnet {{ subnet.name }}" 
diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index 55ddd724d..e94c9eaaf 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml @@ -68,7 +68,7 @@ - name: Turn the timer string into a dictionary. ansible.builtin.set_fact: - _timer: "{{ _timer.splitlines()|map('from_yaml')|list }}" + _timer: "{{ _timer.splitlines() | map('from_yaml') | list }}" - name: Create systemd timer to upgrade Ansible. ansible.builtin.include_role: diff --git a/roles/debian/apt_repository/tasks/main.yml b/roles/debian/apt_repository/tasks/main.yml index 5d78f0853..df016422b 100644 --- a/roles/debian/apt_repository/tasks/main.yml +++ b/roles/debian/apt_repository/tasks/main.yml @@ -81,7 +81,7 @@ - name: Turn the timer string into a dictionary. ansible.builtin.set_fact: - _apt_repo_timer: "{{ _apt_repo_timer.splitlines()|map('from_yaml')|list }}" + _apt_repo_timer: "{{ _apt_repo_timer.splitlines() | map('from_yaml') | list }}" - name: Set up a systemd timer to refresh APT repository key. ansible.builtin.include_role: diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index fa94e8eaa..05611bf13 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml @@ -46,7 +46,7 @@ ansible.builtin.git: repo: "{{ ce_deploy.own_repository | default('https://github.com/codeenigma/ce-deploy.git') }}" dest: "{{ ce_deploy.local_dir }}" - version: "{{ ce_deploy.own_repository_branch | default('master') }}" + version: "{{ ce_deploy.own_repository_branch | default('master') }}" update: true accept_hostkey: true become: true 
@@ -57,7 +57,7 @@ repo: "{{ ce_deploy.config_repository }}" accept_hostkey: true dest: "{{ _ce_provision_build_tmp_dir }}/config" - version: "{{ ce_deploy.config_repository_branch | default('master') }}" + version: "{{ ce_deploy.config_repository_branch | default('master') }}" become: false delegate_to: localhost when: ce_deploy.config_repository is defined and ce_deploy.config_repository diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index 56c0b59b7..e1d35126e 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml @@ -84,7 +84,7 @@ ansible.builtin.git: repo: "{{ ce_provision.own_repository | default('https://github.com/codeenigma/ce-provision.git') }}" dest: "{{ ce_provision.local_dir }}" - version: "{{ ce_provision.own_repository_branch | default('master') }}" + version: "{{ ce_provision.own_repository_branch | default('master') }}" update: true accept_hostkey: true #@todo? become: true @@ -97,7 +97,7 @@ repo: "{{ ce_provision.config_repository }}" accept_hostkey: true dest: "{{ ce_provision.local_dir }}/config" - version: "{{ ce_provision.config_repository_branch | default('master') }}" + version: "{{ ce_provision.config_repository_branch | default('master') }}" become: true become_user: "{{ ce_provision.username }}" when: diff --git a/roles/debian/clamav/tasks/main.yml b/roles/debian/clamav/tasks/main.yml index 02e643781..eeaf31013 100644 --- a/roles/debian/clamav/tasks/main.yml +++ b/roles/debian/clamav/tasks/main.yml @@ -25,7 +25,7 @@ - name: Build a dictionary of timers for the systemd timers role. ansible.builtin.set_fact: - _clamav_timers: "{{ _clamav_timers | default({}) | combine( item ) }}" + _clamav_timers: "{{ _clamav_timers | default({}) | combine(item) }}" with_items: "{{ clamav.timers }}" when: clamav.timers | length > 0 diff --git a/roles/debian/docker_ce/tasks/main.yml b/roles/debian/docker_ce/tasks/main.yml index c189679a3..5a661682f 100644 
--- a/roles/debian/docker_ce/tasks/main.yml +++ b/roles/debian/docker_ce/tasks/main.yml @@ -31,7 +31,7 @@ - name: Add Docker repository to unattended-upgrades origins list. ansible.builtin.set_fact: - _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ docker_ce.apt_origin ] }}" + _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [docker_ce.apt_origin] }}" when: - apt_unattended_upgrades.enable is defined - apt_unattended_upgrades.enable diff --git a/roles/debian/gitlab/tasks/main.yml b/roles/debian/gitlab/tasks/main.yml index 93efbb545..f98820592 100644 --- a/roles/debian/gitlab/tasks/main.yml +++ b/roles/debian/gitlab/tasks/main.yml @@ -52,7 +52,7 @@ - name: Add GitLab repository to unattended-upgrades origins list. ansible.builtin.set_fact: - _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ gitlab.apt_origin ] }}" + _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab.apt_origin] }}" when: - apt_unattended_upgrades.enable is defined - apt_unattended_upgrades.enable @@ -75,7 +75,7 @@ name: debian/ssl when: gitlab.ssl.enabled vars: - ssl: "{{ gitlab.ssl | combine( { 'domain': gitlab.server_name } ) }}" + ssl: "{{ gitlab.ssl | combine({'domain': gitlab.server_name}) }}" - name: Copy Gitlab configuration file. ansible.builtin.template: diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml index 7c9c28dc7..745daadc9 100644 --- a/roles/debian/gitlab_runner/tasks/main.yml +++ b/roles/debian/gitlab_runner/tasks/main.yml 
@@ -22,7 +22,7 @@ - name: Add GitLab Runner repository to unattended-upgrades origins list. ansible.builtin.set_fact: - _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ gitlab_runner.apt_origin ] }}" + _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab_runner.apt_origin] }}" when: - apt_unattended_upgrades.enable is defined - apt_unattended_upgrades.enable diff --git a/roles/debian/mysql_server_oracle_ce/tasks/main.yml b/roles/debian/mysql_server_oracle_ce/tasks/main.yml index 72254acca..b427af88c 100644 --- a/roles/debian/mysql_server_oracle_ce/tasks/main.yml +++ b/roles/debian/mysql_server_oracle_ce/tasks/main.yml @@ -33,7 +33,7 @@ - name: Add MySQL repository to unattended-upgrades origins list. ansible.builtin.set_fact: - _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ mysql_server.apt_origin ] }}" + _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [mysql_server.apt_origin] }}" when: - apt_unattended_upgrades.enable is defined - apt_unattended_upgrades.enable diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index 445527bb0..5f6e7c7fe 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml 
@@ -51,7 +51,7 @@ nginx: # Main log stream for nginx (Cloudwatch). log_stream_name: example # We can only have one backend, due to the way we use "common" templates, moving this per domain means instead having templates per project type. # See php.fpm.unix_socket, if true use a socket here: - php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" + php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.', '') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" ratelimitingcrawlers: false client_max_body_size: "700M" fastcgi_read_timeout: 60 diff --git a/roles/debian/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml index a71b5a6c9..027659df7 100644 --- a/roles/debian/nodejs/tasks/main.yml +++ b/roles/debian/nodejs/tasks/main.yml @@ -51,7 +51,7 @@ - name: Add nodejs and yarn repositories to unattended-upgrades origins list. ansible.builtin.set_fact: - _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ nodejs.apt_origin_nodejs, nodejs.apt_origin_yarn ] }}" + _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [nodejs.apt_origin_nodejs, nodejs.apt_origin_yarn] }}" when: - apt_unattended_upgrades.enable is defined - apt_unattended_upgrades.enable diff --git a/roles/debian/php-common/tasks/main.yml b/roles/debian/php-common/tasks/main.yml index f26f21bac..15ff896a6 100644 --- a/roles/debian/php-common/tasks/main.yml +++ b/roles/debian/php-common/tasks/main.yml 
@@ -30,7 +30,7 @@ - name: Add Sury PHP repository to unattended-upgrades origins list. ansible.builtin.set_fact: - _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ php.apt_origin ] }}" + _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [php.apt_origin] }}" when: apt_unattended_upgrades.enable - name: Install the unattended-upgrades config. diff --git a/roles/debian/python_boto/tasks/main.yml b/roles/debian/python_boto/tasks/main.yml index efa4d0153..282f8ef4a 100644 --- a/roles/debian/python_boto/tasks/main.yml +++ b/roles/debian/python_boto/tasks/main.yml @@ -5,7 +5,7 @@ - name: Set specific boto3 version to install. ansible.builtin.set_fact: - _boto3_install_package: "boto3=={{ python_boto.boto3_version}}" + _boto3_install_package: "boto3=={{ python_boto.boto3_version }}" when: - python_boto.boto3_version | length > 0 diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml index c40faef68..96d38a867 100644 --- a/roles/debian/ssl/tasks/letsencrypt.yml +++ b/roles/debian/ssl/tasks/letsencrypt.yml @@ -7,7 +7,7 @@ - name: Set LetsEncrypt variables. ansible.builtin.set_fact: _ssl_web_server: "{{ ssl.web_server | default('standalone') }}" - _ssl_services: "{{ ssl.services | default ([]) }}" + _ssl_services: "{{ ssl.services | default([]) }}" # @todo - add support for Route 53 DNS plugin - name: "Ensure certbot-{{ _ssl_web_server }} plugin is installed." 
@@ -23,7 +23,7 @@ - name: Add key/cert pairs to know paths information. ansible.builtin.set_fact: - ssl_facts: "{{ ssl_facts | combine({ certificate_domain: { 'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '/fullchain.pem', 'key': _ssl_base_path + '/' + certificate_domain + '/privkey.pem' } }) }}" + ssl_facts: "{{ ssl_facts | combine({certificate_domain: {'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '/fullchain.pem', 'key': _ssl_base_path + '/' + certificate_domain + '/privkey.pem'}}) }}" with_items: "{{ _ssl_domains }}" loop_control: loop_var: certificate_domain diff --git a/roles/debian/ssl/tasks/main.yml b/roles/debian/ssl/tasks/main.yml index 2b4f7bcc9..fa2abe07e 100644 --- a/roles/debian/ssl/tasks/main.yml +++ b/roles/debian/ssl/tasks/main.yml @@ -9,7 +9,7 @@ - name: Catch legacy implementations with ssl.domain set. # @todo: this can be removed in a later release ansible.builtin.set_fact: - _ssl_domains: "{{ [ ssl.domain ] }}" + _ssl_domains: "{{ [ssl.domain] }}" when: ssl.domain is defined - name: Generates SSL keys. diff --git a/roles/debian/ssl/tasks/manual.yml b/roles/debian/ssl/tasks/manual.yml index 66d610450..aa2bd5f73 100644 --- a/roles/debian/ssl/tasks/manual.yml +++ b/roles/debian/ssl/tasks/manual.yml 
@@ -10,7 +10,7 @@ - name: Add key/cert pairs to know paths information. ansible.builtin.set_fact: - ssl_facts: "{{ ssl_facts | combine({ certificate_domain: { 'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '.cert', 'ca_certificate': _ssl_base_path + '/' + certificate_domain + '.CA.cert', 'key': _ssl_base_path + '/' + certificate_domain + '.key' } }) }}" + ssl_facts: "{{ ssl_facts | combine({certificate_domain: {'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '.cert', 'ca_certificate': _ssl_base_path + '/' + certificate_domain + '.CA.cert', 'key': _ssl_base_path + '/' + certificate_domain + '.key'}}) }}" with_items: "{{ _ssl_domains }}" loop_control: loop_var: certificate_domain diff --git a/roles/debian/ssl/tasks/selfsigned.yml b/roles/debian/ssl/tasks/selfsigned.yml index aee133dd6..28508d0c7 100644 --- a/roles/debian/ssl/tasks/selfsigned.yml +++ b/roles/debian/ssl/tasks/selfsigned.yml @@ -10,7 +10,7 @@ - name: Add key/cert pairs to know paths information. ansible.builtin.set_fact: - ssl_facts: "{{ ssl_facts | combine({ certificate_domain: { 'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '.cert', 'key': _ssl_base_path + '/' + certificate_domain + '.key' } }) }}" + ssl_facts: "{{ ssl_facts | combine({certificate_domain: {'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '.cert', 'key': _ssl_base_path + '/' + certificate_domain + '.key'}}) }}" with_items: "{{ _ssl_domains }}" loop_control: loop_var: certificate_domain diff --git a/roles/debian/ssl/tasks/unmanaged.yml b/roles/debian/ssl/tasks/unmanaged.yml index 37c55fb06..bad2a6833 100644 --- a/roles/debian/ssl/tasks/unmanaged.yml +++ b/roles/debian/ssl/tasks/unmanaged.yml 
@@ -1,7 +1,7 @@ --- - name: Add key/cert pairs to know paths information. ansible.builtin.set_fact: - ssl_facts: "{{ ssl_facts | combine({ certificate_domain:{ 'certificate': ssl.cert, 'key': ssl.key } }) }}" + ssl_facts: "{{ ssl_facts | combine({certificate_domain: {'certificate': ssl.cert, 'key': ssl.key}}) }}" with_items: "{{ _ssl_domains }}" loop_control: loop_var: certificate_domain diff --git a/roles/debian/varnish_config/tasks/main.yml b/roles/debian/varnish_config/tasks/main.yml index 7f8929355..362d33824 100644 --- a/roles/debian/varnish_config/tasks/main.yml +++ b/roles/debian/varnish_config/tasks/main.yml @@ -11,5 +11,5 @@ - "{{ _ce_provision_base_dir }}/config/files/templates/{{ varnish_config.template_filename }}.j2" - "default.vcl.j2" notify: - - reload systemd - - restart varnish + - Reload systemd + - Restart varnish From 913470995f3280d55a905f6cb7fa2e87e63b460a Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 21 May 2024 11:13:27 +0200 Subject: [PATCH 133/331] Updating-nginx-template (#1688) --- roles/debian/nginx/tasks/main.yml | 1 + roles/debian/nginx/templates/blank.j2 | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 roles/debian/nginx/templates/blank.j2 diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 270551a90..afce9a655 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -81,6 +81,7 @@ - symfony3_prod - symfony4 - wordpress + - blank - name: Ensure log dir exists. ansible.builtin.file: diff --git a/roles/debian/nginx/templates/blank.j2 b/roles/debian/nginx/templates/blank.j2 new file mode 100644 index 000000000..47768dd92 --- /dev/null +++ b/roles/debian/nginx/templates/blank.j2 @@ -0,0 +1,3 @@ +#location / { +#do something here +#} From 09f1332cdf336f9c3d40a517b4bb93b49c0cc486 Mon Sep 17 00:00:00 2001 
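Review bot: the `notify:` rename in roles/debian/varnish_config/tasks/main.yml (`reload systemd` -> `Reload systemd`, `restart varnish` -> `Restart varnish`) only works if the handlers are renamed identically; handler names are matched as exact strings and a notify that matches no handler errors out at runtime. The handler files are not in this diff, so please confirm the role's handlers (and any shared `Reload systemd` handler in other roles) were renamed in the same commit.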
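Review bot: the four `version:` hunks in roles/debian/ce_deploy/tasks/main.yml and roles/debian/ce_provision/tasks/main.yml show identical `-` and `+` lines, so the change is invisible in review (presumably trailing whitespace); a word in the commit message would help. While these lines are being touched: `default('master')` as the git `version` for the ce-deploy and ce-provision checkouts is a moving branch rather than a pinned tag or commit, so every self-update pulls whatever `master` currently is; consider a pinned default for the tooling that installs everything else.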
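Review bot: the task name `Add key/cert pairs to know paths information.` appears as context in all four roles/debian/ssl task files touched here (letsencrypt.yml, manual.yml, selfsigned.yml, unmanaged.yml) and reads `know` for `known`; since these set_fact lines are being reformatted anyway, fix the task name in the same pass.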
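Review bot: the new roles/debian/nginx/templates/blank.j2 contains only commented-out placeholder lines (`#location / {` ... `#}`) and neither the template nor the commit message says what the `blank` entry added to the template list in roles/debian/nginx/tasks/main.yml is for. Add a one-line comment at the top of blank.j2 stating the intended use (for instance a domain whose location config is supplied entirely elsewhere) so an operator selecting it knows it emits no location block.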
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 22 May 2024 05:24:13 +0200 Subject: [PATCH 134/331] Updating-aws_backup-to-register-iam-arn-2 (#1696) Co-authored-by: Matej Stajduhar --- roles/aws/aws_backup/tasks/resource.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml index efd063b96..c0c7277cf 100644 --- a/roles/aws/aws_backup/tasks/resource.yml +++ b/roles/aws/aws_backup/tasks/resource.yml @@ -33,7 +33,7 @@ - name: Set IAM role ARN for backups. ansible.builtin.set_fact: - _iam_role_arn: "{{ _aws_iam_role_result.arn }}" + _iam_role_arn: "{{ _aws_iam_role_result.iam_role.arn }}" when: aws_backup.backup.iam_role_arn == "Default" - name: Set IAM role ARN for backups. From e4f16ee63214ee07f85c867ce60ca7ee2d77f30f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 22 May 2024 05:51:26 +0200 Subject: [PATCH 135/331] Updating-nginx-htpasswd-task-2 (#1698) Co-authored-by: Matej Stajduhar --- roles/debian/nginx/tasks/domain.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/nginx/tasks/domain.yml b/roles/debian/nginx/tasks/domain.yml index 77229701e..f6116b1b1 100644 --- a/roles/debian/nginx/tasks/domain.yml +++ b/roles/debian/nginx/tasks/domain.yml @@ -32,7 +32,7 @@ # Create a basic htauth file if a username is supplied. - name: Create basic htauth file. - community.general.web_infrastructure.htpasswd: + community.general.htpasswd: path: "/etc/nginx/passwords/{{ domain.server_name }}.htpasswd" name: "{{ domain.basic_auth.auth_user }}" password: "{{ _nginx_htauth_pass }}" From c3913a9b2f37b7493d1456937c8caae772f9e91c Mon Sep 17 00:00:00 2001 
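Review bot: `_iam_role_arn: "{{ _aws_iam_role_result.iam_role.arn }}"` in roles/aws/aws_backup/tasks/resource.yml changes the key path into the IAM role module's return value, which means the result structure depends on the version of the collection that registered `_aws_iam_role_result`; record the minimum collection version this now requires (requirements.yml or the role docs), since on a collection returning the old shape the task fails with an undefined-attribute error. The `when: aws_backup.backup.iam_role_arn == "Default"` condition also never checks that `_aws_iam_role_result` is defined at all, so a short `is defined` guard would give a clearer failure.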
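Review bot: the FQCN fix `community.general.htpasswd` in roles/debian/nginx/tasks/domain.yml is correct, but the task passes `password: "{{ _nginx_htauth_pass }}"` and no `no_log: true` is visible in the hunk; without it the password shows up in `-v` output and in any task logging or callback plugin. Add `no_log: true` to this task, or confirm it is set in the lines outside the shown context.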
From: Greg Harvey Date: Wed, 22 May 2024 13:23:10 +0200 Subject: [PATCH 136/331] Bug fixes 2.x pr 2.x (#1702) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
--- roles/debian/lhci/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/debian/lhci/tasks/main.yml b/roles/debian/lhci/tasks/main.yml index a2a24d7f8..6c7a3a038 100644 --- a/roles/debian/lhci/tasks/main.yml +++ b/roles/debian/lhci/tasks/main.yml @@ -52,7 +52,7 @@ state: present - name: Install "lhci/cli" node.js package. - community.general.packaging.language.npm: + community.general.npm: name: "@lhci/cli" version: "{{ lhci.cli_version | default(omit) }}" state: "{{ lhci.cli_state | default(omit) }}" @@ -60,7 +60,7 @@ global: true - name: Install "lighthouse" node.js package. - community.general.packaging.language.npm: + community.general.npm: name: "lighthouse" version: "{{ lhci.lighthouse_version | default(omit) }}" state: "{{ lhci.lighthouse_state | default(omit) }}" From 76560e93fcefa393a9d12c5bcf598c19f6dc595f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 23 May 2024 09:49:32 +0200 Subject: [PATCH 137/331] r69424-Adding-resource-group-task (#1706) Co-authored-by: Matej Stajduhar --- roles/aws/aws_acl/tasks/bot_control.yml | 2 - roles/aws/aws_acl/tasks/create_acl.yml | 12 +- roles/aws/aws_acl/tasks/cyber_sec.yml | 171 ++++++------------ roles/aws/aws_acl/tasks/increase_priority.yml | 1 + .../tasks/env_resource_group.yml | 36 ++++ roles/aws/aws_resource_group/tasks/main.yml | 8 + .../tasks/resource_group.yml | 36 ++++ .../templates/env_res_query.j2 | 4 + .../aws_resource_group/templates/res_query.j2 | 4 + 9 files changed, 152 insertions(+), 122 deletions(-) create mode 100644 roles/aws/aws_resource_group/tasks/env_resource_group.yml create mode 100644 roles/aws/aws_resource_group/tasks/main.yml create mode 100644 roles/aws/aws_resource_group/tasks/resource_group.yml create mode 100644 roles/aws/aws_resource_group/templates/env_res_query.j2 create mode 100644 roles/aws/aws_resource_group/templates/res_query.j2 
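Review bot: the commit message lists some 36 changes (docs, systemd timers, pip handling, installing Ansible in a venv, ...) but the diff touches only the two npm FQCNs in roles/debian/lhci/tasks/main.yml; the squash-merge message should describe this change (`community.general.packaging.language.npm` -> `community.general.npm`) so the history stays searchable. Separately, both tasks install globally with `version: "{{ lhci.cli_version | default(omit) }}"` and `version: "{{ lhci.lighthouse_version | default(omit) }}"`, so when no version is set they pull whatever `@lhci/cli` and `lighthouse` are latest on npm at run time; a pinned default in the role defaults would make builds reproducible.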
diff --git a/roles/aws/aws_acl/tasks/bot_control.yml b/roles/aws/aws_acl/tasks/bot_control.yml index 66dca0626..5e8cdb730 100644 --- a/roles/aws/aws_acl/tasks/bot_control.yml +++ b/roles/aws/aws_acl/tasks/bot_control.yml @@ -113,8 +113,6 @@ ansible.builtin.set_fact: bot_control: name: bot_control -# action: -# block: {} override_action: none: {} visibility_config: diff --git a/roles/aws/aws_acl/tasks/create_acl.yml b/roles/aws/aws_acl/tasks/create_acl.yml index bba4a4b7d..404bcc805 100644 --- a/roles/aws/aws_acl/tasks/create_acl.yml +++ b/roles/aws/aws_acl/tasks/create_acl.yml @@ -11,7 +11,6 @@ - name: Increase priority and set dict for 1st rule. ansible.builtin.include_tasks: increase_priority.yml -# Priority is set to 0 here - name: Create IP set rules. ansible.builtin.include_tasks: ip_sets.yml when: @@ -37,7 +36,7 @@ cloud_watch_metrics_enabled: true metric_name: block_countries statement: - geo_match_statement: # Can't find the actual name, I got this from aws rule JSON formated + geo_match_statement: country_codes: "{{ _acl.rules.cc_block_list }}" - name: Append priority to rule. @@ -51,7 +50,6 @@ - name: Increase priority. ansible.builtin.include_tasks: increase_priority.yml -# Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int) - name: Set rate limit variable. when: - _acl.rules.rate_limit is defined @@ -85,13 +83,11 @@ - name: Increase priority. ansible.builtin.include_tasks: increase_priority.yml -# Priority is set to 4 here - name: Create Bot Control rule. when: _acl.rules.botControl is defined ansible.builtin.include_tasks: file: bot_control.yml -# Priority is set to 5 here - name: Create regular rules. ansible.builtin.include_tasks: regular_rule.yml when: 
@@ -103,11 +99,13 @@ - name: Create CyberSecurityCloudInc rule. ansible.builtin.include_tasks: cyber_sec.yml - when: _acl.rules.cyber_sec is defined + when: + - _acl.rules.cyber_sec is defined + - _acl.rules.cyber_sec - name: Create web acl. community.aws.wafv2_web_acl: - name: "{{ _acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ + name: "{{ _acl.name }}" description: "{{ _acl.description }}" scope: "{{ _acl.scope }}" region: "{{ _acl.region }}" diff --git a/roles/aws/aws_acl/tasks/cyber_sec.yml b/roles/aws/aws_acl/tasks/cyber_sec.yml index 978213b30..deb556e3e 100644 --- a/roles/aws/aws_acl/tasks/cyber_sec.yml +++ b/roles/aws/aws_acl/tasks/cyber_sec.yml 
@@ -1,113 +1,58 @@ -#{ -# "Name": "CyberSecurityCloudInc-CyberSecurityCloud-HighSecurityOWASPSet-", -# "Priority": 7, -# "Statement": { -# "ManagedRuleGroupStatement": { -# "VendorName": "Cyber Security Cloud Inc.", -# "Name": "CyberSecurityCloud-HighSecurityOWASPSet-", -# "ExcludedRules": [ -# { -# "Name": "bad_useragent-header-001" -# }, -# { -# "Name": "cookie-body-001" -# }, -# { -# "Name": "cookie-qs-001" -# }, -# { -# "Name": "drupal-multi-001" -# }, -# { -# "Name": "drupal-multi-002" -# }, -# { -# "Name": "joomla-multi-001" -# }, -# { -# "Name": "ldapi-url-001" -# }, -# { -# "Name": "nosqli-body-001" -# }, -# { -# "Name": "nosqli-qs-001" -# }, -# { -# "Name": "oracle-multi-001" -# }, -# { -# "Name": "oscommandi-body-001" -# }, -# { -# "Name": "oscommandi-qs-001" -# }, -# { -# "Name": "pathtraversal-body-001" -# }, -# { -# "Name": "pathtraversal-qs-001" -# }, -# { -# "Name": "pathtraversal-url-001" -# }, -# { -# "Name": "rails-header-001" -# }, -# { -# "Name": "sqli-body-001" -# }, -# { -# "Name": "sqli-body-002" -# }, -# { -# "Name": "sqli-qs-001" -# }, -# { -# "Name": "sqli-qs-002" -# }, -# { -# "Name": "sqli-url-001" -# }, -# { -# "Name": "ssrf-multi-001" -# }, -# { -# "Name": "struts-multi-001" -# }, -# { -# "Name": "struts-multi-002" -# }, -# { -# "Name": "struts-multi-003" -# }, -# { -# "Name": "suspicious_access-url-001" -# }, -# { -# "Name": "tomcat-multi-001" -# }, -# { -# "Name": "xss-body-001" -# }, -# { -# "Name": "xss-qs-001" -# }, -# { -# "Name": "xxe-ssci-body-001" -# }, -# { -# "Name": "xxe-ssci-qs-001" -# } -# ] -# } -# }, -# "OverrideAction": { -# "None": {} -# }, -# "VisibilityConfig": { -# "SampledRequestsEnabled": true, -# "CloudWatchMetricsEnabled": true, -# "MetricName": "CyberSecurityCloudInc-CyberSecurityCloud-HighSecurityOWASPSet-" -# } -#} +--- +- name: Create regular rule + ansible.builtin.set_fact: + cyber_sec_rule: + name: "CyberSecurityCloud-HighSecurityOWASPSet" + override_action: + none: {} + visibility_config: + 
sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "CyberSecurityCloud-HighSecurityOWASPSet" + statement: + managed_rule_group_statement: + vendor_name: "Cyber Security Cloud Inc." + name: "CyberSecurityCloud-HighSecurityOWASPSet-" + excluded_rules: + - name: "bad_useragent-header-001" + - name: "cookie-body-001" + - name: "cookie-qs-001" + - name: "drupal-multi-001" + - name: "drupal-multi-002" + - name: "joomla-multi-001" + - name: "ldapi-url-001" + - name: "nosqli-body-001" + - name: "nosqli-qs-001" + - name: "oracle-multi-001" + - name: "oscommandi-body-001" + - name: "oscommandi-qs-001" + - name: "pathtraversal-body-001" + - name: "pathtraversal-qs-001" + - name: "pathtraversal-url-001" + - name: "rails-header-001" + - name: "sqli-body-001" + - name: "sqli-body-002" + - name: "sqli-qs-001" + - name: "sqli-qs-002" + - name: "sqli-url-001" + - name: "ssrf-multi-001" + - name: "struts-multi-001" + - name: "struts-multi-002" + - name: "struts-multi-003" + - name: "suspicious_access-url-001" + - name: "tomcat-multi-001" + - name: "xss-body-001" + - name: "xss-qs-001" + - name: "xxe-ssci-body-001" + - name: "xxe-ssci-qs-001" + +- name: Append priority to rule. + ansible.builtin.set_fact: + cyber_sec_rule: "{{ cyber_sec_rule | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [cyber_sec_rule] }}" + +- name: Increase priority. + ansible.builtin.include_tasks: increase_priority.yml diff --git a/roles/aws/aws_acl/tasks/increase_priority.yml b/roles/aws/aws_acl/tasks/increase_priority.yml index 1d305ab25..8085e0d07 100644 --- a/roles/aws/aws_acl/tasks/increase_priority.yml +++ b/roles/aws/aws_acl/tasks/increase_priority.yml @@ -1,3 +1,4 @@ +--- - name: Increase counter ansible.builtin.set_fact: _priority: "{{ _priority | default(0) | int + 1 }}" 
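Review bot: `excluded_rules` in the `Create regular rule` task lists every one of the 31 rules in the `CyberSecurityCloud-HighSecurityOWASPSet-` group (SQLi, XSS, path traversal, SSRF, OS command injection, XXE and the rest). In WAFv2 an excluded rule in a managed rule group is evaluated in Count mode, so as written this rule group logs matches but blocks nothing. If a count-only tuning phase is intended, say so in a comment and in the aws_acl README, and make the list a role variable defaulting to `[]` so a site can switch to blocking without editing the role. The rule `name`/`metric_name` (`CyberSecurityCloud-HighSecurityOWASPSet`) and the managed group `name` (`CyberSecurityCloud-HighSecurityOWASPSet-`, trailing hyphen) differ; confirm the vendor's group name really carries the hyphen. `Create regular rule` is a misleading task name for a managed rule group and, like `Add rule to list`, lacks the trailing full stop the other tasks use. In `increase_priority.yml`, `_priority` is stored as a string by `set_fact`; that is fine only as long as every consumer pipes it through `| int`, as this task does.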
diff --git a/roles/aws/aws_resource_group/tasks/env_resource_group.yml b/roles/aws/aws_resource_group/tasks/env_resource_group.yml new file mode 100644 index 000000000..76650d3d6 --- /dev/null +++ b/roles/aws/aws_resource_group/tasks/env_resource_group.yml @@ -0,0 +1,36 @@ +--- +- name: Get resource group + ansible.builtin.command: "aws resource-groups get-group --group-name {{ _env_type }}_resource_group --region {{ _aws_region }}" # --profile dummy + register: _res_group + failed_when: "('Cannot find group' not in _res_group.stderr) and (_res_group.stderr != '')" + +- name: Create resource group if not existant + when: _res_group.stderr != '' + block: + - name: Remove resource query file + ansible.builtin.file: + path: /home/controller/env_res_query.json + state: absent + + - name: Create resource query file + ansible.builtin.template: + src: templates/env_res_query.j2 + dest: /home/controller/env_res_query.json + + - name: Create resource group + ansible.builtin.command: > + aws resource-groups create-group + --name {{ _env_type }}_resource_group + --resource-query file:///home/controller/env_res_query.json + --region {{ _aws_region }} + --description "Resource group for {{ _env_type }} environment." + +- name: Update resource group if it exist + when: _res_group.stderr == '' + block: + - name: Create resource group + ansible.builtin.command: > + aws resource-groups update-group + --group-name {{ _env_type }}_resource_group + --region {{ _aws_region }} + --description "Resource group for {{ _env_type }} environment." diff --git a/roles/aws/aws_resource_group/tasks/main.yml b/roles/aws/aws_resource_group/tasks/main.yml new file mode 100644 index 000000000..dff5e22bf --- /dev/null +++ b/roles/aws/aws_resource_group/tasks/main.yml 
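Review bot: the existence test in `Get resource group` keys off `stderr`, not the exit code: `failed_when` fails only when stderr is non-empty and lacks `Cannot find group`, and both following blocks branch on `_res_group.stderr != ''`. Any warning the AWS CLI writes to stderr (deprecation or update notices, credential warnings) is therefore read as "group missing" and leads to `create-group` against an existing group, or fails the play. Branch on `_res_group.rc` and keep the `Cannot find group` match only for the not-found case. Also in this hunk: `update-group` changes the description only, so an existing group whose tag query has changed is never brought in line (that needs `update-group-query`); the task named `Create resource group` inside the `Update resource group if it exist` block should be `Update resource group`; `/home/controller/env_res_query.json` is a hard-coded path where the rest of the roles use variables; the `# --profile dummy` remnant shows `_aws_profile`, documented as required for AWS roles, is never passed, so the command uses whatever `AWS_PROFILE` or default credentials the controller happens to have; and `existant` / `if it exist` should read `existent` / `if it exists`. Every `ansible.builtin.command` task here also reports `changed` on each run, so the role is not idempotent.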
@@ -0,0 +1,8 @@ +--- +- name: Run tasks for environment build + ansible.builtin.include_tasks: env_resource_group.yml + when: _aws_resource_name is not defined + +#- name: Run tasks for resource build +# ansible.builtin.include_tasks: resource_group.yml +# when: _aws_resource_name is defined diff --git a/roles/aws/aws_resource_group/tasks/resource_group.yml b/roles/aws/aws_resource_group/tasks/resource_group.yml new file mode 100644 index 000000000..02b0c0676 --- /dev/null +++ b/roles/aws/aws_resource_group/tasks/resource_group.yml @@ -0,0 +1,36 @@ +--- +- name: Get resource group + ansible.builtin.command: "aws resource-groups get-group --group-name {{ _aws_resource_name }}_resource_group --region {{ _aws_region }}" # --profile dummy + register: _res_group + failed_when: "('Cannot find group' not in _res_group.stderr) and (_res_group.stderr != '')" + +- name: Create resource group if not existant + when: _res_group.stderr != '' + block: + - name: Remove resource query file + ansible.builtin.file: + path: /home/controller/res_query.json + state: absent + + - name: Create resource query file + ansible.builtin.template: + src: templates/res_query.j2 + dest: /home/controller/res_query.json + + - name: Create resource group + ansible.builtin.command: > + aws resource-groups create-group + --name {{ _aws_resource_name }}_resource_group + --resource-query file:///home/controller/res_query.json + --region {{ _aws_region }} + --description "Resource group for {{ _aws_resource_name }}" + +- name: Update resource group if it exist + when: _res_group.stderr == '' + block: + - name: Create resource group + ansible.builtin.command: > + aws resource-groups update-group + --group-name {{ _aws_resource_name }}_resource_group + --region {{ _aws_region }} + --description "Resource group for {{ _aws_resource_name }}" 
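Review bot: `resource_group.yml` is shipped while its include in `main.yml` is commented out, and the file is a copy of `env_resource_group.yml` with `_aws_resource_name` in place of `_env_type` (same `stderr`-based existence test, same `update-group` limitation, same hard-coded `/home/controller/` path, same typos). Parameterise one task file on group name, template and description and include it twice rather than maintaining two copies. Before enabling the include, fix `templates/res_query.j2`: the template hunk that follows shows it is byte-identical to `env_res_query.j2` (same blob `b49bb0458`) and filters on `\"Key\":\"Env\"` with `_env_type`, so a group called `<resource>_resource_group` would collect every resource in the environment, not the ones belonging to that resource. In both templates a Jinja value is interpolated into a hand-escaped JSON string nested inside JSON; build the query as a dict and render it with `to_json` so a value containing a quote cannot break the document.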
diff --git a/roles/aws/aws_resource_group/templates/env_res_query.j2 b/roles/aws/aws_resource_group/templates/env_res_query.j2 new file mode 100644 index 000000000..b49bb0458 --- /dev/null +++ b/roles/aws/aws_resource_group/templates/env_res_query.j2 @@ -0,0 +1,4 @@ +{ + "Type": "TAG_FILTERS_1_0", + "Query": "{\"ResourceTypeFilters\":[\"AWS::AllSupported\"],\"TagFilters\":[{\"Key\":\"Env\", \"Values\":[\"{{ _env_type }}\"]}]}" +} diff --git a/roles/aws/aws_resource_group/templates/res_query.j2 b/roles/aws/aws_resource_group/templates/res_query.j2 new file mode 100644 index 000000000..b49bb0458 --- /dev/null +++ b/roles/aws/aws_resource_group/templates/res_query.j2 @@ -0,0 +1,4 @@ +{ + "Type": "TAG_FILTERS_1_0", + "Query": "{\"ResourceTypeFilters\":[\"AWS::AllSupported\"],\"TagFilters\":[{\"Key\":\"Env\", \"Values\":[\"{{ _env_type }}\"]}]}" +} From 872aa49d8c2a8354be07b27ca07ae6298dba39cb Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Fri, 24 May 2024 12:34:46 +0200 Subject: [PATCH 138/331] Adding lock file behaviour to ce-provision. (#1708) * Adding lock file behaviour to ce-provision. * Updating documentation. * Adding extra lock file handling for ASG EC2 machines. * Moving lock file paths to variables. * Adding docs about connection management. * Fixing placement of lock files on ASGs. * Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone). * Adding in a lock file removal if we do not replace the ASG. --- docs/roles.md | 11 ++- docs/roles/_init.md | 2 + docs/roles/aws.md | 89 +++++++++++++++++++ docs/roles/aws/aws_acl.md | 57 ++++++------ docs/roles/debian/nginx.md | 2 +- roles/README.md | 11 ++- roles/_exit/tasks/main.yml | 5 ++ roles/_init/README.md | 2 + roles/_init/defaults/main.yml | 2 + roles/_init/tasks/main.yml | 22 ++++- roles/aws/README.md | 89 +++++++++++++++++++ roles/aws/aws_acl/README.md | 11 +-- .../aws_ec2_autoscale_cluster/tasks/main.yml | 37 ++++++++ roles/debian/nginx/README.md | 2 +- 14 files changed, 298 insertions(+), 44 deletions(-) diff --git a/docs/roles.md b/docs/roles.md index ebb5ead67..74cb10f9c 100644 --- a/docs/roles.md +++ b/docs/roles.md 
@@ -1,10 +1,17 @@ # Roles Ansible roles and group of roles that constitute the deploy stack. + -# Required variables for AWS roles -You must pass the following variables into an Ansible play before running it with ce-provision if you intend to use the AWS subset of roles: +## Required variables +All environments require the following variable to be set by CI or at the terminal command: +* `_env_type` - the type of environment, e.g. development, production, etc. +## Required variables for AWS roles +You must pass the following additional variables into an Ansible play before running it with ce-provision if you intend to use the AWS subset of roles: * `_aws_profile` - the Boto3 profile to use * `_aws_region` - the AWS region to act in +* `_aws_resource_name` - the name of the variables directory, which will match the Ansible host group created by the AWS discovery plugin + +Please also read carefully the AWS README file at `docs/roles/AWS.md`. diff --git a/docs/roles/_init.md b/docs/roles/_init.md index 4abd58990..2770a4ada 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md @@ -25,6 +25,8 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false + lock_file: /tmp/ce-provision-lock + deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy ce_provision_version: 2.x # Outputted by the _init role at the start of plays. # Although these variables logically belong with ce_provision, the _init role needs to diff --git a/docs/roles/aws.md b/docs/roles/aws.md index 0fb65158e..aa8456d4c 100644 --- a/docs/roles/aws.md +++ b/docs/roles/aws.md 
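Review bot: the `docs/roles.md` hunk points readers at `docs/roles/AWS.md`, but the file added in this same patch is `docs/roles/aws.md`; on a case-sensitive filesystem and in rendered GitHub docs that link is dead, so change it to `docs/roles/aws.md`. In the `_init.md` hunk the new defaults `lock_file: /tmp/ce-provision-lock` and `deploy_lock_file: /tmp/ce-deploy-lock` put the locks in a world-writable directory: any local user on the target can create `/tmp/ce-deploy-lock` and every later ce-provision run aborts at the `Abort if ce-deploy lock file exists.` check, and a symlink planted at `/tmp/ce-provision-lock` is followed by the later `state: touch` / `mode: 0644` task. Prefer a root-owned directory such as `/run/lock/` or `/var/lock/`, and keep the note that the path must match `lock_file` in ce-deploy.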
@@ -1,7 +1,96 @@ # AWS Infrastructure +These roles help you manage assets in AWS. Because these roles are AWS specific, you should not try to use them in a non-AWS environment. There are also some quite specific variables we expect to exist, specifically: + +* `_aws_region` +* `_aws_profile` +* `_aws_resource_name` + +## Hosts and groups handling +These roles assume you use the AWS EC2 inventory plugin to automatically build inventory: +* https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_ec2_inventory.html + +This can be loaded via your `ansible.cfg` file in your config repository. + +You should place a file called `aws_ec2.yml` in the `hosts` directory of your config repository. Our standard file looks like this: + +```yaml +plugin: amazon.aws.aws_ec2 +filters: + tag:Ansible: managed +keyed_groups: + - key: tags.Name + prefix: "" + - key: tags.Env + prefix: "" + - key: tags.Profile + prefix: "" + - key: tags.Infra + prefix: "" +``` + +### How it works +The plugin is loading all EC2 instances that are tagged with `Ansible: managed` and then grouping them by the tags `Name`, `Env`, `Profile` and `Infra`. 
Any hyphens in tags are automatically converted to underscores, and the prefixing convention is taken from the default behaviour of the `ansible.builtin.constructed` plugin, which you can read here - note specifically the `leading_separator` parameter and its documentation: +* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/constructed_inventory.html#parameter-leading_separator + +Consequently, because we group all infra by the `Name` tag, effectively our inventory will always contain a group consisting of the name of that machine, prefixed with an underscore, for example the server named `web1-example-com` would end up in a group of one instance like this: + +``` + |--@_web1_example_com: + | |--ec2-1-112-233-9.eu-west-1.compute.amazonaws.com +``` + +In this way we can act on a specific host or group of hosts by invoking its unique group, for example you can use a line like this at the top of your infrastructure plays to load the target(s) using a group name: + +```yaml +- hosts: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + become: true +``` + +### Debugging and viewing hosts +You can view the graphed *default* infrastructure from the command line of a controller with a command like this when logged in as the `ce-provision` user, usually `controller`: + +``` +ansible-inventory -i ~/ce-provision/hosts/aws_ec2.yml --graph +``` + +If you wanted to see the inventory for another boto profile you need to set the `AWS_PROFILE` environment variable. For example, this would graph the `acme` profile's inventory: + +``` +AWS_PROFILE=acme ansible-inventory -i ~/ce-provision/hosts/aws_ec2.yml --graph +``` + +You will note there are other groupings, for example you can call all the `_prod` infrastructure because there is also a grouping against the `Env` tag, or you can call all the `_web` servers because they are also grouped by `Profile`, and so on. 
+ +### Unmanaged infra +If you want a host that is not tagged with `Ansible: managed` in AWS, or indeed not in AWS at all, to be "known" to Ansible you need to add it to `hosts.yml` in your config repo. + +### Using group_vars +Once you understand this, the `group_vars` directory within your config repository starts to make sense. You can set variables that apply to any group that gets created automatically by the inventory plugin, for example, if you have a test infrastructure called `test` you can have a `hosts/group_vars/_test` folder containing variables which will apply to *every single server* in the `test` infra and take precedence over the defaults, which you can define in `hosts/group_vars/all`. Similarly we might have a `_production` folder containing variables for every server tagged in a `production` environment, regardless of infra. + +You can play with tags in your plugin config to create the combinations and groupings you need. + +## Connection types +There are two different patterns for acting on AWS infrastructure. When you are connecting to an existing server and manipulating the standard packages, such as you would with any other server, you can make your playbook start like this for auto-discovery: + +```yaml +- hosts: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + become: true +``` + +However, when you are *building* AWS infrastructure and manipulating things via the AWS API, most of your actions need to occur on the controller, because your individual servers do not have the AWS API credentials. To achieve this, while retaining the necessary group variables, we use this pattern: + +```yaml +- hosts: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + connection: local + become: false +``` + +The last two lines are very important, `connection: local` tells Ansible to stay on the controller and `become: false` tells it to stay as the `controller` user which has the AWS credentials available to it. 
+ +If you need to carry out tasks on the remote server(s) during an AWS infrastructure build you will need to set `connection: ssh` on a task level so the action occurs on the intended target. diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md index 2fb609ca9..a318bad7b 100644 --- a/docs/roles/aws/aws_acl.md +++ b/docs/roles/aws/aws_acl.md @@ -9,35 +9,38 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa ```yaml --- aws_acl: - - rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - acl_rules: - name: example_master_acl # Name of the ACL - description: "Master ACL for CF" - scope: CLOUDFRONT # Can be REGIONAL for ALBs - tags: {} - - botControl: false # Set to true to apply bot control - inspection: "COMMON" # or set to TARGETED inspection level - - ip_allow: - name: "Allowed-ips" - list: [] - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 - - ip_block: - name: "Blocked-ips" - list: [] - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 + - name: example_master_acl + description: "Master ACL for CF" + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: "us-east-1" + tags: {} + rules: + rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + + ip_sets: + - name: "Allowed-ips-example" + action: allow + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 + - name: "Blocked-ips-example" + action: block + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 cc_block_list: [] - #- BY # Belarus - #- CN # China - #- IR # Iran - #- SA # Saudi Arabia + + regular_rules: + - name: allow_panels + action: allow + string: "panels/ajax" + position: "CONTAINS" + +# cyber_sec: #Need to implement task ``` 
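Review bot: `# cyber_sec: #Need to implement task` in the `aws_acl.md` example is stale: `roles/aws/aws_acl/tasks/cyber_sec.yml` exists and `tasks/main.yml` includes it whenever `_acl.rules.cyber_sec` is truthy, so document the key as `cyber_sec: true` and state what it adds, including that the exclusion list is hard-coded in the role. Same hunk: `addign` should read `adding`. In the `aws.md` hunk the inventory section uses `_prod` and the group_vars section uses `_production` as the example `Env` group; pick one so readers do not think two tags are involved. The `Connection types` section should also warn that a play using `connection: local`, as recommended there for infrastructure builds, runs the `_init` lock-file `stat` against the controller rather than the target; that is the gap the `aws_ec2_autoscale_cluster` role works around further down with `connection: ssh`, and it applies to any `connection: local` play, not only ASGs.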
diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 4ac7b8601..3b63015da 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md @@ -63,7 +63,7 @@ nginx: # Main log stream for nginx (Cloudwatch). log_stream_name: example # We can only have one backend, due to the way we use "common" templates, moving this per domain means instead having templates per project type. # See php.fpm.unix_socket, if true use a socket here: - php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" + php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.', '') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" ratelimitingcrawlers: false client_max_body_size: "700M" fastcgi_read_timeout: 60 diff --git a/roles/README.md b/roles/README.md index ebb5ead67..74cb10f9c 100644 --- a/roles/README.md +++ b/roles/README.md @@ -1,10 +1,17 @@ # Roles Ansible roles and group of roles that constitute the deploy stack. + -# Required variables for AWS roles -You must pass the following variables into an Ansible play before running it with ce-provision if you intend to use the AWS subset of roles: +## Required variables +All environments require the following variable to be set by CI or at the terminal command: +* `_env_type` - the type of environment, e.g. development, production, etc. +## Required variables for AWS roles +You must pass the following additional variables into an Ansible play before running it with ce-provision if you intend to use the AWS subset of roles: * `_aws_profile` - the Boto3 profile to use * `_aws_region` - the AWS region to act in +* `_aws_resource_name` - the name of the variables directory, which will match the Ansible host group created by the AWS discovery plugin + +Please also read carefully the AWS README file at `docs/roles/AWS.md`. 
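Review bot: `roles/README.md` carries the same `docs/roles/AWS.md` reference as `docs/roles.md` (the two hunks are identical, `ebb5ead67..74cb10f9c`), while the file being added is `roles/aws/README.md` / `docs/roles/aws.md`; fix the case in the source README so the generated docs copy inherits the fix. The `nginx.md` hunk adds a space in `replace('.', '')` on the active value but the comment on the same line still reads `replace('.','')`; harmless, but make the two consistent.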
diff --git a/roles/_exit/tasks/main.yml b/roles/_exit/tasks/main.yml index d39e7751c..7cf1901a5 100644 --- a/roles/_exit/tasks/main.yml +++ b/roles/_exit/tasks/main.yml @@ -18,3 +18,8 @@ ansible.builtin.apt: autoremove: true become: true + +- name: Delete the lock file. + ansible.builtin.file: + path: "{{ _init.lock_file }}" + state: absent diff --git a/roles/_init/README.md b/roles/_init/README.md index 4abd58990..2770a4ada 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md @@ -25,6 +25,8 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false + lock_file: /tmp/ce-provision-lock + deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy ce_provision_version: 2.x # Outputted by the _init role at the start of plays. # Although these variables logically belong with ce_provision, the _init role needs to diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index 5e38419ea..d267a49e7 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml @@ -15,6 +15,8 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false + lock_file: /tmp/ce-provision-lock + deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy ce_provision_version: 2.x # Outputted by the _init role at the start of plays. # Although these variables logically belong with ce_provision, the _init role needs to diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml index 41ad78d11..485fdfa5f 100644 --- a/roles/_init/tasks/main.yml +++ b/roles/_init/tasks/main.yml 
@@ -3,13 +3,33 @@ ansible.builtin.debug: msg: "Using ce-provision {{ _init.ce_provision_version }}" +# See roles/aws/aws_ec2_autoscale_cluster for lock handling in ASGs. +- name: Check for a ce-deploy lock file. + ansible.builtin.stat: + path: "{{ _init.deploy_lock_file }}" + register: _ce_deploy_lock + +- name: Abort if ce-deploy lock file exists. + when: _ce_deploy_lock.stat.exists is defined and _ce_deploy_lock.stat.exists + block: + - name: Abort if ce-deploy lock file is found. + ansible.builtin.debug: + msg: "ce-deploy lock file discovered, a deployment is in progress! If this is not the case, login to the affected server and delete the file at {{ _init.deploy_lock_file }}." + - ansible.builtin.meta: end_play + - name: Check OS family. when: ansible_os_family != "Debian" block: - name: Abort if target is not a Debian server. ansible.builtin.debug: msg: "ce-provision currently only supports Debian based distributions of Linux." - - ansible.builtin.meta: end_host + - ansible.builtin.meta: end_play + +- name: Set a lock file. + ansible.builtin.file: + path: "{{ _init.lock_file }}" + state: touch + mode: 0644 # Load Linux services into ansible_facts.services. - name: Populate service facts diff --git a/roles/aws/README.md b/roles/aws/README.md index 0fb65158e..aa8456d4c 100644 --- a/roles/aws/README.md +++ b/roles/aws/README.md 
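Review bot: changing `- ansible.builtin.meta: end_host` to `end_play` in the `Check OS family.` block of `_init/tasks/main.yml` alters behaviour for mixed inventories: one non-Debian host now stops the play for every host instead of being skipped. If that is deliberate, say so in the README; otherwise keep `end_host` there and reserve `end_play` for the lock case. On the lock itself: `Check for a ce-deploy lock file.` followed by `Set a lock file.` is check-then-act, so two runs started close together both pass; `_exit` removes `_init.lock_file` only when the play completes, so any failed task leaves a stale `/tmp/ce-provision-lock` behind (use a `block` with `always` at play level, or document the manual removal the abort message already asks for). The abort path is `debug` plus `end_play`, which exits 0, so CI reports a green run when nothing was provisioned; `ansible.builtin.fail` would surface it. Quote the mode (`mode: '0644'`) to satisfy ansible-lint's octal check, and see the earlier note about keeping the lock out of `/tmp`.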
@@ -1,7 +1,96 @@ # AWS Infrastructure +These roles help you manage assets in AWS. Because these roles are AWS specific, you should not try to use them in a non-AWS environment. There are also some quite specific variables we expect to exist, specifically: + +* `_aws_region` +* `_aws_profile` +* `_aws_resource_name` + +## Hosts and groups handling +These roles assume you use the AWS EC2 inventory plugin to automatically build inventory: +* https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_ec2_inventory.html + +This can be loaded via your `ansible.cfg` file in your config repository. + +You should place a file called `aws_ec2.yml` in the `hosts` directory of your config repository. Our standard file looks like this: + +```yaml +plugin: amazon.aws.aws_ec2 +filters: + tag:Ansible: managed +keyed_groups: + - key: tags.Name + prefix: "" + - key: tags.Env + prefix: "" + - key: tags.Profile + prefix: "" + - key: tags.Infra + prefix: "" +``` + +### How it works +The plugin is loading all EC2 instances that are tagged with `Ansible: managed` and then grouping them by the tags `Name`, `Env`, `Profile` and `Infra`. 
Any hyphens in tags are automatically converted to underscores, and the prefixing convention is taken from the default behaviour of the `ansible.builtin.constructed` plugin, which you can read here - note specifically the `leading_separator` parameter and its documentation: +* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/constructed_inventory.html#parameter-leading_separator + +Consequently, because we group all infra by the `Name` tag, effectively our inventory will always contain a group consisting of the name of that machine, prefixed with an underscore, for example the server named `web1-example-com` would end up in a group of one instance like this: + +``` + |--@_web1_example_com: + | |--ec2-1-112-233-9.eu-west-1.compute.amazonaws.com +``` + +In this way we can act on a specific host or group of hosts by invoking its unique group, for example you can use a line like this at the top of your infrastructure plays to load the target(s) using a group name: + +```yaml +- hosts: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + become: true +``` + +### Debugging and viewing hosts +You can view the graphed *default* infrastructure from the command line of a controller with a command like this when logged in as the `ce-provision` user, usually `controller`: + +``` +ansible-inventory -i ~/ce-provision/hosts/aws_ec2.yml --graph +``` + +If you wanted to see the inventory for another boto profile you need to set the `AWS_PROFILE` environment variable. For example, this would graph the `acme` profile's inventory: + +``` +AWS_PROFILE=acme ansible-inventory -i ~/ce-provision/hosts/aws_ec2.yml --graph +``` + +You will note there are other groupings, for example you can call all the `_prod` infrastructure because there is also a grouping against the `Env` tag, or you can call all the `_web` servers because they are also grouped by `Profile`, and so on. 
+ +### Unmanaged infra +If you want a host that is not tagged with `Ansible: managed` in AWS, or indeed not in AWS at all, to be "known" to Ansible you need to add it to `hosts.yml` in your config repo. + +### Using group_vars +Once you understand this, the `group_vars` directory within your config repository starts to make sense. You can set variables that apply to any group that gets created automatically by the inventory plugin, for example, if you have a test infrastructure called `test` you can have a `hosts/group_vars/_test` folder containing variables which will apply to *every single server* in the `test` infra and take precedence over the defaults, which you can define in `hosts/group_vars/all`. Similarly we might have a `_production` folder containing variables for every server tagged in a `production` environment, regardless of infra. + +You can play with tags in your plugin config to create the combinations and groupings you need. + +## Connection types +There are two different patterns for acting on AWS infrastructure. When you are connecting to an existing server and manipulating the standard packages, such as you would with any other server, you can make your playbook start like this for auto-discovery: + +```yaml +- hosts: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + become: true +``` + +However, when you are *building* AWS infrastructure and manipulating things via the AWS API, most of your actions need to occur on the controller, because your individual servers do not have the AWS API credentials. To achieve this, while retaining the necessary group variables, we use this pattern: + +```yaml +- hosts: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + connection: local + become: false +``` + +The last two lines are very important, `connection: local` tells Ansible to stay on the controller and `become: false` tells it to stay as the `controller` user which has the AWS credentials available to it. 
+ +If you need to carry out tasks on the remote server(s) during an AWS infrastructure build you will need to set `connection: ssh` on a task level so the action occurs on the intended target. diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index 535ab39e4..a318bad7b 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -5,10 +5,9 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa -## Default variables for creation of ACL (pass it as a list) +## Default variables ```yaml --- ---- aws_acl: - name: example_master_acl description: "Master ACL for CF" @@ -42,15 +41,7 @@ aws_acl: position: "CONTAINS" # cyber_sec: #Need to implement task -``` -## Default variables for assigning ACL to CF or ALB -```yaml ---- -aws_acl: - name: example_master_acl # Name of the ACL to apply - scope: CLOUDFRONT # Can be REGIONAL for ALBs - region: "us-east-1" ``` diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index 45f0479e9..e6abb61fd 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml 
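Review bot: the `aws_acl/README.md` hunk deletes the `Default variables for assigning ACL to CF or ALB` section (the `name` / `scope` / `region` example) without a replacement, so the role docs no longer say how an existing ACL is attached to a CloudFront distribution or ALB; if that now lives in another role's README, link to it, otherwise keep the section. `# cyber_sec: #Need to implement task` survives here too and is out of date for the same reason as in `docs/roles/aws/aws_acl.md`. The `roles/aws/README.md` hunk is the source for `docs/roles/aws.md` and carries the same `_prod` / `_production` inconsistency and the same missing `connection: local` caveat noted there.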
@@ -1,3 +1,30 @@ +--- +# With ASGs the lock behaviour in _init will not work, we need to do it here. +- name: Check for a ce-deploy lock file. + ansible.builtin.stat: + path: "{{ _init.deploy_lock_file }}" + register: _ce_deploy_lock + connection: ssh + run_once: true + when: aws_ec2_autoscale_cluster.type == "ec2" + +- name: Abort if ce-deploy lock file exists. + when: + - _ce_deploy_lock.stat.exists is defined and _ce_deploy_lock.stat.exists + block: + - name: Abort if ce-deploy lock file is found. + ansible.builtin.debug: + msg: "ce-deploy lock file discovered, a deployment is in progress! If this is not the case, login to the affected server and delete the file at {{ _init.deploy_lock_file }}." + - ansible.builtin.meta: end_play + +- name: Set a lock file on each ASG machine. + ansible.builtin.file: + path: "{{ _init.lock_file }}" + state: touch + mode: 0644 + connection: ssh + when: aws_ec2_autoscale_cluster.type == "ec2" + # @todo Do we still need that? Used by AMI and LC, # but probably could simply use the base name. - name: Define unique name for resources. @@ -755,3 +782,13 @@ when: - aws_ec2_autoscale_cluster.route_53.zone is defined - aws_ec2_autoscale_cluster.route_53.zone | length > 0 + +# We only need to remove the lock file if the machines will not be replaced. +- name: Remove the lock file on each ASG machine. + ansible.builtin.file: + path: "{{ _init.lock_file }}" + state: absent + connection: ssh + when: + - aws_ec2_autoscale_cluster.type == "ec2" + - not aws_ec2_autoscale_cluster.asg_refresh diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 4ac7b8601..3b63015da 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md 
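Review bot: `Check for a ce-deploy lock file.` uses `run_once: true`, so only the first ASG member in the play is inspected and a deployment in progress on any other instance goes undetected, which defeats the purpose of the check for a cluster; drop `run_once` and let the abort block fire if any host reports `stat.exists`. The matching `Remove the lock file on each ASG machine.` task runs only when `not aws_ec2_autoscale_cluster.asg_refresh`; if a refresh is requested but the play fails before the instances are replaced, the touched `_init.lock_file` stays on every surviving instance and blocks ce-deploy until removed by hand, so add an `always`-style cleanup or document the recovery step. Both `connection: ssh` tasks are guarded by `aws_ec2_autoscale_cluster.type == "ec2"` but the abort block is not; it only works because `_ce_deploy_lock.stat` is undefined when the check is skipped, so add the same `when` to the block for clarity. `asg_refresh` is dereferenced without a default; confirm the role defaults define it or the task fails on an undefined variable.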
@@ -63,7 +63,7 @@ nginx: # Main log stream for nginx (Cloudwatch). log_stream_name: example # We can only have one backend, due to the way we use "common" templates, moving this per domain means instead having templates per project type. # See php.fpm.unix_socket, if true use a socket here: - php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" + php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.', '') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" ratelimitingcrawlers: false client_max_body_size: "700M" fastcgi_read_timeout: 60 From 51278322158373103b6d6b462018ead12b6f0a6a Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Mon, 27 May 2024 16:30:33 +0200 Subject: [PATCH 139/331] Bug fixes 2.x pr 2.x (#1715) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. --- docs/roles/debian/phpmyadmin.md | 6 ++++-- roles/debian/phpmyadmin/README.md | 6 ++++-- roles/debian/phpmyadmin/defaults/main.yml | 3 ++- roles/debian/phpmyadmin/meta/main.yml | 1 - roles/debian/phpmyadmin/tasks/main.yml | 5 +++++ 5 files changed, 15 insertions(+), 6 deletions(-) diff --git a/docs/roles/debian/phpmyadmin.md b/docs/roles/debian/phpmyadmin.md index 3c329c981..7eeb9bcca 100644 --- a/docs/roles/debian/phpmyadmin.md +++ b/docs/roles/debian/phpmyadmin.md @@ -1,7 +1,7 @@ # phpMyAdmin -This role only installs phpMyAdmin ready for configuration, it does not do any active configuration, nor does it create the necessary NGINX vhost. It will install `debian/php-fpm` and `debian/nginx` so do review their variables and set what you need prior to running a first build with `phpmyadmin`. +This role only installs phpMyAdmin ready for configuration, it does not do any active configuration, nor does it create the necessary NGINX vhost. It will install `debian/php-fpm` so do review the variables for PHP and set what you need prior to running a first build with `phpmyadmin`. -Here is an example NGINX vhost config you can copy to your `nginx.yml` file and adjust as required: +Similarly, it can optionally install `debian/nginx` if you set `phpmyadmin.install_nginx: true`, so if you do that be sure to provide a sensible NGINX config. Here is an example NGINX vhost config you can copy to your `nginx.yml` file and adjust as required: ```yaml nginx: @@ -54,6 +54,8 @@ phpmyadmin: # Assuming user and group should match php-fpm by default www_user: "{{ php.fpm.pool_user }}" www_group: "{{ php.fpm.pool_group }}" + install_nginx: false + ``` diff --git a/roles/debian/phpmyadmin/README.md b/roles/debian/phpmyadmin/README.md index 3c329c981..7eeb9bcca 100644 --- a/roles/debian/phpmyadmin/README.md +++ b/roles/debian/phpmyadmin/README.md 
@@ -1,7 +1,7 @@ # phpMyAdmin -This role only installs phpMyAdmin ready for configuration, it does not do any active configuration, nor does it create the necessary NGINX vhost. It will install `debian/php-fpm` and `debian/nginx` so do review their variables and set what you need prior to running a first build with `phpmyadmin`. +This role only installs phpMyAdmin ready for configuration, it does not do any active configuration, nor does it create the necessary NGINX vhost. It will install `debian/php-fpm` so do review the variables for PHP and set what you need prior to running a first build with `phpmyadmin`. -Here is an example NGINX vhost config you can copy to your `nginx.yml` file and adjust as required: +Similarly, it can optionally install `debian/nginx` if you set `phpmyadmin.install_nginx: true`, so if you do that be sure to provide a sensible NGINX config. Here is an example NGINX vhost config you can copy to your `nginx.yml` file and adjust as required: ```yaml nginx: @@ -54,6 +54,8 @@ phpmyadmin: # Assuming user and group should match php-fpm by default www_user: "{{ php.fpm.pool_user }}" www_group: "{{ php.fpm.pool_group }}" + install_nginx: false + ``` diff --git a/roles/debian/phpmyadmin/defaults/main.yml b/roles/debian/phpmyadmin/defaults/main.yml index 00960891a..24fbc46b3 100644 --- a/roles/debian/phpmyadmin/defaults/main.yml +++ b/roles/debian/phpmyadmin/defaults/main.yml @@ -5,4 +5,5 @@ phpmyadmin: install_path: "/home/{{ ce_deploy.username }}/deploy" # Assuming user and group should match php-fpm by default www_user: "{{ php.fpm.pool_user }}" - www_group: "{{ php.fpm.pool_group }}" \ No newline at end of file + www_group: "{{ php.fpm.pool_group }}" + install_nginx: false diff --git a/roles/debian/phpmyadmin/meta/main.yml b/roles/debian/phpmyadmin/meta/main.yml index 54ffd52ed..d0cf08b3d 100644 --- a/roles/debian/phpmyadmin/meta/main.yml +++ b/roles/debian/phpmyadmin/meta/main.yml 
@@ -1,4 +1,3 @@ --- dependencies: - - role: debian/nginx - role: debian/php-fpm diff --git a/roles/debian/phpmyadmin/tasks/main.yml b/roles/debian/phpmyadmin/tasks/main.yml index 474e867fb..b3fac7e2d 100644 --- a/roles/debian/phpmyadmin/tasks/main.yml +++ b/roles/debian/phpmyadmin/tasks/main.yml @@ -17,3 +17,8 @@ ansible.builtin.command: cmd: "/usr/local/bin/phpmyadmin.sh -u -v {{ phpmyadmin.version }}" when: phpmyadmin.method == 'upgrade' + +- name: Install the NGINX web server. + ansible.builtin.include_role: + name: debian/nginx + when: phpmyadmin.install_nginx From d3b057e6e2c69b19a31cc2d6b52fc2228fd5c292 Mon Sep 17 00:00:00 2001 
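Review bot: the new `when: phpmyadmin.install_nginx` at the end of roles/debian/phpmyadmin/tasks/main.yml will raise an undefined-attribute error for any existing config that overrides the `phpmyadmin` dictionary as a whole, because Ansible replaces rather than merges nested dictionaries by default and those configs predate the `install_nginx` key. Use `when: phpmyadmin.install_nginx | default(false)` so older configs keep working, or state in the README that the key is now mandatory. Note also that removing `- role: debian/nginx` from meta/main.yml is a behaviour change for everyone who relied on the implicit NGINX install: they now get a PHP-FPM pool with no web server in front of it unless they opt in, which deserves a changelog entry rather than only the README sentence.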
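Review bot: in the `@@ -54,6 +54,8 @@` hunks of docs/roles/debian/phpmyadmin.md and roles/debian/phpmyadmin/README.md the added `+ install_nginx: false` is followed by an extra empty `+` line before the closing fence, which renders as a stray blank line inside the YAML example; drop it. The defaults/main.yml hunk is the one that matters and is fine, but the docs copy of the block would read more clearly with a trailing comment such as `install_nginx: false # set to true to also run debian/nginx from this role`, matching the comment style used on `www_user` and `www_group` above it.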
From: Greg Harvey Date: Mon, 27 May 2024 16:50:10 +0200 Subject: [PATCH 140/331] Bug fixes 2.x pr 2.x (#1717) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! --- .ansible-lint | 1 + roles/debian/varnish_config/tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 71d7648cc..390760f80 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -13,5 +13,6 @@ skip_list: - fqcn-builtins - template-instead-of-copy # to skip over roles/ssl/tasks/copy.yml errors, temporarily. - name[template] # it doesn't like Jinja templates being in the middle of a task name, which seems silly to me. + - name[casing] # sometimes included Galaxy roles break linting rules and cause failures exclude_paths: - roles/debian/wazuh/ # imported role uses yes/no instead of true/false so always fails diff --git a/roles/debian/varnish_config/tasks/main.yml b/roles/debian/varnish_config/tasks/main.yml index 362d33824..ad6d2836e 100644 --- a/roles/debian/varnish_config/tasks/main.yml +++ b/roles/debian/varnish_config/tasks/main.yml @@ -11,5 +11,5 @@ - "{{ _ce_provision_base_dir }}/config/files/templates/{{ varnish_config.template_filename }}.j2" - "default.vcl.j2" notify: - - Reload systemd - - Restart varnish + - reload systemd # handlers in https://github.com/geerlingguy/ansible-role-varnish/blob/master/handlers/main.yml + - restart varnish From 65f72f43b69ec6d7042ab50017c918908d4dc5e1 Mon Sep 17 00:00:00 2001 
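Review bot: adding `- name[casing]` to `skip_list` in `.ansible-lint` disables the rule for every task in the repository, not just for the tasks that notify handlers defined by the imported Varnish role. The file already shows the narrower pattern with the `exclude_paths` entry for `roles/debian/wazuh/`; alternatively `warn_list` keeps the rule visible without failing the build. If the global skip stays, the comment should name the Varnish handlers as the trigger so a later reader knows when it can be removed. On the roles/debian/varnish_config/tasks/main.yml hunk, the renamed `reload systemd` / `restart varnish` targets are whatever handler names the upstream geerlingguy role currently defines, and the comment links to its `master` branch; an upstream rename will make the play fail with a "handler not found" error, so pin the version of that contrib role alongside this change.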
From: Greg Harvey Date: Wed, 29 May 2024 10:11:38 +0200 Subject: [PATCH 141/331] Creating a ce-provision installer script. (#1724) --- docs/roles/debian/ce_deploy.md | 1 + docs/roles/debian/ce_provision.md | 1 + install.sh | 340 ++++++++++++++++++++ roles/debian/ce_deploy/README.md | 1 + roles/debian/ce_deploy/defaults/main.yml | 1 + roles/debian/ce_deploy/tasks/main.yml | 1 + roles/debian/ce_provision/README.md | 1 + roles/debian/ce_provision/defaults/main.yml | 1 + roles/debian/ce_provision/tasks/main.yml | 1 + 9 files changed, 348 insertions(+) create mode 100755 install.sh diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md index f9e55b15f..5b670c7fd 100644 --- a/docs/roles/debian/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md @@ -17,6 +17,7 @@ ce_deploy: install_username: "{{ _ce_deploy.username }}" upgrade_timer_name: upgrade_ce_deploy_ansible # Other ce-deploy settings. + aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name username: "{{ _ce_deploy.username }}" diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md index 2c43271f7..b6d2e52af 100644 --- a/docs/roles/debian/ce_provision.md +++ b/docs/roles/debian/ce_provision.md @@ -16,6 +16,7 @@ ce_provision: #venv_install_username: "{{ _ce_provision_username }}" #upgrade_timer_name: upgrade_ce_provision_ansible # Other ce-provision settings. + aws_support: true # installs boto3 new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user username: "{{ _ce_provision_username }}" # see _init defaults #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user diff --git a/install.sh b/install.sh new file mode 100755 index 000000000..1cdcd6a17 --- /dev/null +++ b/install.sh 
@@ -0,0 +1,340 @@ +#!/bin/sh +set -e + +# Load OS information. +# shellcheck source=/dev/null +. /etc/os-release + +usage(){ + echo 'install.sh [OPTIONS]' + echo 'Install the latest ce-provision version, or the version specified as option.' + echo 'Please ensure you are using Debian Linux or similar and at least Bullseye (11) or higher.' + echo '' + echo 'Available options:' + echo '--version: ce-provision version to use (default: 2.x)' + echo '--user: Ansible controller user (default: controller)' + echo '--config: Git URL to your ce-provision Ansible config repository (default: https://github.com/codeenigma/ce-provision-config-example.git)' + echo '--config-branch: branch of your Ansible config repository to use (default: 1.x)' + echo '--gitlab: install GitLab CE on this server (default: no, set to desired GitLab URL to install)' + echo '--letsencrypt: try to create an SSL certificate with LetsEncrypt (requires DNS pointing at this server for provided GitLab URL)' + echo '--aws: enable AWS support' + echo '' +} + +# Parse options arguments. +parse_options(){ + while [ "${1:-}" ]; do + case "$1" in + "--version") + shift + VERSION="$1" + ;; + "--user") + shift + CONTROLLER_USER="$1" + ;; + "--config") + shift + CONFIG_REPO="$1" + ;; + "--config-branch") + shift + CONFIG_REPO_BRANCH="$1" + ;; + "--gitlab") + shift + GITLAB_URL="$1" + ;; + "--letsencrypt") + LE_SUPPORT="yes" + ;; + "--aws") + AWS_SUPPORT="true" + ;; + *) + usage + exit 1 + ;; + esac + shift + done +} + +# Set default variables. +VERSION="2.x" +CONTROLLER_USER="controller" +CONFIG_REPO="https://github.com/codeenigma/ce-provision-config-example.git" +CONFIG_REPO_BRANCH="1.x" +GITLAB_URL="no" +LE_SUPPORT="no" +AWS_SUPPORT="false" +SERVER_HOSTNAME=$(hostname) + +# Parse options. +parse_options "$@" + +# Set the hostname for Git email to our GitLab URL, if set. +if [ "$GITLAB_URL" != "no" ]; then + SERVER_HOSTNAME=$GITLAB_URL +fi + +# Check root user. 
+if [ "$(id -u)" -ne 0 ] + then echo "Please run this script as root or using sudo!" + exit +fi + +# Check we are using a compatible Linux distribution. +if [ "$ID" != "debian" ]; then + if [ "$ID_LIKE" != "debian" ]; then + echo "ce-provision only supports Debian Linux and derivatives." + exit 0 + else + echo "ce-provision works best with Debian Linux, it may work with this distro but no promises!" + echo "-------------------------------------------------" + echo "Carrying on regardless..." + echo "-------------------------------------------------" + fi +fi + +echo "Beginning ce-provision installation." +echo "-------------------------------------------------" + +# Create required user. +echo "Check if user named $CONTROLLER_USER exists." +# Check if user exists +if id "$CONTROLLER_USER" >/dev/null 2>&1; then + echo "The user named $CONTROLLER_USER already exists. Skipping." +else + # User not found so let's create them. + echo "Create user named $CONTROLLER_USER." + /usr/sbin/useradd -s /bin/bash "$CONTROLLER_USER" + echo "$CONTROLLER_USER":"$CONTROLLER_USER" | chpasswd -m + install -m 755 -o "$CONTROLLER_USER" -g "$CONTROLLER_USER" -d /home/"$CONTROLLER_USER" + install -m 700 -o "$CONTROLLER_USER" -g "$CONTROLLER_USER" -d /home/"$CONTROLLER_USER"/.ssh + echo root:"$CONTROLLER_USER" | chpasswd -m + echo "$CONTROLLER_USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/"$CONTROLLER_USER" + chmod 0440 /etc/sudoers.d/"$CONTROLLER_USER" +fi +echo "-------------------------------------------------" + +# Install APT packages. +echo "Install required packages." 
+echo "-------------------------------------------------" +/usr/bin/apt-get update +/usr/bin/apt-get dist-upgrade -y -o Dpkg::Options::="--force-confnew" +/usr/bin/apt-get install -y -o Dpkg::Options::="--force-confnew" \ + git ca-certificates git-lfs \ + openssh-client nfs-common stunnel4 \ + python3-venv python3-debian \ + zip unzip gzip tar dnsutils +echo "-------------------------------------------------" + +# Install Ansible in a Python virtual environment. +echo "Install Ansible and dependencies." +echo "-------------------------------------------------" +su - "$CONTROLLER_USER" -c "/usr/bin/python3 -m venv /home/$CONTROLLER_USER/ansible" +su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/pip3 install ansible netaddr" +su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/ansible-galaxy collection install ansible.posix --force" +if [ "$AWS_SUPPORT" = "true" ]; then + su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/pip3 install boto3" +fi +echo "-------------------------------------------------" + +# Install ce-provision. +echo "Install ce-provision." +echo "-------------------------------------------------" +if [ ! -d "/home/$CONTROLLER_USER/ce-provision" ]; then + su - "$CONTROLLER_USER" -c "git clone --branch $VERSION https://github.com/codeenigma/ce-provision.git /home/$CONTROLLER_USER/ce-provision" +else + echo "ce-provision directory at /home/$CONTROLLER_USER/ce-provision already exists. Skipping." + echo "-------------------------------------------------" +fi +# Create playbook. +/usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL +--- +- hosts: "localhost" + become: true + vars_files: + - vars.yml + tasks: + - name: Install ce-provision. + ansible.builtin.import_role: + name: debian/ce_provision + - name: Install iptables firewall. + ansible.builtin.import_role: + name: debian/firewall_config +EOL +# Create vars file. 
+/usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/vars.yml" << EOL +_domain_name: ${SERVER_HOSTNAME} +_ce_provision_data_dir: /home/${CONTROLLER_USER}/ce-provision/data +_ce_provision_username: ${CONTROLLER_USER} +ce_provision: + venv_path: /home/${CONTROLLER_USER}/ansible + venv_command: /usr/bin/python3 -m venv + venv_install_username: ${CONTROLLER_USER} + upgrade_timer_name: upgrade_ce_provision_ansible + aws_support: ${AWS_SUPPORT} + new_user: ${CONTROLLER_USER} + username: ${CONTROLLER_USER} + public_key_name: id_rsa.pub + own_repository: "https://github.com/codeenigma/ce-provision.git" + own_repository_branch: "${VERSION}" + own_repository_skip_checkout: false + local_dir: "/home/${CONTROLLER_USER}/ce-provision" + config_repository: "${CONFIG_REPO}" + config_repository_branch: "${CONFIG_REPO_BRANCH}" + config_repository_skip_checkout: false + groups: [] + contrib_roles: + - directory: wazuh + repo: https://github.com/wazuh/wazuh-ansible.git + branch: "v4.7.2" + - directory: systemd_timers + repo: https://github.com/vlcty/ansible-systemd-timers.git + branch: master + galaxy_custom_requirements_file: "" + upgrade_galaxy: + enabled: true + command: "/home/${CONTROLLER_USER}/ansible/bin/ansible-galaxy collection install --force" + on_calendar: "Mon *-*-* 04:00:00" +firewall_config: + purge: true + firewall_state: started + firewall_enabled_at_boot: true + firewall_enable_ipv6: false + firewall_log_dropped_packets: true + firewall_disable_ufw: true + firewall_allowed_tcp_ports: [] + rulesets: + - ssh_open + - web_open + ssh_open: + firewall_allowed_tcp_ports: + - "22" + web_open: + firewall_allowed_tcp_ports: + - "80" + - "443" +EOL +su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" +echo "-------------------------------------------------" + +# Install GitLab +if [ "$GITLAB_URL" != "no" ]; then + echo "Install GitLab." 
+ echo "-------------------------------------------------" + # Create playbook. + /usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL +--- +- hosts: "localhost" + become: true + vars_files: + - vars.yml + tasks: + - name: Install GitLab Runner. + ansible.builtin.import_role: + name: debian/gitlab_runner + - name: Install GitLab. + ansible.builtin.import_role: + name: debian/gitlab +EOL + # Create vars file. + /usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/vars.yml" << EOL +gitlab_runner: + apt_origin: "origin=packages.gitlab.com/runner/gitlab-runner,codename=\${distro_codename},label=gitlab-runner" # used by apt_unattended_upgrades + apt_signed_by: https://packages.gitlab.com/runner/gitlab-runner/gpgkey + concurrent_jobs: 10 + check_interval: 0 + session_timeout: 1800 + runners: [] + install_fargate: false + restart: false + username: "${CONTROLLER_USER}" + docker_group: "docker" + runner_workingdir: "/home/${CONTROLLER_USER}/build" + runner_config: "/etc/gitlab-runner/config.toml" +gitlab: + apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=\${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades + apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey + server_name: "${GITLAB_URL}" + email: "gitlab@${GITLAB_URL}" + gitlab_route_53: + zone: "" + linux_user: git + linux_group: git + linux_uid: nil + linux_gid: nil + linux_shell: /bin/sh + linux_user_home: /var/opt/gitlab + username: GitLab + email: "gitlab@${GITLAB_URL}" + default_theme: 1 + disable_signup: true + disable_signin: false + private_projects: true + unicorn_worker_processes: 2 + puma_worker_processes: 2 + initial_root_password: "Ch@ng3m3" + ldap: + enable: false + mattermost: false + omniauth: false + prometheus: "true" + node_exporter: "true" + alertmanager: "true" + nginx: + enable: true + listen_port: 443 + listen_https: 443 + client_max_body_size: "250m" + redirect_http_to_https: "true" + redirect_http_to_https_port: 80 + 
custom_nginx_config: "" +EOL + if [ "$LE_SUPPORT" = "yes" ]; then + echo "Will try to create an SSL certificate with LetsEncrypt." + echo "*** THIS STEP WILL FAIL IF YOUR DNS IS NOT CORRECT! ***" + if [ -n "$(dig +short "$GITLAB_URL".)" ]; then + echo "DNS record found, attempting LetsEncrypt request..." + # Write GitLab vars with LE for SSL + cat <> "/home/$CONTROLLER_USER/ce-provision/vars.yml" + letsencrypt: "true" + ssl: + enabled: false +EOT + echo "-------------------------------------------------" + else + echo "No DNS found for provided URL, will create a self-signed certificate instead." + # Write GitLab vars with self-signed SSL + cat <> "/home/$CONTROLLER_USER/ce-provision/vars.yml" + letsencrypt: "false" + ssl: + enabled: true + handling: selfsigned + replace_existing: false +EOT + echo "-------------------------------------------------" + fi + else + # Write GitLab vars with self-signed SSL + echo "Create a self-signed SSL certificate." + cat <> "/home/$CONTROLLER_USER/ce-provision/vars.yml" + letsencrypt: "false" + ssl: + enabled: true + handling: selfsigned + replace_existing: false +EOT + echo "-------------------------------------------------" + fi + su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" + echo "-------------------------------------------------" +else + echo "GitLab not requested. Skipping." + echo "-------------------------------------------------" +fi +rm "/home/$CONTROLLER_USER/ce-provision/vars.yml" +rm "/home/$CONTROLLER_USER/ce-provision/provision.yml" +echo "DONE." diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md index f9e55b15f..5b670c7fd 100644 --- a/roles/debian/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md 
@@ -17,6 +17,7 @@ ce_deploy: install_username: "{{ _ce_deploy.username }}" upgrade_timer_name: upgrade_ce_deploy_ansible # Other ce-deploy settings. + aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name username: "{{ _ce_deploy.username }}" diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index 1dc9ba5b3..878d94b07 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -9,6 +9,7 @@ ce_deploy: install_username: "{{ _ce_deploy.username }}" upgrade_timer_name: upgrade_ce_deploy_ansible # Other ce-deploy settings. + aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user key_name: id_rsa.pub # existing users may have a key of a different name username: "{{ _ce_deploy.username }}" diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index 05611bf13..9852e8744 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml @@ -141,6 +141,7 @@ - name: Install python_boto. ansible.builtin.include_role: name: debian/python_boto + when: ce_deploy.aws_support - name: Add Python virtual environment to $PATH. ansible.builtin.copy: diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md index 2c43271f7..b6d2e52af 100644 --- a/roles/debian/ce_provision/README.md +++ b/roles/debian/ce_provision/README.md 
@@ -16,6 +16,7 @@ ce_provision: #venv_install_username: "{{ _ce_provision_username }}" #upgrade_timer_name: upgrade_ce_provision_ansible # Other ce-provision settings. + aws_support: true # installs boto3 new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user username: "{{ _ce_provision_username }}" # see _init defaults #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index 5b02954f9..7c2add082 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml @@ -7,6 +7,7 @@ ce_provision: #venv_install_username: "{{ _ce_provision_username }}" #upgrade_timer_name: upgrade_ce_provision_ansible # Other ce-provision settings. + aws_support: true # installs boto3 new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user username: "{{ _ce_provision_username }}" # see _init defaults #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index e1d35126e..d19b458cc 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml @@ -199,6 +199,7 @@ - name: Install python_boto. ansible.builtin.include_role: name: debian/python_boto + when: ce_provision.aws_support - name: Ensure dnspython, certifi and pyopenssl are installed. ansible.builtin.include_role: From e8c73f2faaa80d50200d1bc1e91af3ac8f9da8bb Mon Sep 17 00:00:00 2001 
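Review bot: the user-creation block in install.sh sets guessable passwords on both the new account and on root, via `echo "$CONTROLLER_USER":"$CONTROLLER_USER" | chpasswd -m` and `echo root:"$CONTROLLER_USER" | chpasswd -m`, and then grants that user `ALL=(ALL) NOPASSWD: ALL`; any console or password-based login on a long-lived controller becomes trivially guessable. Drop both `chpasswd` lines (the sudoers entry already gives the account what the playbook needs and the role installs the SSH key), or at least lock the account password with `passwd -l` and leave root's password untouched. Further points in the same hunk: `initial_root_password: "Ch@ng3m3"` is a fixed GitLab root password written into a root-owned `vars.yml` that `cat >` creates under root's default umask, so it is world-readable for the duration of the run and only removed by the trailing `rm`; generate the value or take it from an option, and `chmod 600` the vars file before `ansible-playbook` runs. The two appended-vars blocks read `cat <> "/home/$CONTROLLER_USER/ce-provision/vars.yml"` and are terminated by `EOT`, which is not a here-document; under `set -e` the script will stop at the first YAML line, so this needs to be `cat <<EOT >> "/home/$CONTROLLER_USER/ce-provision/vars.yml"`. `--gitlab` is documented as a URL, but the value is used as a hostname in `SERVER_HOSTNAME=$GITLAB_URL`, `email: "gitlab@${GITLAB_URL}"` and `dig +short "$GITLAB_URL".`, none of which work with a scheme prefix; document it as a bare FQDN or strip the scheme before use. `new_user: ${CONTROLLER_USER}` writes a username into a variable the role documents as a boolean (`new_user: true`). The root check and the unsupported-distro check leave with `exit` and `exit 0`, so a caller cannot detect the failure; use `exit 1`. Finally, the defaults `VERSION="2.x"` and `CONFIG_REPO_BRANCH="1.x"` disagree, so a default run pairs the 2.x stack with the 1.x example config.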
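Review bot: `when: ce_deploy.aws_support` in roles/debian/ce_deploy/tasks/main.yml, and the matching `when: ce_provision.aws_support` in roles/debian/ce_provision/tasks/main.yml, will fail with an undefined attribute for any existing config that overrides the whole `ce_deploy` or `ce_provision` dictionary without the new key, since Ansible does not merge nested dictionaries by default. Because the defaults set the key to `true`, `when: ce_deploy.aws_support | default(true)` (and the same for `ce_provision`) preserves current behaviour for unchanged configs while still letting the installer pass `aws_support: false`.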
From: Greg Harvey Date: Wed, 29 May 2024 10:23:51 +0200 Subject: [PATCH 142/331] Installer pr 2.x (#1726) * Creating a ce-provision installer script. * Updating installation docs. --- docs/install.md | 46 ++++++++++++++++++-------------- install/.gitignore | 1 - install/README.md | 46 ++++++++++++++++++-------------- install/example.vars.yml | 12 --------- install/self-update.yml | 57 ---------------------------------------- 5 files changed, 52 insertions(+), 110 deletions(-) delete mode 100644 install/.gitignore delete mode 100644 install/example.vars.yml delete mode 100644 install/self-update.yml diff --git a/docs/install.md b/docs/install.md index 96bb46fc5..ad89a940b 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -1,29 +1,35 @@ # Install -You can install either: -- through [ce-provision](https://github.com/codeenigma/ce-provision) -- manually by running a local playbook -- with Docker (soon) +The simplest way to install is using the installation script provided in the root of this repository, `install.sh`. ## Install manually ### Dependencies -The stack has been created on Debian Buster. It might run on other Debian versions or derivatives, but this is untested. -The main prerequesites are obviously Ansible and git. Depending on how you setup your inventory, you might need some other Python libraries (eg Boto3 for AWS). -You will also need a local user to install locally, by convention we'll name it "provision", but you can easily override that. +The stack has been created on Debian Linux. The 1.x branch is for Debian Buster (10) and the 2.x branch is for Debian Bullseye (11) and Bookworm (12). It might run on other Debian versions or derivatives, but this is untested. + +The main prerequesites are obviously Ansible and git. Depending on how you setup your inventory, you might need some other Python libraries (e.g. Boto3 for AWS). +You will also need a local user to install locally, by convention we'll name it `controller`, but you can override that. + ### Installation -1. Clone this repository (typically to the provision user `$HOME` directory) -2. Copy the install/example.vars.yml file to install/vars.yml -3. Amend the vars.yml file, and change the ce_provision.username to your "provision" user. -4. Run the install playbook: ```ansible-playbook install/self-update.yml --extra-vars="@install/vars.yml" ``` -Past this step, the vars.yml file can be safely deleted. +Download [the `install.sh` file](https://raw.githubusercontent.com/codeenigma/ce-provision/devel-2.x/install.sh) on to the target server and make it executable, then run it - for example: -## Install with ce-provision -If you already installed the stack, you can use it to provison other controllers machine. 
Obviously, you'll need at least one "manually installed" server to begin with. +```sh +curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/devel-2.x/install.sh +chmod +x ./install.sh +sudo ./install.sh -h # for usage information +# Default installation (ce-provision only) +sudo ./install.sh +# Installation with GitLab CE using a self-signed SSL certificate +sudo ./install.sh --gitlab https://gitlab.example.com +# Installation with GitLab CE using a LetsEncrypt SSL certificate (requires DNS to be set up in advance) +sudo ./install.sh --letsencrypt --gitlab https://gitlab.example.com +``` -## Install with Docker -@todo Docker image to come soon. +## Install with ce-provision +If you already installed the stack, you can use it to provison other controller machines by using the `_meta/controller` role. ## Configuration -Past the initial setup, you will want to manage your configuration (hosts, etc) independantly. -To do so, amend the default that have been cloned in the "config" subdirectory, and -- point the git remote to the new location in which you want to manage your configuration -- make sure the ce_provision.config_repository variable defaults to the same repository. +Past the initial setup, you will want to manage your configuration (hosts, etc.) independently. The script above will have installed `ce-provision` with our "example" config repository into the `config` subdirectory. You can amend the defaults there and: +* alter the git remote settings to a new location in which you want to manage your configuration +* update the `ce_provision.config_repository` variable accordingly so future builds use your config repo instead of the example one + +## Roadmap +Docker support is planned for the future. diff --git a/install/.gitignore b/install/.gitignore deleted file mode 100644 index 85b5732c6..000000000 --- a/install/.gitignore +++ /dev/null @@ -1 +0,0 @@ -/vars.yml 
diff --git a/install/README.md b/install/README.md index 96bb46fc5..ad89a940b 100644 --- a/install/README.md +++ b/install/README.md 
@@ -1,29 +1,35 @@ # Install -You can install either: -- through [ce-provision](https://github.com/codeenigma/ce-provision) -- manually by running a local playbook -- with Docker (soon) +The simplest way to install is using the installation script provided in the root of this repository, `install.sh`. ## Install manually ### Dependencies -The stack has been created on Debian Buster. It might run on other Debian versions or derivatives, but this is untested. -The main prerequesites are obviously Ansible and git. Depending on how you setup your inventory, you might need some other Python libraries (eg Boto3 for AWS). -You will also need a local user to install locally, by convention we'll name it "provision", but you can easily override that. +The stack has been created on Debian Linux. The 1.x branch is for Debian Buster (10) and the 2.x branch is for Debian Bullseye (11) and Bookworm (12). It might run on other Debian versions or derivatives, but this is untested. + +The main prerequesites are obviously Ansible and git. Depending on how you setup your inventory, you might need some other Python libraries (e.g. Boto3 for AWS). +You will also need a local user to install locally, by convention we'll name it `controller`, but you can override that. + ### Installation -1. Clone this repository (typically to the provision user `$HOME` directory) -2. Copy the install/example.vars.yml file to install/vars.yml -3. Amend the vars.yml file, and change the ce_provision.username to your "provision" user. -4. Run the install playbook: ```ansible-playbook install/self-update.yml --extra-vars="@install/vars.yml" ``` -Past this step, the vars.yml file can be safely deleted. +Download [the `install.sh` file](https://raw.githubusercontent.com/codeenigma/ce-provision/devel-2.x/install.sh) on to the target server and make it executable, then run it - for example: -## Install with ce-provision -If you already installed the stack, you can use it to provison other controllers machine. 
Obviously, you'll need at least one "manually installed" server to begin with. +```sh +curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/devel-2.x/install.sh +chmod +x ./install.sh +sudo ./install.sh -h # for usage information +# Default installation (ce-provision only) +sudo ./install.sh +# Installation with GitLab CE using a self-signed SSL certificate +sudo ./install.sh --gitlab https://gitlab.example.com +# Installation with GitLab CE using a LetsEncrypt SSL certificate (requires DNS to be set up in advance) +sudo ./install.sh --letsencrypt --gitlab https://gitlab.example.com +``` -## Install with Docker -@todo Docker image to come soon. +## Install with ce-provision +If you already installed the stack, you can use it to provison other controller machines by using the `_meta/controller` role. ## Configuration -Past the initial setup, you will want to manage your configuration (hosts, etc) independantly. -To do so, amend the default that have been cloned in the "config" subdirectory, and -- point the git remote to the new location in which you want to manage your configuration -- make sure the ce_provision.config_repository variable defaults to the same repository. +Past the initial setup, you will want to manage your configuration (hosts, etc.) independently. The script above will have installed `ce-provision` with our "example" config repository into the `config` subdirectory. You can amend the defaults there and: +* alter the git remote settings to a new location in which you want to manage your configuration +* update the `ce_provision.config_repository` variable accordingly so future builds use your config repo instead of the example one + +## Roadmap +Docker support is planned for the future. diff --git a/install/example.vars.yml b/install/example.vars.yml deleted file mode 100644 index 817bef0d3..000000000 --- a/install/example.vars.yml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -ce_provision: - # The user you'll be running as (same as the user currently used for installing). - username: "provision" - # Path to the main scripts, only amend if you wanted to fork them. - own_repository: "https://github.com/codeenigma/ce-provision.git" - own_repository_branch: "1.x" - # Repo holding your "private" configuration, leave empty if you manage this by other means. - config_repository: "https://github.com/codeenigma/ce-dev-ce-provision-config.git" - config_repository_branch: "1.x" - # Where to clone the stack. - local_dir: "{{ playbook_dir | dirname }}" diff --git a/install/self-update.yml b/install/self-update.yml deleted file mode 100644 index 44297381c..000000000 --- a/install/self-update.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -- hosts: "localhost" - vars_files: - - vars.yml - tasks: - - name: Ensure provision scripts are presents. - git: - repo: "{{ ce_provision.own_repository | default('https://github.com/codeenigma/ce-provision.git') }}" - dest: "{{ ce_provision.local_dir }}" - version: "{{ ce_provision.own_repository_branch | default('master') }}" - update: true - accept_hostkey: true - become: true - become_user: "{{ ce_provision.username }}" - - - name: Checkout config directory. - git: - repo: "{{ ce_provision.config_repository }}" - accept_hostkey: true - dest: "{{ ce_provision.local_dir }}/config" - version: "{{ ce_provision.config_repository_branch | default('master') }}" - become: true - become_user: "{{ ce_provision.username }}" - when: ce_provision.config_repository is defined and ce_provision.config_repository - - - name: Check if we have a config directory. - stat: - path: "{{ ce_provision.local_dir }}/config" - register: ce_provision_config_repo - - - name: Register config repository. - set_fact: - ce_provision_has_config_repo: "{{ 'yes' if ce_provision_config_repo.stat.isdir is defined and ce_provision_config_repo.stat.isdir else 'no' }}" - - - name: Remove defaults folders. - file: - path: "{{ ce_provision.local_dir }}/{{ item }}" - state: absent - with_items: - - hosts - - ansible.cfg - when: ce_provision_has_config_repo - - - name: Symlink config folders to /etc/ansible. - file: - dest: "{{ ce_provision.local_dir }}/{{ item }}" - src: "{{ ce_provision.local_dir }}/config/{{ item }}" - state: link - with_items: - - hosts - - ansible.cfg - when: ce_provision_has_config_repo - - - name: Create data dir. - file: - path: "{{ ce_provision.local_dir }}/data" - state: directory From 8445562a572600b7dcce7f101e76a1fe17b3c784 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Wed, 29 May 2024 11:06:44 +0200 Subject: [PATCH 143/331] Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. --- roles/_init/tasks/main.yml | 3 +- .../aws_ec2_autoscale_cluster/tasks/main.yml | 36 ------------------- 2 files changed, 2 insertions(+), 37 deletions(-) diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml index 485fdfa5f..2a7e3add7 100644 --- a/roles/_init/tasks/main.yml +++ b/roles/_init/tasks/main.yml @@ -3,7 +3,8 @@ ansible.builtin.debug: msg: "Using ce-provision {{ _init.ce_provision_version }}" -# See roles/aws/aws_ec2_autoscale_cluster for lock handling in ASGs. +# @TODO This cannot work for ASGs. +# We will need something central for lock files and it cannot be controller servers because they may be containers. - name: Check for a ce-deploy lock file. ansible.builtin.stat: path: "{{ _init.deploy_lock_file }}" diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index e6abb61fd..77b0e0a11 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml 
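Review bot: the replacement comment says the lock check below it cannot work for ASGs, but the check is left in place while the ASG-specific lock tasks are removed from aws_ec2_autoscale_cluster in this same patch, so for `type == "ec2"` clusters nothing now stops a provision run from overlapping an in-progress ce-deploy deployment and the operator gets no signal that the guard is gone. Until the central lock exists, suggest the ASG role at least emit a warning (or fail unless an explicit override var is set) when it runs, and that the limitation be recorded in the role README rather than only in a `@TODO` comment.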
@@ -1,30 +1,4 @@ --- -# With ASGs the lock behaviour in _init will not work, we need to do it here. -- name: Check for a ce-deploy lock file. - ansible.builtin.stat: - path: "{{ _init.deploy_lock_file }}" - register: _ce_deploy_lock - connection: ssh - run_once: true - when: aws_ec2_autoscale_cluster.type == "ec2" - -- name: Abort if ce-deploy lock file exists. - when: - - _ce_deploy_lock.stat.exists is defined and _ce_deploy_lock.stat.exists - block: - - name: Abort if ce-deploy lock file is found. - ansible.builtin.debug: - msg: "ce-deploy lock file discovered, a deployment is in progress! If this is not the case, login to the affected server and delete the file at {{ _init.deploy_lock_file }}." - - ansible.builtin.meta: end_play - -- name: Set a lock file on each ASG machine. - ansible.builtin.file: - path: "{{ _init.lock_file }}" - state: touch - mode: 0644 - connection: ssh - when: aws_ec2_autoscale_cluster.type == "ec2" - # @todo Do we still need that? Used by AMI and LC, # but probably could simply use the base name. - name: Define unique name for resources. @@ -782,13 +756,3 @@ when: - aws_ec2_autoscale_cluster.route_53.zone is defined - aws_ec2_autoscale_cluster.route_53.zone | length > 0 - -# We only need to remove the lock file if the machines will not be replaced. -- name: Remove the lock file on each ASG machine. - ansible.builtin.file: - path: "{{ _init.lock_file }}" - state: absent - connection: ssh - when: - - aws_ec2_autoscale_cluster.type == "ec2" - - not aws_ec2_autoscale_cluster.asg_refresh From 897fc3d4bbee5473d79509ebccda8aaa1c715295 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 29 May 2024 11:40:09 +0200 Subject: [PATCH 144/331] Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. --- install.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/install.sh b/install.sh index 1cdcd6a17..5586a066b 100755 --- a/install.sh 
+++ b/install.sh @@ -134,10 +134,11 @@ echo "-------------------------------------------------" echo "Install Ansible and dependencies." echo "-------------------------------------------------" su - "$CONTROLLER_USER" -c "/usr/bin/python3 -m venv /home/$CONTROLLER_USER/ansible" -su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/pip3 install ansible netaddr" +su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/python3 -m pip install --upgrade pip" +su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/pip install ansible netaddr python-debian" su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/ansible-galaxy collection install ansible.posix --force" if [ "$AWS_SUPPORT" = "true" ]; then - su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/pip3 install boto3" + su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/pip install boto3" fi echo "-------------------------------------------------" From 939d1e3bf8f560304452360d210b225193f1f261 Mon Sep 17 00:00:00 2001 
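Review bot: `pip install --upgrade pip` and `pip install ansible netaddr python-debian` (and `boto3` below) install whatever is newest on PyPI at the moment the bootstrap runs, as root via `su`, on the host that will go on to provision every other machine; pin the versions here (or ship a requirements file and install it with `--require-hashes`) so two controllers built a week apart get the same Ansible and the installer is not an unpinned supply-chain entry point. The `pip3` to `pip` rename itself is fine, both resolve inside the venv.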
From: Greg Harvey Date: Wed, 29 May 2024 14:33:29 +0200 Subject: [PATCH 145/331] Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. --- docs/roles/_init.md | 4 +- docs/roles/debian/ansible.md | 4 +- docs/roles/debian/ce_deploy.md | 13 ++--- docs/roles/debian/ce_provision.md | 5 +- docs/roles/debian/duplicity.md | 11 +++-- docs/roles/debian/python_boto.md | 5 +- docs/roles/debian/python_pip_packages.md | 9 ++-- docs/roles/debian/ssl.md | 10 +++- install.sh | 16 +++---- roles/_init/README.md | 4 +- roles/_init/defaults/main.yml | 4 +- roles/_init/tasks/main.yml | 2 +- roles/debian/ansible/README.md | 4 +- roles/debian/ansible/defaults/main.yml | 4 +- roles/debian/ansible/tasks/main.yml | 19 ++++++++ roles/debian/ce_deploy/README.md | 13 ++--- roles/debian/ce_deploy/defaults/main.yml | 13 ++--- roles/debian/ce_deploy/tasks/main.yml | 24 ++++++++-- roles/debian/ce_provision/README.md | 5 +- roles/debian/ce_provision/defaults/main.yml | 5 +- roles/debian/duplicity/README.md | 11 +++-- roles/debian/duplicity/defaults/main.yml | 11 +++-- roles/debian/duplicity/tasks/main.yml | 29 +++++++++-- roles/debian/python_boto/README.md | 5 +- roles/debian/python_boto/defaults/main.yml | 5 +- roles/debian/python_pip_packages/README.md | 9 ++-- .../python_pip_packages/defaults/main.yml | 10 ++-- roles/debian/ssl/README.md | 10 +++- roles/debian/ssl/defaults/main.yml | 10 +++- roles/debian/ssl/tasks/letsencrypt.yml | 48 +++++++++++++++++-- roles/debian/ssl/templates/le_cron.sh.j2 | 2 +- 31 files changed, 226 insertions(+), 98 
deletions(-) diff --git a/docs/roles/_init.md b/docs/roles/_init.md index 2770a4ada..27d3629e3 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md @@ -10,10 +10,10 @@ This is meant to ALWAYS be included as the first task of a play. If you include ```yaml --- _ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" -_venv_path: "/home/{{ _ce_provision_username }}/ansible" +_venv_path: "/home/{{ _ce_provision_username }}/ce-python" _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" -_ce_ansible_timer_name: upgrade_ce_provision_ansible +_ce_ansible_timer_name: upgrade_ansible # AWS variables - if you are using an AWS account, you can preset certain variables # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all diff --git a/docs/roles/debian/ansible.md b/docs/roles/debian/ansible.md index e86936b93..f9992379d 100644 --- a/docs/roles/debian/ansible.md +++ b/docs/roles/debian/ansible.md @@ -11,10 +11,10 @@ Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` ```yaml --- ce_ansible: - # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: "/home/{{ ce_provision.username }}/ansible" #venv_command: /usr/bin/python3.11 -m venv - #install_username: deploy # user to become when creating venv + #venv_install_username: ansible # user to become when creating venv upgrade: enabled: true # create systemd timer to auto-upgrade Ansible command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md index 5b670c7fd..856e548eb 100644 
--- a/docs/roles/debian/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md @@ -11,11 +11,12 @@ _ce_deploy: username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: - # Location of Ansible installation and components. - venv_path: "/home/{{ _ce_deploy.username }}/ansible" - venv_command: /usr/bin/python3 -m venv - install_username: "{{ _ce_deploy.username }}" - upgrade_timer_name: upgrade_ce_deploy_ansible + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: "/home/{{ _ce_deploy.username }}/ansible" + #venv_command: /usr/bin/python3 -m venv + #venv_install_username: "{{ _ce_deploy.username }}" + #upgrade_timer_name: upgrade_ce_deploy_ansible + # Other ce-deploy settings. aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user @@ -34,7 +35,7 @@ ce_deploy: galaxy_custom_requirements_file: "/home/{{ _ce_deploy.username }}/ce-deploy/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/home/{{ _ce_deploy.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_deploy.venv_path if overridden on_calendar: "Mon *-*-* 01:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md index b6d2e52af..8611d76b4 100644 --- a/docs/roles/debian/ce_provision.md +++ b/docs/roles/debian/ce_provision.md 
@@ -10,11 +10,12 @@ Installs Code Enigma's infrastructure management stack on a server. Note, the `_ --- # See roles/_init/defaults/main.yml for Ansible installation, controller user creation and extra variables repo settings. ce_provision: - # Optional venv overrides - if commented out, values taken from _init defaults. + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: "/home/{{ _ce_provision_username }}/ansible" #venv_command: /usr/bin/python3 -m venv #venv_install_username: "{{ _ce_provision_username }}" #upgrade_timer_name: upgrade_ce_provision_ansible + # Other ce-provision settings. aws_support: true # installs boto3 new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user @@ -46,7 +47,7 @@ ce_provision: galaxy_custom_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/home/{{ _ce_provision_username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_provision.venv_path if overridden on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/docs/roles/debian/duplicity.md b/docs/roles/debian/duplicity.md index c9140007e..c23c86a82 100644 --- a/docs/roles/debian/duplicity.md +++ b/docs/roles/debian/duplicity.md 
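Review bot: the commented override examples in docs/roles/debian/ansible.md, ce_deploy.md and ce_provision.md still read `#venv_path: "/home/{{ ... }}/ansible"` while `_venv_path` in docs/roles/_init.md moves to `/home/{{ _ce_provision_username }}/ce-python` in this same patch, so the "usually set in the _init role" comment now sits next to a path that is no longer the _init default; update the examples to `ce-python` or drop the path from them. In ansible.md the example `#venv_install_username: ansible` also names a user that nothing in this patch creates (the _init default is `_ce_provision_username`), so a reader who uncomments it gets a become failure. And the ce_deploy/ce_provision `upgrade_galaxy.command` comment, "_venv_path in the _init role - must match ce_deploy.venv_path if overridden", looks stale: the tasks now set `_venv_path` from that override themselves, so there is nothing left for the user to keep in sync.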
@@ -9,10 +9,11 @@ Role to install and configure [the Duplicity backup engine](https://duplicity.us ```yaml --- duplicity: - # Location of Duplicity installation and components. - venv_path: "/home/{{ user_provision.username }}/duplicity" - venv_command: /usr/bin/python3 -m venv - install_username: "{{ user_provision.username }}" + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: "/home/{{ user_provision.username }}/duplicity" + #venv_command: /usr/bin/python3 -m venv + #venv_install_username: "{{ user_provision.username }}" + # Duplicity configuration backend: s3 # currently also support b2 for Backblaze access_key_id: "somekey" @@ -40,6 +41,8 @@ duplicity: # systemd timer settings create_timer: true # sometimes you might want to trigger duplicity some other way than a systemd timer on_calendar: "*-*-* 03:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + create_upgrade_timer: true + upgrade_on_calendar: "*-*-* 01:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/docs/roles/debian/python_boto.md b/docs/roles/debian/python_boto.md index 0bc0b8d68..04cf9c85e 100644 --- a/docs/roles/debian/python_boto.md +++ b/docs/roles/debian/python_boto.md 
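Review bot: `create_upgrade_timer: true` is a new default that upgrades the duplicity venv unattended at 01:30 every night on every backup host, i.e. an unpinned automatic upgrade of the tool that holds the `access_key_id` for the backup bucket; suggest defaulting it to false or pinning the version the timer installs, and documenting the command the timer actually runs (the ansible role documents its `upgrade.command`; this block does not).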
@@ -8,11 +8,8 @@ Role to install the `boto3` library for Python integration with AWS services. ## Default variables ```yaml python_boto: + # See the invoking role for venv settings _venv_path, _venv_command and _venv_install_username. boto3_version: "" # version string, e.g. "1.22.13" - empty string means latest - # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: /path/to/venv - #venv_command: /usr/bin/python3.11 -m venv - #install_username: deploy # user to become when creating venv ``` diff --git a/docs/roles/debian/python_pip_packages.md b/docs/roles/debian/python_pip_packages.md index 458157e0c..11c6512a0 100644 --- a/docs/roles/debian/python_pip_packages.md +++ b/docs/roles/debian/python_pip_packages.md @@ -9,14 +9,15 @@ Role to install a list of Python packages in a specified Python virtual environm ```yaml --- python_pip_packages: + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: /path/to/venv + #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv + packages: [] # - name: pip # state: latest - # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: /path/to/venv - #venv_command: /usr/bin/python3.11 -m venv - #install_username: deploy # user to become when creating venv ``` diff --git a/docs/roles/debian/ssl.md b/docs/roles/debian/ssl.md index 102e90cc3..ecf91fc72 100644 --- a/docs/roles/debian/ssl.md +++ b/docs/roles/debian/ssl.md 
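Review bot: docs/roles/debian/python_pip_packages.md keeps the override key as `install_username` while this patch renames it to `venv_install_username` in ce_ansible, ce_deploy, duplicity and ssl.letsencrypt; check the role's tasks and settle on one name, otherwise the override documented here silently does nothing. The two docs also now disagree on where these variables come from: python_pip_packages.md says "usually set in the _init role", python_boto.md in the same patch says "See the invoking role".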
@@ -78,11 +78,11 @@ ssl: # For "letsencrypt" handling. email: admin@example.com - certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" # root of the command to register a new cert + certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" # root of the command to register a new cert http_01_port: 80 # you can set a non-standard port to listen on, but certbot still needs port 80 - see https://letsencrypt.org/docs/challenge-types/#http-01-challenge # For "letsencrypt" auto renewal autorenew: false # set to true to create a systemd timer to renew LE certs - certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # root of the command used in the systemd timer + certbot_renew_command: "certonly --agree-tos --force-renew" # root of the command used in the systemd timer # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events #on_calendar: "Mon *-*-* 04:00:00" web_server: standalone # values are standalone, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! @@ -97,6 +97,12 @@ ssl: # List of services to reload: reload: [] reload_command: restart # use 'reload' if you do not want to restart, but in most cases a full restart is required to load a new cert. + # Location of Certbot installation and components for LetsEncrypt. + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #letsencrypt: + # venv_path: "/home/{{ user_provision.username }}/certbot" + # venv_command: /usr/bin/python3 -m venv + # venv_install_username: "{{ user_provision.username }}" ############ Facts # ssl_facts diff --git a/install.sh b/install.sh index 5586a066b..508f53239 100755 --- a/install.sh +++ b/install.sh 
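Review bot: dropping the `/usr/bin/certbot` prefix means the tasks must now prepend the venv's certbot path, but the comments still only call these the "root of the command"; say explicitly that the binary path is prepended, so nobody overrides with a full `/usr/bin/certbot ...` command and gets it double-prefixed. Separately, `certbot_renew_command` keeps `certonly --agree-tos --force-renew` as the command a systemd timer runs: `--force-renew` re-issues the certificate on every firing whether or not it is near expiry, which is not what `autorenew` implies and eats Let's Encrypt's duplicate-certificate rate limit; `certbot renew` only renews certificates that are due and is the intended mechanism for a timer.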
@@ -134,11 +134,11 @@ echo "-------------------------------------------------" echo "Install Ansible and dependencies." echo "-------------------------------------------------" su - "$CONTROLLER_USER" -c "/usr/bin/python3 -m venv /home/$CONTROLLER_USER/ansible" -su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/python3 -m pip install --upgrade pip" -su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/pip install ansible netaddr python-debian" -su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/ansible-galaxy collection install ansible.posix --force" +su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/python3 -m pip install --upgrade pip" +su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install ansible netaddr python-debian" +su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-galaxy collection install ansible.posix --force" if [ "$AWS_SUPPORT" = "true" ]; then - su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/pip install boto3" + su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install boto3" fi echo "-------------------------------------------------" @@ -172,7 +172,7 @@ _domain_name: ${SERVER_HOSTNAME} _ce_provision_data_dir: /home/${CONTROLLER_USER}/ce-provision/data _ce_provision_username: ${CONTROLLER_USER} ce_provision: - venv_path: /home/${CONTROLLER_USER}/ansible + venv_path: /home/${CONTROLLER_USER}/ce-python venv_command: /usr/bin/python3 -m venv venv_install_username: ${CONTROLLER_USER} upgrade_timer_name: upgrade_ce_provision_ansible @@ -198,7 +198,7 @@ ce_provision: galaxy_custom_requirements_file: "" upgrade_galaxy: enabled: true - command: "/home/${CONTROLLER_USER}/ansible/bin/ansible-galaxy collection install --force" + command: "/home/${CONTROLLER_USER}/ce-python/bin/ansible-galaxy collection install --force" on_calendar: "Mon *-*-* 04:00:00" firewall_config: purge: true 
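Review bot: this hunk breaks the installer. The venv is still created at `/home/$CONTROLLER_USER/ansible` (the unchanged `python3 -m venv` line at the top of the hunk), but every call after it now uses `/home/$CONTROLLER_USER/ce-python/bin/...`, so `ce-python/bin/python3` does not exist on a fresh host and the script fails at the `pip install --upgrade pip` step (the `ansible-playbook` calls further down would fail the same way). Change the venv target to `/home/$CONTROLLER_USER/ce-python` to match the rendered `venv_path` and the new `_init` default.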
@@ -219,7 +219,7 @@ firewall_config: - "80" - "443" EOL -su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" +su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" echo "-------------------------------------------------" # Install GitLab @@ -330,7 +330,7 @@ EOT EOT echo "-------------------------------------------------" fi - su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ansible/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" + su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" echo "-------------------------------------------------" else echo "GitLab not requested. Skipping." diff --git a/roles/_init/README.md b/roles/_init/README.md index 2770a4ada..27d3629e3 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md @@ -10,10 +10,10 @@ This is meant to ALWAYS be included as the first task of a play. If you include ```yaml --- _ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" -_venv_path: "/home/{{ _ce_provision_username }}/ansible" +_venv_path: "/home/{{ _ce_provision_username }}/ce-python" _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" -_ce_ansible_timer_name: upgrade_ce_provision_ansible +_ce_ansible_timer_name: upgrade_ansible # AWS variables - if you are using an AWS account, you can preset certain variables # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index d267a49e7..8c2646bd8 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml 
@@ -1,9 +1,9 @@ --- _ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" -_venv_path: "/home/{{ _ce_provision_username }}/ansible" +_venv_path: "/home/{{ _ce_provision_username }}/ce-python" _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" -_ce_ansible_timer_name: upgrade_ce_provision_ansible +_ce_ansible_timer_name: upgrade_ansible # AWS variables - if you are using an AWS account, you can preset certain variables # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml index 2a7e3add7..4abe95653 100644 --- a/roles/_init/tasks/main.yml +++ b/roles/_init/tasks/main.yml @@ -137,7 +137,7 @@ install_username: "{{ _venv_install_username }}" upgrade: enabled: true - command: "/home/{{ _venv_install_username }}/ansible/bin/python3 -m pip install --upgrade ansible" + command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" on_calendar: "*-*-* 01:30:00" timer_name: "{{ _ce_ansible_timer_name }}" linters: diff --git a/roles/debian/ansible/README.md b/roles/debian/ansible/README.md index e86936b93..f9992379d 100644 --- a/roles/debian/ansible/README.md +++ b/roles/debian/ansible/README.md 
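Review bot: renaming `_ce_ansible_timer_name` from `upgrade_ce_provision_ansible` to `upgrade_ansible` leaves the previously created systemd timer and service behind on already-provisioned controllers (nothing in this patch disables or removes the old unit), so those hosts will run two nightly `pip install --upgrade ansible` jobs, the old one still pointing at the old `ansible` venv path; add a task that stops and removes the old unit, or keep the old name. The upgrade command in _init/tasks also remains unpinned, same concern as in install.sh.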
@@ -11,10 +11,10 @@ Note, it is vitally important that Ansible is *not* installed via `apt` or `pip` ```yaml --- ce_ansible: - # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: "/home/{{ ce_provision.username }}/ansible" #venv_command: /usr/bin/python3.11 -m venv - #install_username: deploy # user to become when creating venv + #venv_install_username: ansible # user to become when creating venv upgrade: enabled: true # create systemd timer to auto-upgrade Ansible command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too diff --git a/roles/debian/ansible/defaults/main.yml b/roles/debian/ansible/defaults/main.yml index b98ba3a49..e7256e5f8 100644 --- a/roles/debian/ansible/defaults/main.yml +++ b/roles/debian/ansible/defaults/main.yml @@ -1,9 +1,9 @@ --- ce_ansible: - # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: "/home/{{ ce_provision.username }}/ansible" #venv_command: /usr/bin/python3.11 -m venv - #install_username: deploy # user to become when creating venv + #venv_install_username: ansible # user to become when creating venv upgrade: enabled: true # create systemd timer to auto-upgrade Ansible command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index e94c9eaaf..39ccb984b 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml 
@@ -17,6 +17,25 @@ - pip3 failed_when: false # don't stop the build if there's no system pip +# Optionally set Python venv variables. +- name: Override Python venv path if provided. + ansible.builtin.set_fact: + _venv_path: "{{ ce_ansible.venv_path }}" + when: + - ce_ansible.venv_path is defined + +- name: Override Python venv command if provided. + ansible.builtin.set_fact: + _venv_command: "{{ ce_ansible.venv_command }}" + when: + - ce_ansible.venv_command is defined + +- name: Override Python user if provided. + ansible.builtin.set_fact: + _venv_install_username: "{{ ce_ansible.venv_install_username }}" + when: + - ce_ansible.venv_install_username is defined + - name: Set up Python packages. ansible.builtin.include_role: name: debian/python_common diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md index 5b670c7fd..856e548eb 100644 --- a/roles/debian/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md @@ -11,11 +11,12 @@ _ce_deploy: username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: - # Location of Ansible installation and components. - venv_path: "/home/{{ _ce_deploy.username }}/ansible" - venv_command: /usr/bin/python3 -m venv - install_username: "{{ _ce_deploy.username }}" - upgrade_timer_name: upgrade_ce_deploy_ansible + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: "/home/{{ _ce_deploy.username }}/ansible" + #venv_command: /usr/bin/python3 -m venv + #venv_install_username: "{{ _ce_deploy.username }}" + #upgrade_timer_name: upgrade_ce_deploy_ansible + # Other ce-deploy settings. aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user 
@@ -34,7 +35,7 @@ ce_deploy: galaxy_custom_requirements_file: "/home/{{ _ce_deploy.username }}/ce-deploy/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/home/{{ _ce_deploy.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_deploy.venv_path if overridden on_calendar: "Mon *-*-* 01:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index 878d94b07..d43bde3e6 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -3,11 +3,12 @@ _ce_deploy: username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: - # Location of Ansible installation and components. - venv_path: "/home/{{ _ce_deploy.username }}/ansible" - venv_command: /usr/bin/python3 -m venv - install_username: "{{ _ce_deploy.username }}" - upgrade_timer_name: upgrade_ce_deploy_ansible + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: "/home/{{ _ce_deploy.username }}/ansible" + #venv_command: /usr/bin/python3 -m venv + #venv_install_username: "{{ _ce_deploy.username }}" + #upgrade_timer_name: upgrade_ce_deploy_ansible + # Other ce-deploy settings. aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user 
@@ -26,5 +27,5 @@ ce_deploy: galaxy_custom_requirements_file: "/home/{{ _ce_deploy.username }}/ce-deploy/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/home/{{ _ce_deploy.username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_deploy.venv_path if overridden on_calendar: "Mon *-*-* 01:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index 9852e8744..d5bbb3761 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml @@ -126,14 +126,32 @@ owner: "{{ ce_deploy.username }}" recurse: true -# Install Python applications. -- name: Set up Python venv variables. +# Optionally set Python venv variables. +- name: Override Python venv path if provided. ansible.builtin.set_fact: _venv_path: "{{ ce_deploy.venv_path }}" + when: + - ce_deploy.venv_path is defined + +- name: Override Python venv command if provided. + ansible.builtin.set_fact: _venv_command: "{{ ce_deploy.venv_command }}" - _venv_install_username: "{{ ce_deploy.install_username }}" + when: + - ce_deploy.venv_command is defined + +- name: Override Python user if provided. + ansible.builtin.set_fact: + _venv_install_username: "{{ ce_deploy.venv_install_username }}" + when: + - ce_deploy.venv_install_username is defined + +- name: Override systemd timer name for Ansible if provided. + ansible.builtin.set_fact: _ce_ansible_timer_name: "{{ ce_deploy.upgrade_timer_name }}" + when: + - ce_deploy.upgrade_timer_name is defined +# Install Python applications. - name: Install Ansible. ansible.builtin.include_role: name: debian/ansible 
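Review bot: in roles/debian/ansible/tasks/main.yml and roles/debian/ce_deploy/tasks/main.yml the override blocks use `set_fact` to write `_venv_path`, `_venv_command` and `_venv_install_username` (and `_ce_ansible_timer_name`); these are host facts and persist for the rest of the play, so any later role on the same host that relies on the `_init` defaults (duplicity, the ssl letsencrypt venv, python_boto through its invoking role) silently inherits the `ce_ansible`/`ce_deploy` override instead of its own default. If the override is meant to be role-local, pass the values as `vars:` on the `include_role` of `debian/python_common` and `debian/ansible`, or restore the `_init` values after the install tasks.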
diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md index b6d2e52af..8611d76b4 100644 --- a/roles/debian/ce_provision/README.md +++ b/roles/debian/ce_provision/README.md @@ -10,11 +10,12 @@ Installs Code Enigma's infrastructure management stack on a server. Note, the `_ --- # See roles/_init/defaults/main.yml for Ansible installation, controller user creation and extra variables repo settings. ce_provision: - # Optional venv overrides - if commented out, values taken from _init defaults. + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: "/home/{{ _ce_provision_username }}/ansible" #venv_command: /usr/bin/python3 -m venv #venv_install_username: "{{ _ce_provision_username }}" #upgrade_timer_name: upgrade_ce_provision_ansible + # Other ce-provision settings. aws_support: true # installs boto3 new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user @@ -46,7 +47,7 @@ ce_provision: galaxy_custom_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/home/{{ _ce_provision_username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_provision.venv_path if overridden on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index 7c2add082..62c92b9e9 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml 
@@ -1,11 +1,12 @@ --- # See roles/_init/defaults/main.yml for Ansible installation, controller user creation and extra variables repo settings. ce_provision: - # Optional venv overrides - if commented out, values taken from _init defaults. + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. #venv_path: "/home/{{ _ce_provision_username }}/ansible" #venv_command: /usr/bin/python3 -m venv #venv_install_username: "{{ _ce_provision_username }}" #upgrade_timer_name: upgrade_ce_provision_ansible + # Other ce-provision settings. aws_support: true # installs boto3 new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user @@ -37,5 +38,5 @@ ce_provision: galaxy_custom_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "/home/{{ _ce_provision_username }}/ansible/bin/ansible-galaxy collection install --force" # must match venv_path + command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_provision.venv_path if overridden on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events diff --git a/roles/debian/duplicity/README.md b/roles/debian/duplicity/README.md index c9140007e..c23c86a82 100644 --- a/roles/debian/duplicity/README.md +++ b/roles/debian/duplicity/README.md 
@@ -9,10 +9,11 @@ Role to install and configure [the Duplicity backup engine](https://duplicity.us ```yaml --- duplicity: - # Location of Duplicity installation and components. - venv_path: "/home/{{ user_provision.username }}/duplicity" - venv_command: /usr/bin/python3 -m venv - install_username: "{{ user_provision.username }}" + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: "/home/{{ user_provision.username }}/duplicity" + #venv_command: /usr/bin/python3 -m venv + #venv_install_username: "{{ user_provision.username }}" + # Duplicity configuration backend: s3 # currently also support b2 for Backblaze access_key_id: "somekey" @@ -40,6 +41,8 @@ duplicity: # systemd timer settings create_timer: true # sometimes you might want to trigger duplicity some other way than a systemd timer on_calendar: "*-*-* 03:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + create_upgrade_timer: true + upgrade_on_calendar: "*-*-* 01:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/roles/debian/duplicity/defaults/main.yml b/roles/debian/duplicity/defaults/main.yml index 33cecfec2..bbdf1daf4 100644 --- a/roles/debian/duplicity/defaults/main.yml +++ b/roles/debian/duplicity/defaults/main.yml 
@@ -1,9 +1,10 @@ --- duplicity: - # Location of Duplicity installation and components. - venv_path: "/home/{{ user_provision.username }}/duplicity" - venv_command: /usr/bin/python3 -m venv - install_username: "{{ user_provision.username }}" + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: "/home/{{ user_provision.username }}/duplicity" + #venv_command: /usr/bin/python3 -m venv + #venv_install_username: "{{ user_provision.username }}" + # Duplicity configuration backend: s3 # currently also support b2 for Backblaze access_key_id: "somekey" @@ -31,3 +32,5 @@ duplicity: # systemd timer settings create_timer: true # sometimes you might want to trigger duplicity some other way than a systemd timer on_calendar: "*-*-* 03:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + create_upgrade_timer: true + upgrade_on_calendar: "*-*-* 01:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events diff --git a/roles/debian/duplicity/tasks/main.yml b/roles/debian/duplicity/tasks/main.yml index aeda4def7..2cab14487 100644 --- a/roles/debian/duplicity/tasks/main.yml +++ b/roles/debian/duplicity/tasks/main.yml 
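Review bot: `create_upgrade_timer: true` is introduced as the default in both roles/debian/duplicity/README.md and roles/debian/duplicity/defaults/main.yml, which means every host will run an unattended, unpinned `pip install --upgrade duplicity` against PyPI at `upgrade_on_calendar` (see the `timer_command` added to tasks/main.yml in this same patch). That turns the backup tool into a nightly supply-chain update that nobody reviews, on every server at once, and a bad release would break backups fleet-wide before anyone notices. Suggest defaulting `create_upgrade_timer` to `false`, or adding a pinned version variable that the upgrade command honours, and spelling out the trade-off in the comment next to `upgrade_on_calendar` the way the `create_timer` line already explains its option.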
@@ -16,13 +16,26 @@ - pip3 failed_when: false # don't stop the build if there's no system pip -# Install Python applications. -- name: Set up Python venv variables. +# Optionally set Python venv variables. +- name: Override Python venv path if provided. ansible.builtin.set_fact: _venv_path: "{{ duplicity.venv_path }}" + when: + - duplicity.venv_path is defined + +- name: Override Python venv command if provided. + ansible.builtin.set_fact: _venv_command: "{{ duplicity.venv_command }}" - _venv_install_username: "{{ duplicity.install_username }}" + when: + - duplicity.venv_command is defined + +- name: Override Python user if provided. + ansible.builtin.set_fact: + _venv_install_username: "{{ duplicity.venv_install_username }}" + when: + - duplicity.venv_install_username is defined +# Install Python applications. - name: Manage required pip packages. ansible.builtin.include_role: name: debian/python_pip_packages @@ -90,6 +103,16 @@ loop_control: loop_var: dir +- name: Create systemd timer to upgrade Duplicity. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + upgrade_duplicity: + timer_command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade duplicity" + timer_OnCalendar: "{{ duplicity.upgrade_on_calendar }}" + when: duplicity.create_upgrade_timer + # @TODO - cannot currently send failure notifications - see https://github.com/codeenigma/ce-provision/issues/1215 - name: Create systemd timer for Duplicity backup. ansible.builtin.include_role: diff --git a/roles/debian/python_boto/README.md b/roles/debian/python_boto/README.md index 0bc0b8d68..04cf9c85e 100644 --- a/roles/debian/python_boto/README.md +++ b/roles/debian/python_boto/README.md 
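Review bot: the new `Create systemd timer to upgrade Duplicity.` task runs `{{ _venv_path }}/bin/python3 -m pip install --upgrade duplicity` from a systemd timer, but the venv is created for `_venv_install_username` while this hunk does not tell contrib/systemd_timers which user the timer should run as. If the timer runs as a different user from the venv owner, pip will either fail on permissions or leave files in the venv owned by the wrong account, breaking later upgrades run by the owner. Suggest passing the venv owner through whichever user setting the contrib/systemd_timers role exposes, and pinning the package (for example `duplicity==<version>` via a role variable) instead of `--upgrade` to latest. The `@TODO` about missing failure notifications (issue 1215) applies equally to this new timer, so a failing upgrade would go unnoticed; worth mentioning in the same comment.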
@@ -8,11 +8,8 @@ Role to install the `boto3` library for Python integration with AWS services. ## Default variables ```yaml python_boto: + # See the invoking role for venv settings _venv_path, _venv_command and _venv_install_username. boto3_version: "" # version string, e.g. "1.22.13" - empty string means latest - # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: /path/to/venv - #venv_command: /usr/bin/python3.11 -m venv - #install_username: deploy # user to become when creating venv ``` diff --git a/roles/debian/python_boto/defaults/main.yml b/roles/debian/python_boto/defaults/main.yml index efcd654ea..90f4133f9 100644 --- a/roles/debian/python_boto/defaults/main.yml +++ b/roles/debian/python_boto/defaults/main.yml @@ -1,6 +1,3 @@ python_boto: + # See the invoking role for venv settings _venv_path, _venv_command and _venv_install_username. boto3_version: "" # version string, e.g. "1.22.13" - empty string means latest - # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: /path/to/venv - #venv_command: /usr/bin/python3.11 -m venv - #install_username: deploy # user to become when creating venv diff --git a/roles/debian/python_pip_packages/README.md b/roles/debian/python_pip_packages/README.md index 458157e0c..11c6512a0 100644 --- a/roles/debian/python_pip_packages/README.md +++ b/roles/debian/python_pip_packages/README.md 
@@ -9,14 +9,15 @@ Role to install a list of Python packages in a specified Python virtual environm ```yaml --- python_pip_packages: + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: /path/to/venv + #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv + packages: [] # - name: pip # state: latest - # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: /path/to/venv - #venv_command: /usr/bin/python3.11 -m venv - #install_username: deploy # user to become when creating venv ``` diff --git a/roles/debian/python_pip_packages/defaults/main.yml b/roles/debian/python_pip_packages/defaults/main.yml index d02af348e..67d6d0120 100644 --- a/roles/debian/python_pip_packages/defaults/main.yml +++ b/roles/debian/python_pip_packages/defaults/main.yml @@ -1,10 +1,10 @@ --- python_pip_packages: + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #venv_path: /path/to/venv + #venv_command: /usr/bin/python3.11 -m venv + #install_username: deploy # user to become when creating venv + packages: [] # - name: pip # state: latest - - # These are usually set within another role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: /path/to/venv - #venv_command: /usr/bin/python3.11 -m venv - #install_username: deploy # user to become when creating venv \ No newline at end of file diff --git a/roles/debian/ssl/README.md b/roles/debian/ssl/README.md index 102e90cc3..ecf91fc72 100644 --- a/roles/debian/ssl/README.md +++ b/roles/debian/ssl/README.md 
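Review bot: the relocated comment block in roles/debian/python_pip_packages/README.md and defaults/main.yml now says the values come from `_venv_install_username`, yet the override key shown is still `#install_username: deploy # user to become when creating venv`, whereas the ce_deploy, duplicity and ssl hunks in this same patch rename that key to `venv_install_username`. Either the python_pip_packages tasks still read `install_username`, in which case the comment should say so and the naming is inconsistent across roles, or they were updated too and the example key is stale. Suggest settling on `venv_install_username` everywhere and fixing the example. Separately, the defaults hunk still ends with `\ No newline at end of file`; add the trailing newline so YAML linters stop flagging the file.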
@@ -78,11 +78,11 @@ ssl: # For "letsencrypt" handling. email: admin@example.com - certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" # root of the command to register a new cert + certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" # root of the command to register a new cert http_01_port: 80 # you can set a non-standard port to listen on, but certbot still needs port 80 - see https://letsencrypt.org/docs/challenge-types/#http-01-challenge # For "letsencrypt" auto renewal autorenew: false # set to true to create a systemd timer to renew LE certs - certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # root of the command used in the systemd timer + certbot_renew_command: "certonly --agree-tos --force-renew" # root of the command used in the systemd timer # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events #on_calendar: "Mon *-*-* 04:00:00" web_server: standalone # values are standalone, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! @@ -97,6 +97,12 @@ ssl: # List of services to reload: reload: [] reload_command: restart # use 'reload' if you do not want to restart, but in most cases a full restart is required to load a new cert. + # Location of Certbot installation and components for LetsEncrypt. + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #letsencrypt: + # venv_path: "/home/{{ user_provision.username }}/certbot" + # venv_command: /usr/bin/python3 -m venv + # venv_install_username: "{{ user_provision.username }}" ############ Facts # ssl_facts diff --git a/roles/debian/ssl/defaults/main.yml b/roles/debian/ssl/defaults/main.yml index 67b8952fc..2c862cda9 100644 --- a/roles/debian/ssl/defaults/main.yml +++ b/roles/debian/ssl/defaults/main.yml 
@@ -29,11 +29,11 @@ ssl: # For "letsencrypt" handling. email: admin@example.com - certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" # root of the command to register a new cert + certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" # root of the command to register a new cert http_01_port: 80 # you can set a non-standard port to listen on, but certbot still needs port 80 - see https://letsencrypt.org/docs/challenge-types/#http-01-challenge # For "letsencrypt" auto renewal autorenew: false # set to true to create a systemd timer to renew LE certs - certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # root of the command used in the systemd timer + certbot_renew_command: "certonly --agree-tos --force-renew" # root of the command used in the systemd timer # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events #on_calendar: "Mon *-*-* 04:00:00" web_server: standalone # values are standalone, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! @@ -48,6 +48,12 @@ ssl: # List of services to reload: reload: [] reload_command: restart # use 'reload' if you do not want to restart, but in most cases a full restart is required to load a new cert. + # Location of Certbot installation and components for LetsEncrypt. + # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. + #letsencrypt: + # venv_path: "/home/{{ user_provision.username }}/certbot" + # venv_command: /usr/bin/python3 -m venv + # venv_install_username: "{{ user_provision.username }}" ############ Facts # ssl_facts diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml index 96d38a867..90e469949 100644 --- a/roles/debian/ssl/tasks/letsencrypt.yml +++ b/roles/debian/ssl/tasks/letsencrypt.yml 
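Review bot: dropping `/usr/bin/certbot` from `certbot_register_command` and `certbot_renew_command` in roles/debian/ssl/README.md and defaults/main.yml changes the contract of these variables: anything that previously overrode them with a full command, as the apache, nginx, ldap_server, mailpit and phpmyadmin examples did until they were rewritten in PATCH 147, will now be prefixed by `{{ _venv_path }}/bin/certbot` in tasks/letsencrypt.yml and the cron template, yielding `.../bin/certbot /usr/bin/certbot certonly ...`, which certbot will not parse. Suggest flagging this as a breaking change in the README and adding an `ansible.builtin.assert` that fails when either value starts with `/` or `certbot `. The new commented `#letsencrypt:` block also nests the venv overrides one level deeper (`ssl.letsencrypt.venv_path`) than ce_deploy and duplicity do (`<role>.venv_path`); a sentence explaining why the ssl role differs would save readers a round trip to the tasks.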
@@ -1,8 +1,50 @@ --- -- name: Ensure Certbot is installed. +- name: Ensure system Cerbot is not installed. ansible.builtin.apt: pkg: certbot - state: present + state: absent + +- name: Ensure Certbot is not installed globally with pip or pip3 on older versions of Debian. + ansible.builtin.pip: + name: + - certbot + state: absent + executable: "{{ item }}" + when: ansible_distribution_major_version | int < 12 + with_items: + - pip + - pip3 + failed_when: false # don't stop the build if there's no system pip + +# Optionally set Python venv variables. +- name: Override Python venv path if provided. + ansible.builtin.set_fact: + _venv_path: "{{ ssl.letsencrypt.venv_path }}" + when: + - ssl.letsencrypt.venv_path is defined + +- name: Override Python venv command if provided. + ansible.builtin.set_fact: + _venv_command: "{{ ssl.letsencrypt.venv_command }}" + when: + - ssl.letsencrypt.venv_command is defined + +- name: Override Python user if provided. + ansible.builtin.set_fact: + _venv_install_username: "{{ ssl.letsencrypt.venv_install_username }}" + when: + - ssl.letsencrypt.venv_install_username is defined + +# Install Python applications. +- name: Manage required pip packages. + ansible.builtin.include_role: + name: debian/python_pip_packages + vars: + python_pip_packages: + packages: + - name: pip + state: latest + - name: certbot - name: Set LetsEncrypt variables. ansible.builtin.set_fact: 
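Review bot: `- name: Ensure system Cerbot is not installed.` has a typo (`Cerbot`) in the task name. More substantively, this hunk removes the distribution `certbot` package with `state: absent`, removes any global pip install with `failed_when: false`, and then installs an unpinned `certbot` with `pip` at `state: latest` into the venv. Three points: `failed_when: false` masks every error from the pip removal, not only the "no system pip" case the comment describes, so a half-removed package would pass silently; consider registering the result and checking the error text instead. Removing the apt package also removes whatever renewal automation that package provided, so after this change renewal depends entirely on `ssl.autorenew` and the le_cron template in this role; the README should tell people upgrading existing hosts to set `autorenew: true` or lose automatic renewal. And the unpinned `certbot` means every provision run may pull a new release; pin a version or state the choice in a comment.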
@@ -53,7 +95,7 @@ when: not _letsencrypt_cert.stat.exists - name: Register certificate bypassing web server if needed. - ansible.builtin.command: "{{ ssl.certbot_register_command }} --cert-name {{ ssl_facts[_ssl_domains[0]].domain }} --http-01-port {{ ssl.http_01_port }} -m {{ ssl.email }} --{{ _ssl_web_server }}{{ _letsencrypt_domain_string }}" + ansible.builtin.command: "{{ _venv_path }}/bin/certbot {{ ssl.certbot_register_command }} --cert-name {{ ssl_facts[_ssl_domains[0]].domain }} --http-01-port {{ ssl.http_01_port }} -m {{ ssl.email }} --{{ _ssl_web_server }}{{ _letsencrypt_domain_string }}" when: - not _letsencrypt_cert.stat.exists diff --git a/roles/debian/ssl/templates/le_cron.sh.j2 b/roles/debian/ssl/templates/le_cron.sh.j2 index db30e98ff..71ba6355a 100644 --- a/roles/debian/ssl/templates/le_cron.sh.j2 +++ b/roles/debian/ssl/templates/le_cron.sh.j2 @@ -30,7 +30,7 @@ for site in ${SITES[@]}; do done # run certbot and capture the output -certbot_output=$( {{ ssl.certbot_renew_command }} --{{ _ssl_web_server }} --http-01-port {{ ssl.http_01_port }} --expand$SITESSTRING 2>&1 ) +certbot_output=$( {{ _venv_path }}/bin/certbot {{ ssl.certbot_renew_command }} --{{ _ssl_web_server }} --http-01-port {{ ssl.http_01_port }} --expand$SITESSTRING 2>&1 ) # Capture exit code of Certbot command certbot_exit_code=$? From 9428d42599aa1c3a62c28f84a2f1fb6c8ef236e6 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 29 May 2024 16:40:26 +0200 Subject: [PATCH 146/331] Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. --- docs/install.md | 4 ++-- install.sh | 26 ++++++++++++++++++++------ install/README.md | 4 ++-- 3 files changed, 24 insertions(+), 10 deletions(-) diff --git a/docs/install.md b/docs/install.md index ad89a940b..0d0dc0f99 100644 --- a/docs/install.md +++ b/docs/install.md 
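Review bot: both the `Register certificate bypassing web server if needed.` command in roles/debian/ssl/tasks/letsencrypt.yml and roles/debian/ssl/templates/le_cron.sh.j2 now build the certbot path from `{{ _venv_path }}`, a host-scoped fact that the ce_deploy, duplicity and ssl roles in this patch each overwrite with `set_fact` when their own `venv_path` is given and never reset. Two consequences follow from the visible tasks: if `ssl.letsencrypt.venv_path` is not set, certbot is installed into whichever venv the previous role left in `_venv_path` (for example the duplicity or Ansible venv) rather than a dedicated one, mixing unrelated package sets; and if it is set, every later role in the same play that does not override `venv_path` inherits the certbot venv, contradicting the "usually set in the _init role" comment. Suggest resolving the path into a role-local fact (for example `_certbot_path`) right after the pip install and using that in the command and the template, and having each role restore `_venv_path` to the `_init` value, or simply not share the fact across roles.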
@@ -18,9 +18,9 @@ sudo ./install.sh -h # for usage information # Default installation (ce-provision only) sudo ./install.sh # Installation with GitLab CE using a self-signed SSL certificate -sudo ./install.sh --gitlab https://gitlab.example.com +sudo ./install.sh --gitlab gitlab.example.com # Installation with GitLab CE using a LetsEncrypt SSL certificate (requires DNS to be set up in advance) -sudo ./install.sh --letsencrypt --gitlab https://gitlab.example.com +sudo ./install.sh --letsencrypt --gitlab gitlab.example.com ``` ## Install with ce-provision diff --git a/install.sh b/install.sh index 508f53239..c47d96562 100755 --- a/install.sh +++ b/install.sh @@ -15,7 +15,7 @@ usage(){ echo '--user: Ansible controller user (default: controller)' echo '--config: Git URL to your ce-provision Ansible config repository (default: https://github.com/codeenigma/ce-provision-config-example.git)' echo '--config-branch: branch of your Ansible config repository to use (default: 1.x)' - echo '--gitlab: install GitLab CE on this server (default: no, set to desired GitLab URL to install)' + echo '--gitlab: install GitLab CE on this server (default: no, set to desired GitLab address to install, e.g. gitlab.example.com)' echo '--letsencrypt: try to create an SSL certificate with LetsEncrypt (requires DNS pointing at this server for provided GitLab URL)' echo '--aws: enable AWS support' echo '' 
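Review bot: in the install.sh usage hunk the `--gitlab` help text is reworded to take an address (`e.g. gitlab.example.com`), but the unchanged next line still says `--letsencrypt` `(requires DNS pointing at this server for provided GitLab URL)`; update it to say hostname so the two options agree. Since the value is now a bare hostname, the script should also reject an `https://` prefix or trailing path instead of silently building a bad URL later; the old examples in docs/install.md and install/README.md show exactly the form users will keep typing. Those two files are byte-identical here (same index `ad89a940b..0d0dc0f99`), so if one is generated from the other that is fine, otherwise consider making one a symlink so they cannot drift.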
@@ -133,7 +133,7 @@ echo "-------------------------------------------------" # Install Ansible in a Python virtual environment. echo "Install Ansible and dependencies." echo "-------------------------------------------------" -su - "$CONTROLLER_USER" -c "/usr/bin/python3 -m venv /home/$CONTROLLER_USER/ansible" +su - "$CONTROLLER_USER" -c "/usr/bin/python3 -m venv /home/$CONTROLLER_USER/ce-python" su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/python3 -m pip install --upgrade pip" su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install ansible netaddr python-debian" su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-galaxy collection install ansible.posix --force" @@ -151,7 +151,7 @@ else echo "ce-provision directory at /home/$CONTROLLER_USER/ce-provision already exists. Skipping." echo "-------------------------------------------------" fi -# Create playbook. +# Create playbook for ce-provision. /usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL --- - hosts: "localhost" @@ -162,9 +162,6 @@ fi - name: Install ce-provision. ansible.builtin.import_role: name: debian/ce_provision - - name: Install iptables firewall. - ansible.builtin.import_role: - name: debian/firewall_config EOL # Create vars file. /usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/vars.yml" << EOL 
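Review bot: the venv path change from `/home/$CONTROLLER_USER/ansible` to `/home/$CONTROLLER_USER/ce-python` fixes a genuine mismatch, because the following `su` lines already call `/home/$CONTROLLER_USER/ce-python/bin/...` and would have failed against a venv created at `ansible`. Two follow-ups on the same hunk: `pip install ansible netaddr python-debian` is unpinned, so a fresh controller gets whatever PyPI serves that day; pin at least `ansible` (or accept a version flag) so installs are reproducible. And with `debian/firewall_config` removed from the provision playbook, the firewall is applied only by the second playbook added later in this patch; if the ce-provision play aborts part-way the host is left exposed with no firewall, so consider running the firewall play first.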
@@ -220,6 +217,23 @@ firewall_config: - "443" EOL su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" +rm "/home/$CONTROLLER_USER/ce-provision/provision.yml" +# Create playbook for firewall. +echo "-------------------------------------------------" +echo "Install firewall." +echo "-------------------------------------------------" +/usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL +--- +- hosts: "localhost" + become: true + vars_files: + - vars.yml + tasks: + - name: Install iptables firewall. + ansible.builtin.import_role: + name: debian/firewall_config +EOL +su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" echo "-------------------------------------------------" # Install GitLab diff --git a/install/README.md b/install/README.md index ad89a940b..0d0dc0f99 100644 --- a/install/README.md +++ b/install/README.md @@ -18,9 +18,9 @@ sudo ./install.sh -h # for usage information # Default installation (ce-provision only) sudo ./install.sh # Installation with GitLab CE using a self-signed SSL certificate -sudo ./install.sh --gitlab https://gitlab.example.com +sudo ./install.sh --gitlab gitlab.example.com # Installation with GitLab CE using a LetsEncrypt SSL certificate (requires DNS to be set up in advance) -sudo ./install.sh --letsencrypt --gitlab https://gitlab.example.com +sudo ./install.sh --letsencrypt --gitlab gitlab.example.com ``` ## Install with ce-provision From 548a6488660de4992459e97c0c319f6099c63ed8 Mon Sep 17 00:00:00 2001 
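Review bot: the new firewall block writes a second playbook to the same path `/home/$CONTROLLER_USER/ce-provision/provision.yml` after `rm`-ing the first, and this second copy is not removed afterwards, so the file left on disk after installation describes only the firewall step, which will confuse anyone inspecting the controller later. Suggest writing to a distinct name (for example `firewall.yml`) and either removing both or keeping both for reference. Note also that both heredocs are written with `cat >` while the script runs as root, so the playbooks and `vars.yml` end up root-owned inside the controller user's home; the `su - "$CONTROLLER_USER"` runs only need read access so this works, but a `chown` to `$CONTROLLER_USER` would keep the directory consistently owned.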
From: Greg Harvey Date: Fri, 31 May 2024 10:52:20 +0200 Subject: [PATCH 147/331] Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. --- docs/roles/debian/apache.md | 4 ++-- docs/roles/debian/ldap_server.md | 4 ++-- docs/roles/debian/mailpit.md | 4 ++-- docs/roles/debian/nginx.md | 4 ++-- docs/roles/debian/phpmyadmin.md | 4 ++-- docs/roles/debian/ssl.md | 13 ++++++++++--- roles/debian/apache/README.md | 4 ++-- roles/debian/apache/defaults/main.yml | 4 ++-- roles/debian/ldap_server/README.md | 4 ++-- roles/debian/ldap_server/defaults/main.yml | 4 ++-- roles/debian/mailpit/README.md | 4 ++-- roles/debian/mailpit/defaults/main.yml | 4 ++-- roles/debian/nginx/README.md | 4 ++-- roles/debian/nginx/defaults/main.yml | 4 ++-- roles/debian/phpmyadmin/README.md | 4 ++-- roles/debian/ssl/README.md | 13 ++++++++++--- roles/debian/ssl/tasks/letsencrypt.yml | 12 +++++++----- 17 files changed, 55 insertions(+), 39 deletions(-) diff --git a/docs/roles/debian/apache.md b/docs/roles/debian/apache.md index 3902bfdab..d1da36405 100644 --- a/docs/roles/debian/apache.md +++ b/docs/roles/debian/apache.md @@ -62,8 +62,8 @@ apache: # services: # - apache2 # web_server: standalone - # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + # certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + # certbot_renew_command: "certonly --agree-tos --force-renew" # reload_command: restart # reload: # - apache2 diff --git a/docs/roles/debian/ldap_server.md b/docs/roles/debian/ldap_server.md index 62421b9be..d3a234d4e 100644 
--- a/docs/roles/debian/ldap_server.md +++ b/docs/roles/debian/ldap_server.md @@ -105,8 +105,8 @@ ldap_server: # email: sysadm@codeenigma.com # services: [] # web_server: standalone - # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + # certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + # certbot_renew_command: "certonly --agree-tos --force-renew" # reload_command: restart # reload: # - slapd diff --git a/docs/roles/debian/mailpit.md b/docs/roles/debian/mailpit.md index 5431d0cf2..2cd4b5157 100644 --- a/docs/roles/debian/mailpit.md +++ b/docs/roles/debian/mailpit.md @@ -51,8 +51,8 @@ mailpit: #services: # - nginx #web_server: standalone - #certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - #certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + #certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + #certbot_renew_command: "certonly --agree-tos --force-renew" #reload_command: restart #reload: # - mailpit diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 3b63015da..2f7eade5d 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md @@ -91,8 +91,8 @@ nginx: # email: sysadm@codeenigma.com # services: [] # web_server: standalone - # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + # certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + # certbot_renew_command: "certonly --agree-tos --force-renew" # reload_command: restart # reload: # - nginx diff --git a/docs/roles/debian/phpmyadmin.md b/docs/roles/debian/phpmyadmin.md index 7eeb9bcca..54f24414d 100644 --- a/docs/roles/debian/phpmyadmin.md 
+++ b/docs/roles/debian/phpmyadmin.md @@ -21,8 +21,8 @@ nginx: email: sysadm@codeenigma.com services: [] web_server: standalone - certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + certbot_renew_command: "certonly --agree-tos --force-renew" reload_command: reload reload: - nginx diff --git a/docs/roles/debian/ssl.md b/docs/roles/debian/ssl.md index ecf91fc72..d9743ca77 100644 --- a/docs/roles/debian/ssl.md +++ b/docs/roles/debian/ssl.md 
@@ -36,11 +36,18 @@ nginx: autorenew: true email: administrator@example.com services: [] - certbot_register_command: "/usr/bin/certbot certonly --standalone --agree-tos --preferred-challenges http -n" - certbot_renew_command: "/usr/bin/certbot certonly --standalone --agree-tos --force-renew" + web_server: standalone + certbot_register_command: "certonly --standalone --agree-tos --preferred-challenges http -n" + certbot_renew_command: "certonly --standalone --agree-tos --force-renew" + reload_command: reload + reload: + - nginx + renewal_minute: "0" # minute to run renewal cron job + renewal_hour: "0" # hour to run renewal cron job + renewal_weekday: "0" # day of week to run renewal ``` -You need to include *all* variables required by the `letsencrypt` SSL handler because defaults will not load from the `ssl` role in this context. +As in the example above, you need to include *all* variables required by the `letsencrypt` SSL handler because defaults will not load from the `ssl` role in this context. If you are using Nginx or Apache you can set the `ssl.web_server` for each domain to either `nginx` or `apache` to have the necessary plugin installed for `certbot` to do automatic handling of LetsEncrypt requests. Be aware, it does this by temporarily altering your web server config and reloading - use this option at your own risk. This is *not* intended to be used with but *instead of* `ssl.http_01_port`. diff --git a/roles/debian/apache/README.md b/roles/debian/apache/README.md index 3902bfdab..d1da36405 100644 --- a/roles/debian/apache/README.md +++ b/roles/debian/apache/README.md 
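Review bot: the expanded nginx example in docs/roles/debian/ssl.md adds `renewal_minute`, `renewal_hour` and `renewal_weekday` with comments about a "renewal cron job", but the ssl role defaults earlier in this series (roles/debian/ssl/defaults/main.yml) drive renewal through `autorenew` and a systemd `on_calendar` expression, and this commit's own message says "Fixing LDAP SSL to use systemd timer". Unless the role still reads the `renewal_*` keys, the example documents variables that are ignored and omits `on_calendar`, right next to the sentence that now insists "you need to include *all* variables required by the `letsencrypt` SSL handler". Suggest replacing the three `renewal_*` lines with `on_calendar` (or confirming both paths are supported in the role). The identical change lands in roles/debian/ssl/README.md in this same patch (same index `ecf91fc72..d9743ca77`), so fix it in the README that the docs are rebuilt from.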
@@ -62,8 +62,8 @@ apache: # services: # - apache2 # web_server: standalone - # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + # certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + # certbot_renew_command: "certonly --agree-tos --force-renew" # reload_command: restart # reload: # - apache2 diff --git a/roles/debian/apache/defaults/main.yml b/roles/debian/apache/defaults/main.yml index b6705c0e4..c76ddc0b0 100644 --- a/roles/debian/apache/defaults/main.yml +++ b/roles/debian/apache/defaults/main.yml @@ -52,8 +52,8 @@ apache: # services: # - apache2 # web_server: standalone - # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + # certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + # certbot_renew_command: "certonly --agree-tos --force-renew" # reload_command: restart # reload: # - apache2 diff --git a/roles/debian/ldap_server/README.md b/roles/debian/ldap_server/README.md index 62421b9be..d3a234d4e 100644 --- a/roles/debian/ldap_server/README.md +++ b/roles/debian/ldap_server/README.md @@ -105,8 +105,8 @@ ldap_server: # email: sysadm@codeenigma.com # services: [] # web_server: standalone - # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + # certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + # certbot_renew_command: "certonly --agree-tos --force-renew" # reload_command: restart # reload: # - slapd diff --git a/roles/debian/ldap_server/defaults/main.yml b/roles/debian/ldap_server/defaults/main.yml index 6924e7741..93956ffc5 100644 --- a/roles/debian/ldap_server/defaults/main.yml 
+++ b/roles/debian/ldap_server/defaults/main.yml @@ -39,8 +39,8 @@ ldap_server: # email: sysadm@codeenigma.com # services: [] # web_server: standalone - # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + # certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + # certbot_renew_command: "certonly --agree-tos --force-renew" # reload_command: restart # reload: # - slapd diff --git a/roles/debian/mailpit/README.md b/roles/debian/mailpit/README.md index 5431d0cf2..2cd4b5157 100644 --- a/roles/debian/mailpit/README.md +++ b/roles/debian/mailpit/README.md @@ -51,8 +51,8 @@ mailpit: #services: # - nginx #web_server: standalone - #certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - #certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + #certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + #certbot_renew_command: "certonly --agree-tos --force-renew" #reload_command: restart #reload: # - mailpit diff --git a/roles/debian/mailpit/defaults/main.yml b/roles/debian/mailpit/defaults/main.yml index 5a0666593..a883589f8 100644 --- a/roles/debian/mailpit/defaults/main.yml +++ b/roles/debian/mailpit/defaults/main.yml @@ -34,8 +34,8 @@ mailpit: #services: # - nginx #web_server: standalone - #certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - #certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + #certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + #certbot_renew_command: "certonly --agree-tos --force-renew" #reload_command: restart #reload: # - mailpit diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 3b63015da..2f7eade5d 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md 
@@ -91,8 +91,8 @@ nginx: # email: sysadm@codeenigma.com # services: [] # web_server: standalone - # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + # certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + # certbot_renew_command: "certonly --agree-tos --force-renew" # reload_command: restart # reload: # - nginx diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index 5f6e7c7fe..5f66e981f 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml @@ -79,8 +79,8 @@ nginx: # email: sysadm@codeenigma.com # services: [] # web_server: standalone - # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + # certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + # certbot_renew_command: "certonly --agree-tos --force-renew" # reload_command: restart # reload: # - nginx diff --git a/roles/debian/phpmyadmin/README.md b/roles/debian/phpmyadmin/README.md index 7eeb9bcca..54f24414d 100644 --- a/roles/debian/phpmyadmin/README.md +++ b/roles/debian/phpmyadmin/README.md @@ -21,8 +21,8 @@ nginx: email: sysadm@codeenigma.com services: [] web_server: standalone - certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" - certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" + certbot_register_command: "certonly --agree-tos --preferred-challenges http -n" + certbot_renew_command: "certonly --agree-tos --force-renew" reload_command: reload reload: - nginx diff --git a/roles/debian/ssl/README.md b/roles/debian/ssl/README.md index ecf91fc72..d9743ca77 100644 --- a/roles/debian/ssl/README.md +++ b/roles/debian/ssl/README.md 
@@ -36,11 +36,18 @@ nginx: autorenew: true email: administrator@example.com services: [] - certbot_register_command: "/usr/bin/certbot certonly --standalone --agree-tos --preferred-challenges http -n" - certbot_renew_command: "/usr/bin/certbot certonly --standalone --agree-tos --force-renew" + web_server: standalone + certbot_register_command: "certonly --standalone --agree-tos --preferred-challenges http -n" + certbot_renew_command: "certonly --standalone --agree-tos --force-renew" + reload_command: reload + reload: + - nginx + renewal_minute: "0" # minute to run renewal cron job + renewal_hour: "0" # hour to run renewal cron job + renewal_weekday: "0" # day of week to run renewal ``` -You need to include *all* variables required by the `letsencrypt` SSL handler because defaults will not load from the `ssl` role in this context. +As in the example above, you need to include *all* variables required by the `letsencrypt` SSL handler because defaults will not load from the `ssl` role in this context. If you are using Nginx or Apache you can set the `ssl.web_server` for each domain to either `nginx` or `apache` to have the necessary plugin installed for `certbot` to do automatic handling of LetsEncrypt requests. Be aware, it does this by temporarily altering your web server config and reloading - use this option at your own risk. This is *not* intended to be used with but *instead of* `ssl.http_01_port`. diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml index 90e469949..8d3f26634 100644 --- a/roles/debian/ssl/tasks/letsencrypt.yml +++ b/roles/debian/ssl/tasks/letsencrypt.yml 
@@ -53,11 +53,13 @@ # @todo - add support for Route 53 DNS plugin - name: "Ensure certbot-{{ _ssl_web_server }} plugin is installed." - ansible.builtin.apt: - pkg: "python3-certbot-{{ _ssl_web_server }}" - state: present - when: - - _ssl_web_server != 'standalone' + ansible.builtin.include_role: + name: debian/python_pip_packages + vars: + python_pip_packages: + packages: + - name: "certbot-{{ _ssl_web_server }}" + when: _ssl_web_server != "standalone" # there is no certbot-standalone package in PyPi - name: Define SSL base path. ansible.builtin.set_fact: From f70996e33e2c0d3fbd0540fe80120437a83c24c8 Mon Sep 17 00:00:00 2001 
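Review bot: dropping the `/usr/bin/certbot` prefix from `certbot_register_command` and `certbot_renew_command` in the `roles/debian/ssl/README.md` hunk leaves the reader without any statement of which `certbot` executable the role now prepends (the apt one or a pip/venv one), and the README prose already warns that defaults do not load "in this context". Add one sentence after the example saying that the role supplies the binary path and that these values are only the argument string, otherwise an operator copying the older full-path form will end up with the path duplicated in the generated command.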
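Review bot: the `letsencrypt.yml` hunk swaps the apt package `python3-certbot-{{ _ssl_web_server }}` for a pip install of `certbot-{{ _ssl_web_server }}` with no version constraint, so every run resolves the newest release on PyPI and the plugin is no longer covered by the distribution's security updates. Pin the plugin version in the `python_pip_packages` list if that role accepts one, and make sure it installs into the same interpreter that provides the `certbot` binary the timers call, because certbot only discovers plugins in its own site-packages; a plugin in a different environment makes `--nginx` or `--apache` fail at renewal time with the apt version silently missing. The trailing comment on the `when` line is also the only place the `standalone` exception is explained; a short comment above the task would be easier to find.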
From: Greg Harvey Date: Fri, 31 May 2024 11:04:53 +0200 Subject: [PATCH 148/331] Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. --- docs/roles/debian/phpmyadmin.md | 4 +--- docs/roles/debian/ssl.md | 6 ++---- roles/debian/phpmyadmin/README.md | 4 +--- roles/debian/ssl/README.md | 6 ++---- roles/debian/ssl/defaults/main.yml | 2 +- 5 files changed, 7 insertions(+), 15 deletions(-) diff --git a/docs/roles/debian/phpmyadmin.md b/docs/roles/debian/phpmyadmin.md index 54f24414d..4f83dd3ce 100644 --- a/docs/roles/debian/phpmyadmin.md +++ b/docs/roles/debian/phpmyadmin.md @@ -26,9 +26,7 @@ nginx: reload_command: reload reload: - nginx - renewal_minute: "0" # minute to run renewal cron job - renewal_hour: "0" # hour to run renewal cron job - renewal_weekday: "0" # day of week to run renewal + on_calendar: "Mon *-*-* 04:00:00" ratelimitingcrawlers: true is_default: false servers: diff --git a/docs/roles/debian/ssl.md b/docs/roles/debian/ssl.md index d9743ca77..2ead29797 100644 --- a/docs/roles/debian/ssl.md +++ b/docs/roles/debian/ssl.md @@ -42,9 +42,7 @@ nginx: reload_command: reload reload: - nginx - renewal_minute: "0" # minute to run renewal cron job - renewal_hour: "0" # hour to run renewal cron job - renewal_weekday: "0" # day of week to run renewal + on_calendar: "Mon *-*-* 04:00:00" ``` As in the example above, you need to include *all* variables required by the `letsencrypt` SSL handler because defaults will not load from the `ssl` role in this context. 
@@ -91,7 +89,7 @@ ssl: autorenew: false # set to true to create a systemd timer to renew LE certs certbot_renew_command: "certonly --agree-tos --force-renew" # root of the command used in the systemd timer # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events - #on_calendar: "Mon *-*-* 04:00:00" + on_calendar: "Mon *-*-* 04:00:00" web_server: standalone # values are standalone, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! # For "letsencrypt" handling, a list of service to stop while creating the certificate. diff --git a/roles/debian/phpmyadmin/README.md b/roles/debian/phpmyadmin/README.md index 54f24414d..4f83dd3ce 100644 --- a/roles/debian/phpmyadmin/README.md +++ b/roles/debian/phpmyadmin/README.md @@ -26,9 +26,7 @@ nginx: reload_command: reload reload: - nginx - renewal_minute: "0" # minute to run renewal cron job - renewal_hour: "0" # hour to run renewal cron job - renewal_weekday: "0" # day of week to run renewal + on_calendar: "Mon *-*-* 04:00:00" ratelimitingcrawlers: true is_default: false servers: diff --git a/roles/debian/ssl/README.md b/roles/debian/ssl/README.md index d9743ca77..2ead29797 100644 --- a/roles/debian/ssl/README.md +++ b/roles/debian/ssl/README.md @@ -42,9 +42,7 @@ nginx: reload_command: reload reload: - nginx - renewal_minute: "0" # minute to run renewal cron job - renewal_hour: "0" # hour to run renewal cron job - renewal_weekday: "0" # day of week to run renewal + on_calendar: "Mon *-*-* 04:00:00" ``` As in the example above, you need to include *all* variables required by the `letsencrypt` SSL handler because defaults will not load from the `ssl` role in this context. 
@@ -91,7 +89,7 @@ ssl: autorenew: false # set to true to create a systemd timer to renew LE certs certbot_renew_command: "certonly --agree-tos --force-renew" # root of the command used in the systemd timer # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events - #on_calendar: "Mon *-*-* 04:00:00" + on_calendar: "Mon *-*-* 04:00:00" web_server: standalone # values are standalone, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! # For "letsencrypt" handling, a list of service to stop while creating the certificate. diff --git a/roles/debian/ssl/defaults/main.yml b/roles/debian/ssl/defaults/main.yml index 2c862cda9..f1191de89 100644 --- a/roles/debian/ssl/defaults/main.yml +++ b/roles/debian/ssl/defaults/main.yml @@ -35,7 +35,7 @@ ssl: autorenew: false # set to true to create a systemd timer to renew LE certs certbot_renew_command: "certonly --agree-tos --force-renew" # root of the command used in the systemd timer # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events - #on_calendar: "Mon *-*-* 04:00:00" + on_calendar: "Mon *-*-* 04:00:00" web_server: standalone # values are standalone, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! # For "letsencrypt" handling, a list of service to stop while creating the certificate. From ef3b85ce7d8af71c1e6bf477c203fe81bfe86446 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Fri, 31 May 2024 12:14:02 +0200 Subject: [PATCH 149/331] Fixing-ACM-SAN-behaviour (#1739) --- roles/aws/aws_acm/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/aws/aws_acm/tasks/main.yml b/roles/aws/aws_acm/tasks/main.yml index 30e49ea9d..2464c5550 100644 --- a/roles/aws/aws_acm/tasks/main.yml +++ b/roles/aws/aws_acm/tasks/main.yml 
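Review bot: in the `roles/debian/ssl/defaults/main.yml` hunk, activating `on_calendar: "Mon *-*-* 04:00:00"` as a default while the context line keeps `certbot_renew_command: "certonly --agree-tos --force-renew"` means the timer now forces a brand new certificate every week regardless of expiry. That consumes the Let's Encrypt duplicate-certificate rate limit (five per registered domain per week) for hosts with several domains, and the docs hunks in `docs/roles/debian/ssl.md` and `roles/debian/phpmyadmin/README.md` replace the cron keys with the same weekly value without noting this. Consider a default command of `renew` (which only acts when the certificate is within the renewal window) and keep `--force-renew` as an opt-in, or at least document why a forced weekly renewal is intended.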
@@ -23,6 +23,7 @@ aws_acm_certificate_arn: "" _aws_acm_domain_in_cert_list: false _aws_acm_extra_domains_in_cert_list: true + aws_acm_certificate: {} - name: Iterate through the certificate list checking for domain. ansible.builtin.set_fact: From a732b1cc55d3db77d38cc4e14d4f3a39519fa774 Mon Sep 17 00:00:00 2001 
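Review bot: initialising `aws_acm_certificate: {}` in this `set_fact` only makes the variable defined; any later condition that dereferences `aws_acm_certificate.SubjectAlternativeNameSummaries` still fails on an empty dict when no certificate matched the domain, so this does not by itself fix the SAN check it is meant to support. Either seed the dict with the keys those conditions read, or guard the dereference in the consuming task's `when` list.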
From: Greg Harvey Date: Mon, 3 Jun 2024 19:12:11 +0200 Subject: [PATCH 150/331] Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. --- docs/roles/aws/aws_ami.md | 1 + docs/roles/debian/ce_deploy.md | 4 +++- docs/roles/debian/ce_provision.md | 4 +++- roles/aws/aws_ami/README.md | 1 + roles/aws/aws_ami/defaults/main.yml | 1 + roles/aws/aws_ami/templates/packer.json.j2 | 17 +++++++++-------- roles/debian/ce_deploy/README.md | 4 +++- roles/debian/ce_deploy/defaults/main.yml | 4 +++- roles/debian/ce_deploy/tasks/main.yml | 5 +++-- roles/debian/ce_provision/README.md | 4 +++- roles/debian/ce_provision/defaults/main.yml | 4 +++- roles/debian/ce_provision/tasks/main.yml | 3 ++- 12 files changed, 35 insertions(+), 17 deletions(-) diff --git a/docs/roles/aws/aws_ami.md b/docs/roles/aws/aws_ami.md index f4f3bd2be..acc2f10e4 100644 --- a/docs/roles/aws/aws_ami.md +++ b/docs/roles/aws/aws_ami.md @@ -29,6 +29,7 @@ aws_ami: ami_name: "example" owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" + public_key_name: id_ecdsa.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated encrypt_boot: false # EBS volume options device_name: /dev/xvda # default for Debian AMIs diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md index 856e548eb..d3c939fd2 100644 --- a/docs/roles/debian/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md 
@@ -20,7 +20,9 @@ ce_deploy: # Other ce-deploy settings. aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user - key_name: id_rsa.pub # existing users may have a key of a different name + ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ecdsa # set to rsa to create an RSA key + public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name username: "{{ _ce_deploy.username }}" own_repository: "https://github.com/codeenigma/ce-deploy.git" own_repository_branch: "master" diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md index 8611d76b4..e3816975d 100644 --- a/docs/roles/debian/ce_provision.md +++ b/docs/roles/debian/ce_provision.md @@ -21,7 +21,9 @@ ce_provision: new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user username: "{{ _ce_provision_username }}" # see _init defaults #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user - public_key_name: id_rsa.pub # existing users may have a key of a different name + ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ecdsa # set to rsa to create an RSA key + public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name # Main repo. own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "master" diff --git a/roles/aws/aws_ami/README.md b/roles/aws/aws_ami/README.md index f4f3bd2be..acc2f10e4 100644 --- a/roles/aws/aws_ami/README.md +++ b/roles/aws/aws_ami/README.md 
@@ -29,6 +29,7 @@ aws_ami: ami_name: "example" owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" + public_key_name: id_ecdsa.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated encrypt_boot: false # EBS volume options device_name: /dev/xvda # default for Debian AMIs diff --git a/roles/aws/aws_ami/defaults/main.yml b/roles/aws/aws_ami/defaults/main.yml index 4b9bcbf1c..c828adaec 100644 --- a/roles/aws/aws_ami/defaults/main.yml +++ b/roles/aws/aws_ami/defaults/main.yml @@ -9,6 +9,7 @@ aws_ami: ami_name: "example" owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" + public_key_name: id_ecdsa.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated encrypt_boot: false # EBS volume options device_name: /dev/xvda # default for Debian AMIs diff --git a/roles/aws/aws_ami/templates/packer.json.j2 b/roles/aws/aws_ami/templates/packer.json.j2 index 5efd118b6..d2abad8af 100755 --- a/roles/aws/aws_ami/templates/packer.json.j2 +++ b/roles/aws/aws_ami/templates/packer.json.j2 
@@ -52,27 +52,28 @@ "type": "ansible", "playbook_file": "{{ aws_ami.playbook_file }}", "inventory_directory": "{{ _ce_provision_base_dir }}/hosts", - "ssh_authorized_key_file": "/home/{{ user_provision.username }}/.ssh/id_rsa.pub", + "ssh_authorized_key_file": "/home/{{ user_provision.username }}/.ssh/{{ aws_ami.public_key_name }}", {% if aws_ami.groups is defined and aws_ami.groups | length %} "groups": {{ aws_ami.groups | to_json }}, {% endif %} "ansible_env_vars": [ - "ANSIBLE_FORCE_COLOR=True", - "ALLOW_WORLD_READABLE_TMPFILES=True", + "ANSIBLE_FORCE_COLOR=True", + "ALLOW_WORLD_READABLE_TMPFILES=True", "ANSIBLE_CONFIG={{ _ce_provision_base_dir }}/ansible.cfg" ], "extra_arguments": - [ + [ + "--scp-extra-args", "'-O'", {% if ansible_verbosity >= 1 %} "-vvvv", {% endif %} {% if _aws_ami_extra_vars is defined and _aws_ami_extra_vars | length %} - "--extra-vars", + "--extra-vars", "{{ _aws_ami_extra_vars }}", {% endif %} - "--extra-vars", - "{ _ce_provision_base_dir: {{ _ce_provision_base_dir }}, _ce_provision_build_dir: {{ _ce_provision_build_dir }}, _ce_provision_build_tmp_dir: {{ _ce_provision_build_tmp_dir }}, _ce_provision_data_dir: {{ _ce_provision_data_dir }}, _ce_provision_build_id: {{ _ce_provision_build_id }}, _ce_provision_force_play: true }" - ] + "--extra-vars", + "{ _ce_provision_base_dir: {{ _ce_provision_base_dir }}, _ce_provision_build_dir: {{ _ce_provision_build_dir }}, _ce_provision_build_tmp_dir: {{ _ce_provision_build_tmp_dir }}, _ce_provision_data_dir: {{ _ce_provision_data_dir }}, _ce_provision_build_id: {{ _ce_provision_build_id }}, _ce_provision_force_play: true }" + ] }] } diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md index 856e548eb..d3c939fd2 100644 --- a/roles/debian/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md 
@@ -20,7 +20,9 @@ ce_deploy: # Other ce-deploy settings. aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user - key_name: id_rsa.pub # existing users may have a key of a different name + ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ecdsa # set to rsa to create an RSA key + public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name username: "{{ _ce_deploy.username }}" own_repository: "https://github.com/codeenigma/ce-deploy.git" own_repository_branch: "master" diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index d43bde3e6..dfccea372 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -12,7 +12,9 @@ ce_deploy: # Other ce-deploy settings. aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user - key_name: id_rsa.pub # existing users may have a key of a different name + ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ecdsa # set to rsa to create an RSA key + public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name username: "{{ _ce_deploy.username }}" own_repository: "https://github.com/codeenigma/ce-deploy.git" own_repository_branch: "master" diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index d5bbb3761..447cd99c1 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml 
@@ -16,7 +16,8 @@ generate_ssh_key: true home: "/home/{{ ce_deploy.username }}" password: "*" - ssh_key_bits: 4096 + ssh_key_bits: "{{ ce_deploy.ssh_key_bits }}" + ssh_key_type: "{{ ce_deploy.ssh_key_type }}" ssh_key_comment: "{{ ce_deploy.username }}@{{ ansible_host }}" system: true groups: "{{ ce_deploy.groups }}" @@ -35,7 +36,7 @@ - name: Place the public key in the ce-provision data directory on the controller server. ansible.builtin.fetch: dest: "{{ _ce_provision_data_dir }}" - src: "/home/{{ ce_deploy.username }}/.ssh/{{ ce_deploy.key_name }}" + src: "/home/{{ ce_deploy.username }}/.ssh/{{ ce_deploy.public_key_name }}" - name: Ensure Git is installed. ansible.builtin.apt: diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md index 8611d76b4..e3816975d 100644 --- a/roles/debian/ce_provision/README.md +++ b/roles/debian/ce_provision/README.md @@ -21,7 +21,9 @@ ce_provision: new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user username: "{{ _ce_provision_username }}" # see _init defaults #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user - public_key_name: id_rsa.pub # existing users may have a key of a different name + ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ecdsa # set to rsa to create an RSA key + public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name # Main repo. own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "master" diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index 62c92b9e9..863be9952 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml 
@@ -12,7 +12,9 @@ ce_provision: new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user username: "{{ _ce_provision_username }}" # see _init defaults #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user - public_key_name: id_rsa.pub # existing users may have a key of a different name + ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ecdsa # set to rsa to create an RSA key + public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name # Main repo. own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "master" diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index d19b458cc..7a531051d 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml @@ -30,7 +30,8 @@ generate_ssh_key: true home: "/home/{{ ce_provision.username }}" password: "*" - ssh_key_bits: 4096 + ssh_key_bits: "{{ ce_provision.ssh_key_bits }}" + ssh_key_type: "{{ ce_provision.ssh_key_type }}" ssh_key_comment: "{{ ce_provision.username }}@{{ ansible_host }}" system: true groups: "{{ ce_provision.groups }}" From 09d4d1cd5b89d45d34db5ddeb66c44e82d813dd0 Mon Sep 17 00:00:00 2001 
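Review bot: the `aws_ami` README and defaults hunks add the comment `from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated`, which is not accurate: what OpenSSH disabled by default is the SHA-1 based `ssh-rsa` signature scheme, and RSA keys continue to work with the `rsa-sha2-256` and `rsa-sha2-512` signatures that modern clients negotiate automatically. Reword it to say that the `ssh-rsa` signature algorithm is disabled by default on recent OpenSSH and that the role now generates ECDSA keys to avoid clients that cannot negotiate the SHA-2 variants, so that operators with valid RSA keys are not led to rotate them unnecessarily.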
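Review bot: in the `ce_deploy` and `ce_provision` defaults hunks, `ssh_key_bits: "521"` and `ssh_key_type: ecdsa` are two independent settings that must change together; the comment `set to rsa to create an RSA key` invites an operator to flip the type alone, and `ssh-keygen` refuses a 521-bit RSA key, so the `ansible.builtin.user` task in `tasks/main.yml` that now passes both values through would fail mid-play. Either derive the bit size from the type in the task, or state in the comment that `ssh_key_bits` must be set to 4096 when `ssh_key_type` is `rsa`. Also note in the docs that `ssh_key_bits` only applies to the provisioning user when `new_user` is true and the key is generated by this role.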
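Review bot: the `packer.json.j2` hunk adds `"--scp-extra-args", "'-O'"` without a comment; `-O` makes `scp` fall back to the legacy SCP protocol that OpenSSH 9.0 replaced with SFTP because of that protocol's poor security track record, so this is a deliberate downgrade that deserves an inline explanation (the commit message's "legacy mode needed by Packer") and a note on when it can be removed. The same hunk also re-indents the `ansible_env_vars` and `extra_arguments` lines with no content change, which makes the one functional line hard to spot in review; keep whitespace-only edits in a separate commit.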
From: Greg Harvey Date: Tue, 4 Jun 2024 13:43:55 +0200 Subject: [PATCH 151/331] Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. --- roles/aws/aws_acm/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/aws/aws_acm/tasks/main.yml b/roles/aws/aws_acm/tasks/main.yml index 2464c5550..94932ace8 100644 --- a/roles/aws/aws_acm/tasks/main.yml +++ b/roles/aws/aws_acm/tasks/main.yml @@ -76,6 +76,7 @@ _aws_acm_extra_domains_in_cert_list: false with_items: "{{ _acm_san_domains }}" when: + - aws_acm_certificate | length > 0 - _acm_san_domains is defined - item not in aws_acm_certificate.SubjectAlternativeNameSummaries - aws_acm.extra_domains | length > 0 From c16f342fbf84d672f6b3908f8f96d2b17a489a7b Mon Sep 17 00:00:00 2001 
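Review bot: adding `aws_acm_certificate | length > 0` as the first entry of the `when` list does stop the `item not in aws_acm_certificate.SubjectAlternativeNameSummaries` lookup from failing on the empty dict (Ansible evaluates the list in order and short-circuits), but it changes the result in the no-certificate case: the task that sets `_aws_acm_extra_domains_in_cert_list: false` is now skipped entirely, so the fact keeps its initial value of `true` from the earlier `set_fact` and the role concludes that every extra domain is already covered by a certificate that does not exist. Either initialise that fact to `false` and only set it `true` on a positive match, or make the skip explicit by also setting the fact in an `else`-style task.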
From: Greg Harvey Date: Tue, 4 Jun 2024 14:21:12 +0200 Subject: [PATCH 152/331] Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. --- roles/aws/aws_acm/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_acm/tasks/main.yml b/roles/aws/aws_acm/tasks/main.yml index 94932ace8..7b717b257 100644 --- a/roles/aws/aws_acm/tasks/main.yml +++ b/roles/aws/aws_acm/tasks/main.yml @@ -23,7 +23,8 @@ aws_acm_certificate_arn: "" _aws_acm_domain_in_cert_list: false _aws_acm_extra_domains_in_cert_list: true - aws_acm_certificate: {} + aws_acm_certificate: + SubjectAlternativeNameSummaries: [] - name: Iterate through the certificate list checking for domain. ansible.builtin.set_fact: @@ -76,7 +77,6 @@ _aws_acm_extra_domains_in_cert_list: false with_items: "{{ _acm_san_domains }}" when: - - aws_acm_certificate | length > 0 - _acm_san_domains is defined - item not in aws_acm_certificate.SubjectAlternativeNameSummaries - aws_acm.extra_domains | length > 0 From 1c6bbc47883730a1d5e1b452482d5e2f6849456d Mon Sep 17 00:00:00 2001 
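Review bot: seeding `aws_acm_certificate` with `SubjectAlternativeNameSummaries: []` lets the SAN check run when no certificate exists, but it also means the fact is never an empty dict any more: the `aws_acm_certificate | length > 0` test that the second hunk removes would now evaluate true even with no certificate, so any other task in the role that uses the dict's length (or `| default({})`) as a "certificate found" test needs re-checking. The `aws_acm_certificate_arn: ""` initialised at the top of the first hunk is the cleaner signal; test `aws_acm_certificate_arn | length > 0` for "found" and keep the placeholder dict purely for the SAN comparison. It is also worth a one-line comment that with an empty placeholder every configured extra domain is "not in" the list, so `_aws_acm_extra_domains_in_cert_list` flips from its `true` default to `false` on the first iteration; that is the right outcome for a missing certificate, but it is the only code path that produces it and is easy to break when editing the task.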
From: Greg Harvey Date: Wed, 5 Jun 2024 14:46:54 +0200 Subject: [PATCH 153/331] Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. --- docs/roles/debian/rkhunter.md | 1 - roles/aws/aws_rds/tasks/main.yml | 2 +- roles/debian/rkhunter/README.md | 1 - roles/debian/rkhunter/defaults/main.yml | 1 - 4 files changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/roles/debian/rkhunter.md b/docs/roles/debian/rkhunter.md index 8609a6315..e91854742 100644 --- a/docs/roles/debian/rkhunter.md +++ b/docs/roles/debian/rkhunter.md @@ -25,7 +25,6 @@ rkhunter: scriptwhitelist: - /bin/egrep - /bin/fgrep - - /bin/which - /usr/bin/ldd # - /usr/bin/lwp-request - /usr/sbin/adduser diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml index bf4720f5e..7b39674b2 100644 --- a/roles/aws/aws_rds/tasks/main.yml +++ b/roles/aws/aws_rds/tasks/main.yml @@ -10,7 +10,7 @@ register: _aws_rds_rds_subnet_group - name: Create RDS parameter group - amazon.aws.rds_param_group: + amazon.aws.rds_instance_param_group: state: present name: "{{ aws_rds.db_parameter_group_name }}" profile: "{{ aws_rds.aws_profile }}" diff --git a/roles/debian/rkhunter/README.md b/roles/debian/rkhunter/README.md index 8609a6315..e91854742 100644 --- a/roles/debian/rkhunter/README.md 
+++ b/roles/debian/rkhunter/README.md @@ -25,7 +25,6 @@ rkhunter: scriptwhitelist: - /bin/egrep - /bin/fgrep - - /bin/which - /usr/bin/ldd # - /usr/bin/lwp-request - /usr/sbin/adduser diff --git a/roles/debian/rkhunter/defaults/main.yml b/roles/debian/rkhunter/defaults/main.yml index 9afbdd084..a6a958cb6 100644 --- a/roles/debian/rkhunter/defaults/main.yml +++ b/roles/debian/rkhunter/defaults/main.yml @@ -16,7 +16,6 @@ rkhunter: scriptwhitelist: - /bin/egrep - /bin/fgrep - - /bin/which - /usr/bin/ldd # - /usr/bin/lwp-request - /usr/sbin/adduser From b212b0fbcf08bd5148cf83b5823e80c0ee2b13f9 Mon Sep 17 00:00:00 2001 
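Review bot: dropping `/bin/which` from `scriptwhitelist` loses the whitelist entry instead of moving it: on Debian 11 `which` is a shell script shipped by debianutils, which is exactly the kind of file rkhunter's "replaced by a script" check warns about, so it still needs to be whitelisted at the path the release actually installs it to (`/usr/bin/which`) or the check will start flagging it. Replace the entry rather than deleting it. Since the same list has to be edited in lockstep in `docs/roles/debian/rkhunter.md`, `roles/debian/rkhunter/README.md` and `roles/debian/rkhunter/defaults/main.yml`, consider generating the two markdown copies from the defaults file so they cannot drift.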
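Review bot: the switch from `amazon.aws.rds_param_group` to `amazon.aws.rds_instance_param_group` in `roles/aws/aws_rds/tasks/main.yml` ties the role to a release of the `amazon.aws` collection that ships the renamed module, but nothing in this patch pins or documents that minimum version; a controller with an older collection installed fails at this task with an unresolved module error. Add the minimum `amazon.aws` version to the collection requirements and mention it in the role docs, and check whether any other `rds_*` module used by the role was renamed in the same collection release, since only this one call site is touched.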
From: Greg Harvey Date: Wed, 5 Jun 2024 15:53:32 +0200 Subject: [PATCH 154/331] Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. --- docs/roles/debian/rkhunter.md | 1 + roles/debian/ce_provision/tasks/main.yml | 3 ++- roles/debian/rkhunter/README.md | 1 + roles/debian/rkhunter/defaults/main.yml | 1 + 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/roles/debian/rkhunter.md b/docs/roles/debian/rkhunter.md index e91854742..cb452f702 100644 --- a/docs/roles/debian/rkhunter.md +++ b/docs/roles/debian/rkhunter.md @@ -30,6 +30,7 @@ rkhunter: - /usr/sbin/adduser # - /usr/sbin/prelink - /usr/sbin/unhide.rb + - /usr/bin/which allowhiddendir: - /etc/.java - /tmp/.ce-deploy # see https://github.com/codeenigma/ce-deploy/blob/1.x/roles/database_backup/database_backup-mysql/defaults/main.yml#L7 diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index 7a531051d..d81941702 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml 
@@ -202,7 +202,7 @@ name: debian/python_boto when: ce_provision.aws_support -- name: Ensure dnspython, certifi and pyopenssl are installed. +- name: Ensure dnspython, certifi, pyopenssl and passlib are installed. ansible.builtin.include_role: name: debian/python_pip_packages vars: @@ -211,6 +211,7 @@ - name: dnspython - name: certifi - name: pyopenssl + - name: passlib - name: Add Python virtual environment to $PATH. ansible.builtin.copy: diff --git a/roles/debian/rkhunter/README.md b/roles/debian/rkhunter/README.md index e91854742..cb452f702 100644 --- a/roles/debian/rkhunter/README.md +++ b/roles/debian/rkhunter/README.md @@ -30,6 +30,7 @@ rkhunter: - /usr/sbin/adduser # - /usr/sbin/prelink - /usr/sbin/unhide.rb + - /usr/bin/which allowhiddendir: - /etc/.java - /tmp/.ce-deploy # see https://github.com/codeenigma/ce-deploy/blob/1.x/roles/database_backup/database_backup-mysql/defaults/main.yml#L7 diff --git a/roles/debian/rkhunter/defaults/main.yml b/roles/debian/rkhunter/defaults/main.yml index a6a958cb6..30e20d59a 100644 --- a/roles/debian/rkhunter/defaults/main.yml +++ b/roles/debian/rkhunter/defaults/main.yml @@ -21,6 +21,7 @@ rkhunter: - /usr/sbin/adduser # - /usr/sbin/prelink - /usr/sbin/unhide.rb + - /usr/bin/which allowhiddendir: - /etc/.java - /tmp/.ce-deploy # see https://github.com/codeenigma/ce-deploy/blob/1.x/roles/database_backup/database_backup-mysql/defaults/main.yml#L7 From bb1d5cdac305b1d8f0b620517bde1336dda09ba3 Mon Sep 17 00:00:00 2001 
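Review bot: `passlib` is added to the `python_pip_packages` list in `roles/debian/ce_provision/tasks/main.yml` and the task name is updated to match, but no documentation is updated to say why the controller now needs it. If the ce_provision docs list the libraries the role installs, add `passlib` there with the reason (Ansible's `password_hash` filter uses passlib when it is present on the controller); otherwise a future reader cannot tell whether the dependency is still required.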
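Review bot: `/usr/bin/which` is appended after `/usr/sbin/unhide.rb` in all three copies of `scriptwhitelist`, which breaks the path ordering the rest of the list follows (`/bin/*`, then `/usr/bin/*`, then `/usr/sbin/*`); place it next to `/usr/bin/ldd`. More substantively, together with the previous commit this moves the entry from `/bin/which` to `/usr/bin/which`, so the role now assumes every target is Debian 11 or later; if older hosts are still provisioned by this role, make the entry conditional on `ansible_distribution_major_version` rather than hard-coding a single location.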
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Fri, 7 Jun 2024 11:12:28 +0200 Subject: [PATCH 155/331] Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_acl/README.md | 98 ++++++++++++++++--- roles/aws/aws_acl/defaults/main.yml | 89 ++++++++++++++--- .../aws_acl/tasks/amazon_ip_reputation.yml | 32 ++++++ roles/aws/aws_acl/tasks/anonymous_ip_list.yml | 35 +++++++ roles/aws/aws_acl/tasks/bot_control.yml | 16 +-- roles/aws/aws_acl/tasks/cc_rules.yml | 30 ++++++ roles/aws/aws_acl/tasks/common_rule_set.yml | 28 ++++++ roles/aws/aws_acl/tasks/create_acl.yml | 98 +++++++++++-------- roles/aws/aws_acl/tasks/cyber_sec.yml | 96 +++++++++--------- roles/aws/aws_acl/tasks/ip_sets.yml | 25 +++-- roles/aws/aws_acl/tasks/known_bad_inputs.yml | 28 ++++++ roles/aws/aws_acl/tasks/php_rule_set.yml | 28 ++++++ roles/aws/aws_acl/tasks/regular_rule.yml | 36 ++++--- .../aws_acl/tasks/regular_rule_statements.yml | 19 ++++ roles/aws/aws_acl/tasks/set_priority_dict.yml | 8 ++ roles/aws/aws_acl/templates/rate_limit.j2 | 2 +- roles/aws/aws_elb/tasks/main.yml | 2 +- roles/aws/aws_iam_role/tasks/main.yml | 2 +- roles/aws/aws_rds/tasks/main.yml | 2 +- roles/debian/wazuh/defaults/main.yml | 22 ++--- 20 files changed, 536 insertions(+), 160 deletions(-) create mode 100644 roles/aws/aws_acl/tasks/amazon_ip_reputation.yml create mode 100644 roles/aws/aws_acl/tasks/anonymous_ip_list.yml create mode 100644 roles/aws/aws_acl/tasks/cc_rules.yml create mode 100644 roles/aws/aws_acl/tasks/common_rule_set.yml create mode 100644 roles/aws/aws_acl/tasks/known_bad_inputs.yml create mode 100644 roles/aws/aws_acl/tasks/php_rule_set.yml create mode 100644 roles/aws/aws_acl/tasks/regular_rule_statements.yml create mode 100644 roles/aws/aws_acl/tasks/set_priority_dict.yml 
diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index a318bad7b..86ccbd839 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -5,7 +5,7 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa -## Default variables +## Default variables for creation of ACL (pass it as a list) ```yaml --- aws_acl: 
@@ -15,33 +15,101 @@ aws_acl: region: "us-east-1" tags: {} rules: - rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) - + rate_limit: + value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + priority: 2 ip_sets: - - name: "Allowed-ips-example" + - name: "Allowed-ips" action: allow - list: [] + priority: 1 + list: [] # If the list is empty, ip set won't be recreated #- 1.1.1.1/32 # list of ip ranges #- 2.2.2.2/32 #- 3.3.3.3/32 - - name: "Blocked-ips-example" + - name: "Blocked-ips" action: block - list: [] + priority: 0 + list: [] # If the list is empty, ip set won't be recreated #- 4.4.4.4/32 # list of ip ranges #- 5.5.5.5/32 #- 6.6.6.6/32 - - cc_block_list: [] - + country_codes: + - name: "allowed-countries" + action: allow + priority: 7 + list: + - GB + - HR + - name: "blocked-countries" + action: block + priority: 8 + list: + - RU + - CN regular_rules: - name: allow_panels action: allow - string: "panels/ajax" - position: "CONTAINS" - -# cyber_sec: #Need to implement task + statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + priority: 4 + statements: + - inspect: "UriPath" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "panels/ajax" + text_trans: "NONE" + - name: block_bots + action: block + statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + priority: 5 + statements: + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "spider" + text_trans: "LOWERCASE" + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "bot" + text_trans: "LOWERCASE" + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" 
+ string: "crawl" + text_trans: "LOWERCASE" + # AWS Managed rules + bot_control: + target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + priority: 3 + cyber_sec: + enabled: true # Need to subscribe first in AWS + rule_list: [] + priority: 6 + amazon_ip_reputation: + enabled: true + rule_list: [] + priority: 9 + common_rule_set: + enabled: true + rule_list: [] + priority: 10 + php_rule_set: + enabled: true + rule_list: [] + priority: 11 + known_bad_inputs: + enabled: true + rule_list: [] + priority: 12 + anonymous_ip_list: + enabled: true + rule_list: [] + priority: 13 +``` +## Default variables for assigning ACL to CF or ALB +```yaml +--- +aws_acl: + name: example_master_acl # Name of the ACL to apply + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: "us-east-1" ``` diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index 7808982f8..786e5baf0 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml 
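Review bot: the new README heading says "Default variables for creation of ACL (pass it as a list)" but the example immediately below defines `aws_acl:` as a single mapping, and the second block "for assigning ACL to CF or ALB" reuses the same `aws_acl` key with a different shape (no `rules`), so a reader cannot tell whether the role expects a list of ACL definitions, one mapping, or one variable with two schemas; document the real structure, including the `_acl` loop variable the tasks use, with one consistent example. The managed-rules section also disagrees with `defaults/main.yml`: the README shows `enabled: true` for `cyber_sec`, `amazon_ip_reputation`, `common_rule_set`, `php_rule_set`, `known_bad_inputs` and `anonymous_ip_list` and omits `enabled` for `bot_control` altogether, while the defaults set all of them to `false` and give `bot_control` an `enabled: false`; the two should mirror each other. Minor: "Aslo" and "addign" in the inline comments, and the `# Aslo supported: "SingleHeader"` comment is repeated on statements that already use `SingleHeader`, where it should name the other supported value (`UriPath`).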
@@ -6,29 +6,90 @@ aws_acl: region: "us-east-1" tags: {} rules: - rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) - + rate_limit: + value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + priority: 2 ip_sets: - - name: "Allowed-ips-example" + - name: "Allowed-ips" action: allow - list: [] + priority: 1 + list: [] # If the list is empty, ip set won't be recreated #- 1.1.1.1/32 # list of ip ranges #- 2.2.2.2/32 #- 3.3.3.3/32 - - name: "Blocked-ips-example" + - name: "Blocked-ips" action: block - list: [] + priority: 0 + list: [] # If the list is empty, ip set won't be recreated #- 4.4.4.4/32 # list of ip ranges #- 5.5.5.5/32 #- 6.6.6.6/32 - - cc_block_list: [] - + country_codes: + - name: "allowed-countries" + action: allow + priority: 7 + list: + - GB + - HR + - name: "blocked-countries" + action: block + priority: 8 + list: + - RU + - CN regular_rules: - name: allow_panels action: allow - string: "panels/ajax" - position: "CONTAINS" - -# cyber_sec: #Need to implement task + statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + priority: 4 + statements: + - inspect: "UriPath" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "panels/ajax" + text_trans: "NONE" + - name: block_bots + action: block + statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + priority: 5 + statements: + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "spider" + text_trans: "LOWERCASE" + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "bot" + text_trans: "LOWERCASE" + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + 
string: "crawl" + text_trans: "LOWERCASE" + # Managed rules list + bot_control: + enabled: false + target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + priority: 3 + cyber_sec: + enabled: false # Need to subscribe first in AWS + rule_list: [] + priority: 6 + amazon_ip_reputation: + enabled: false + rule_list: [] + priority: 9 + common_rule_set: + enabled: false + rule_list: [] + priority: 10 + php_rule_set: + enabled: false + rule_list: [] + priority: 11 + known_bad_inputs: + enabled: false + rule_list: [] + priority: 12 + anonymous_ip_list: + enabled: false + rule_list: [] + priority: 13 diff --git a/roles/aws/aws_acl/tasks/amazon_ip_reputation.yml b/roles/aws/aws_acl/tasks/amazon_ip_reputation.yml new file mode 100644 index 000000000..a37559047 --- /dev/null +++ b/roles/aws/aws_acl/tasks/amazon_ip_reputation.yml @@ -0,0 +1,32 @@ +--- +- name: Create amazon ip reputation rule + ansible.builtin.set_fact: + amazon_ip_reputation: + name: "AWS-AWSManagedRulesAmazonIpReputationList" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "AWS-AWSManagedRulesAmazonIpReputationList" + statement: + managed_rule_group_statement: + vendor_name: "AWS" + name: "AWSManagedRulesAmazonIpReputationList" + rule_action_overrides: + - name: "AWSManagedIPDDoSList" + action_to_use: + challenge: {} + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.amazon_ip_reputation.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + amazon_ip_reputation: "{{ amazon_ip_reputation | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [amazon_ip_reputation] }}" diff --git a/roles/aws/aws_acl/tasks/anonymous_ip_list.yml b/roles/aws/aws_acl/tasks/anonymous_ip_list.yml new file mode 100644 index 000000000..7bd073202 --- /dev/null 
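Review bot: the default rule ordering in `defaults/main.yml` lets `allow` rules short-circuit the managed rule groups: in AWS WAF `allow` is a terminating action, so the `Allowed-ips` set at priority 1, `allow_panels` at priority 4 (any request whose URI path contains `panels/ajax`) and `allowed-countries` (GB, HR) at priority 7 all return before `common_rule_set` (10), `php_rule_set` (11), `known_bad_inputs` (12) or `anonymous_ip_list` (13) ever inspect the request, which means every request from a GB or HR address bypasses the OWASP-style inspection entirely. Unless that is the intended trust model, give the managed rule groups (whose rules block or count rather than allow) the lowest priority numbers, move the geo and IP allow-lists after them, and say so in a comment, because priorities are now user-supplied and nothing validates that they are unique (WAF requires distinct priorities within a web ACL) or sensibly ordered. Separately, every managed rule entry exposes `rule_list: []`, but none of the new task files (`amazon_ip_reputation.yml`, `common_rule_set.yml`, `php_rule_set.yml`, `known_bad_inputs.yml`, `anonymous_ip_list.yml`) reads it; either wire it into `rule_action_overrides` or drop the key so users do not populate a setting that has no effect.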
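Review bot: in `amazon_ip_reputation.yml` (and the sibling files that follow the same template) the rule is stored in an unprefixed fact, `amazon_ip_reputation`, that persists as a host fact for the rest of the play and collides with the config key of the same name under `_acl.rules`, while the rest of the role uses `_rules` and `_priority_dict`; prefix these facts (`_amazon_ip_reputation_rule` or similar) to match. The override of `AWSManagedIPDDoSList` to `challenge: {}` is a deliberate relaxation of a rule whose default action is block, so it deserves a comment saying why (for example, a CloudFront scope where the challenge action is acceptable), otherwise the next maintainer will assume it is a mistake.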
+++ b/roles/aws/aws_acl/tasks/anonymous_ip_list.yml @@ -0,0 +1,35 @@ +--- +- name: Create anonymous ip list rule + ansible.builtin.set_fact: + anonymous_ip_list: + name: "AWS-AWSManagedRulesAnonymousIpList" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "AWS-AWSManagedRulesAnonymousIpList" + statement: + managed_rule_group_statement: + vendor_name: "AWS" + name: "AWSManagedRulesAnonymousIpList" + rule_action_overrides: + - name: "AnonymousIPList" + action_to_use: + challenge: {} + - name: "HostingProviderIPList" + action_to_use: + captcha: {} + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.anonymous_ip_list.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + anonymous_ip_list: "{{ anonymous_ip_list | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [anonymous_ip_list] }}" diff --git a/roles/aws/aws_acl/tasks/bot_control.yml b/roles/aws/aws_acl/tasks/bot_control.yml index 5e8cdb730..4e8044175 100644 --- a/roles/aws/aws_acl/tasks/bot_control.yml +++ b/roles/aws/aws_acl/tasks/bot_control.yml @@ -71,7 +71,7 @@ inspection_level: "COMMON" - name: Define targeted actions rules - when: _acl.rules.botControl == "TARGETED" + when: _acl.rules.botControl.target == "TARGETED" block: - name: Define targeted actions ansible.builtin.set_fact: @@ -111,7 +111,7 @@ - name: Define Bot Control rule. ansible.builtin.set_fact: - bot_control: + bot_control_rule: name: bot_control override_action: none: {} 
@@ -126,13 +126,15 @@ managed_rule_group_configs: "{{ _rule_config }}" rule_action_overrides: "{{ _action_rules }}" +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ bot_control.priority }}" + - name: Append priority to rule. ansible.builtin.set_fact: - bot_control: "{{ bot_control | combine(_priority_dict) }}" + bot_control_rule: "{{ bot_control_rule | combine(_priority_dict) }}" - name: Add rule to list. ansible.builtin.set_fact: - _rules: "{{ _rules + [bot_control] }}" - -- name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml + _rules: "{{ _rules + [bot_control_rule] }}" diff --git a/roles/aws/aws_acl/tasks/cc_rules.yml b/roles/aws/aws_acl/tasks/cc_rules.yml new file mode 100644 index 000000000..b90d8af1c --- /dev/null +++ b/roles/aws/aws_acl/tasks/cc_rules.yml @@ -0,0 +1,30 @@ +--- +- name: Set action string + ansible.builtin.set_fact: + _action: "{ {{ _cc_set.action }}: {} }" + +- name: Create country block rule + ansible.builtin.set_fact: + cc_rule: + name: "{{ _cc_set.name }}" + action: "{{ _action | from_yaml }}" + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "{{ _cc_set.name }}" + statement: + geo_match_statement: + country_codes: "{{ _cc_set.list }}" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _cc_set.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + cc_rule: "{{ cc_rule | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [cc_rule] }}" diff --git a/roles/aws/aws_acl/tasks/common_rule_set.yml b/roles/aws/aws_acl/tasks/common_rule_set.yml new file mode 100644 index 000000000..463c27de6 --- /dev/null +++ b/roles/aws/aws_acl/tasks/common_rule_set.yml 
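Review bot: the `bot_control.yml` hunks use three names for the same setting and two of them are undefined: the `TARGETED` check reads `_acl.rules.botControl.target`, `create_acl.yml` in this same patch gates the include on `_acl.rules.botControl.enabled`, but `defaults/main.yml` and the README define the key as `rules.bot_control` (with `enabled`, `target`, `priority`), so with the shipped defaults the include is never reached, and if a user does supply `botControl` the new `_priority: "{{ bot_control.priority }}"` then fails because `bot_control` is no variable at all once the rule fact is renamed to `bot_control_rule`. Use `_acl.rules.bot_control` consistently in the `create_acl.yml` condition, in the `TARGETED` check and in the priority lookup.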
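Review bot: in `cc_rules.yml` the action is built by rendering `_action: "{ {{ _cc_set.action }}: {} }"` and parsing it with `from_yaml`, so any `action` value other than a valid WAF action is passed through to the API unvalidated, and a value containing YAML syntax becomes structure rather than a string; `ip_sets.yml` uses the same pattern. Since the action names are a closed set, build the mapping directly with a Jinja2 dict literal, `action: "{{ {_cc_set.action: {}} }}"`, and add an `ansible.builtin.assert` at the top of the file that `_cc_set.action in ['allow', 'block', 'count']` (and likewise for `_ip_set.action`). The task name "Create country block rule" is also now used for allow rules; rename it to match the file.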
@@ -0,0 +1,28 @@ +--- +- name: Create common rule set rule + ansible.builtin.set_fact: + common_rule_set: + name: "AWS-AWSManagedRulesCommonRuleSet" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "AWS-AWSManagedRulesCommonRuleSet" + statement: + managed_rule_group_statement: + vendor_name: "AWS" + name: "AWSManagedRulesCommonRuleSet" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.common_rule_set.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + common_rule_set: "{{ common_rule_set | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [common_rule_set] }}" diff --git a/roles/aws/aws_acl/tasks/create_acl.yml b/roles/aws/aws_acl/tasks/create_acl.yml index 404bcc805..5a48ca9de 100644 --- a/roles/aws/aws_acl/tasks/create_acl.yml +++ b/roles/aws/aws_acl/tasks/create_acl.yml @@ -3,14 +3,10 @@ ansible.builtin.set_fact: _rules: [] -- name: Set priority counter +- name: Set priority dict set_fact: - _priority: 0 _priority_dict: {} -- name: Increase priority and set dict for 1st rule. - ansible.builtin.include_tasks: increase_priority.yml - - name: Create IP set rules. ansible.builtin.include_tasks: ip_sets.yml when: 
@@ -20,40 +16,19 @@ loop_control: loop_var: _ip_set -- name: Set country block rule. +- name: Create CC rule set. + ansible.builtin.include_tasks: cc_rules.yml when: - - _acl.rules.cc_block_list is defined - - _acl.rules.cc_block_list | length > 0 - block: - - name: Create country block rule - ansible.builtin.set_fact: - cc_block_rule: - name: block_countries - action: - block: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: block_countries - statement: - geo_match_statement: - country_codes: "{{ _acl.rules.cc_block_list }}" - - - name: Append priority to rule. - ansible.builtin.set_fact: - cc_block_rule: "{{ cc_block_rule | combine(_priority_dict) }}" - - - name: Add rule to list - ansible.builtin.set_fact: - _rules: "{{ _rules + [cc_block_rule] }}" - - - name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml + - _acl.rules.country_codes is defined + - _acl.rules.country_codes | length > 0 + loop: "{{ _acl.rules.country_codes | list }}" + loop_control: + loop_var: _cc_set - name: Set rate limit variable. when: - _acl.rules.rate_limit is defined - - _acl.rules.rate_limit > 0 + - _acl.rules.rate_limit.value > 0 block: - name: Set rate based statement from template ansible.builtin.set_fact: @@ -69,9 +44,14 @@ sampled_requests_enabled: true cloud_watch_metrics_enabled: true metric_name: rate_limit - statement: + Statement: rate_based_statement: "{{ _rbs }}" + - name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.rate_limit.priority }}" + - name: Append priority to rule. ansible.builtin.set_fact: rate_rule: "{{ rate_rule | combine(_priority_dict) }}" 
@@ -80,13 +60,11 @@ ansible.builtin.set_fact: _rules: "{{ _rules + [rate_rule] }}" - - name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml - - name: Create Bot Control rule. - when: _acl.rules.botControl is defined - ansible.builtin.include_tasks: - file: bot_control.yml + ansible.builtin.include_tasks: bot_control.yml + when: + - _acl.rules.botControl is defined + - _acl.rules.botControl.enabled - name: Create regular rules. ansible.builtin.include_tasks: regular_rule.yml @@ -101,11 +79,45 @@ ansible.builtin.include_tasks: cyber_sec.yml when: - _acl.rules.cyber_sec is defined - - _acl.rules.cyber_sec + - _acl.rules.cyber_sec.enabled + +- name: Create Amazon IP reputation rule. + ansible.builtin.include_tasks: amazon_ip_reputation.yml + when: + - _acl.rules.amazon_ip_reputation is defined + - _acl.rules.amazon_ip_reputation.enabled + +- name: Create Common Rule Set rule. + ansible.builtin.include_tasks: common_rule_set.yml + when: + - _acl.rules.common_rule_set is defined + - _acl.rules.common_rule_set.enabled + +- name: Create PHP Rule Set rule. + ansible.builtin.include_tasks: php_rule_set.yml + when: + - _acl.rules.php_rule_set is defined + - _acl.rules.php_rule_set.enabled + +- name: Create Known Bad Inputs rule. + ansible.builtin.include_tasks: known_bad_inputs.yml + when: + - _acl.rules.known_bad_inputs is defined + - _acl.rules.known_bad_inputs.enabled + +- name: Create Anomymous IP List rule. + ansible.builtin.include_tasks: anonymous_ip_list.yml + when: + - _acl.rules.anonymous_ip_list is defined + - _acl.rules.anonymous_ip_list.enabled + +- name: Print the rules + ansible.builtin.debug: + msg: "{{ _rules }}" - name: Create web acl. community.aws.wafv2_web_acl: - name: "{{ _acl.name }}" + name: "{{ _acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ description: "{{ _acl.description }}" scope: "{{ _acl.scope }}" region: "{{ _acl.region }}" 
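Review bot: the rate-limit hunk in `create_acl.yml` changes `statement:` to `Statement:` on `rate_rule`, while every other rule built by this role (`cc_rule`, `ip_set_rule`, the managed rule facts) uses lower-case `statement:` and `community.aws.wafv2_web_acl` documents the `rules` parameter in snake_case; if this only works because of the module's camel-case conversion it should still be lower-case for consistency, and if it was changed to work around a real problem that needs a comment on the line, since the next person to normalise the casing will silently undo the fix.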
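Review bot: in the last `create_acl.yml` hunk the new "Print the rules" `debug` task dumps the full rule list on every run; give it a `verbosity:` level rather than leaving it at the default, and fix the typo in `- name: Create Anomymous IP List rule.`. More importantly, dropping `increase_priority.yml` in favour of user-supplied priorities means the role no longer guarantees that priorities are unique, so add an `ansible.builtin.assert` before the `community.aws.wafv2_web_acl` call that the number of distinct priorities in `_rules` equals `_rules | length` (using whatever key `set_priority_dict.yml` stores the value under); that turns an AWS API rejection into a clear playbook error naming the offending configuration.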
diff --git a/roles/aws/aws_acl/tasks/cyber_sec.yml b/roles/aws/aws_acl/tasks/cyber_sec.yml index deb556e3e..7850ed2b5 100644 --- a/roles/aws/aws_acl/tasks/cyber_sec.yml +++ b/roles/aws/aws_acl/tasks/cyber_sec.yml 
@@ -1,50 +1,55 @@ --- -- name: Create regular rule +- name: Create cyber security rule ansible.builtin.set_fact: cyber_sec_rule: - name: "CyberSecurityCloud-HighSecurityOWASPSet" - override_action: - none: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: "CyberSecurityCloud-HighSecurityOWASPSet" - statement: - managed_rule_group_statement: - vendor_name: "Cyber Security Cloud Inc." - name: "CyberSecurityCloud-HighSecurityOWASPSet-" - excluded_rules: - - name: "bad_useragent-header-001" - - name: "cookie-body-001" - - name: "cookie-qs-001" - - name: "drupal-multi-001" - - name: "drupal-multi-002" - - name: "joomla-multi-001" - - name: "ldapi-url-001" - - name: "nosqli-body-001" - - name: "nosqli-qs-001" - - name: "oracle-multi-001" - - name: "oscommandi-body-001" - - name: "oscommandi-qs-001" - - name: "pathtraversal-body-001" - - name: "pathtraversal-qs-001" - - name: "pathtraversal-url-001" - - name: "rails-header-001" - - name: "sqli-body-001" - - name: "sqli-body-002" - - name: "sqli-qs-001" - - name: "sqli-qs-002" - - name: "sqli-url-001" - - name: "ssrf-multi-001" - - name: "struts-multi-001" - - name: "struts-multi-002" - - name: "struts-multi-003" - - name: "suspicious_access-url-001" - - name: "tomcat-multi-001" - - name: "xss-body-001" - - name: "xss-qs-001" - - name: "xxe-ssci-body-001" - - name: "xxe-ssci-qs-001" + name: "CyberSecurityCloud-HighSecurityOWASPSet" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "CyberSecurityCloud-HighSecurityOWASPSet" + statement: + managed_rule_group_statement: + vendor_name: "Cyber Security Cloud Inc." 
+ name: "CyberSecurityCloud-HighSecurityOWASPSet-" + excluded_rules: + - name: "bad_useragent-header-001" + - name: "cookie-body-001" + - name: "cookie-qs-001" + - name: "drupal-multi-001" + - name: "drupal-multi-002" + - name: "joomla-multi-001" + - name: "ldapi-url-001" + - name: "nosqli-body-001" + - name: "nosqli-qs-001" + - name: "oracle-multi-001" + - name: "oscommandi-body-001" + - name: "oscommandi-qs-001" + - name: "pathtraversal-body-001" + - name: "pathtraversal-qs-001" + - name: "pathtraversal-url-001" + - name: "rails-header-001" + - name: "sqli-body-001" + - name: "sqli-body-002" + - name: "sqli-qs-001" + - name: "sqli-qs-002" + - name: "sqli-url-001" + - name: "ssrf-multi-001" + - name: "struts-multi-001" + - name: "struts-multi-002" + - name: "struts-multi-003" + - name: "suspicious_access-url-001" + - name: "tomcat-multi-001" + - name: "xss-body-001" + - name: "xss-qs-001" + - name: "xxe-ssci-body-001" + - name: "xxe-ssci-qs-001" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.cyber_sec.priority }}" - name: Append priority to rule. ansible.builtin.set_fact: @@ -53,6 +58,3 @@ - name: Add rule to list ansible.builtin.set_fact: _rules: "{{ _rules + [cyber_sec_rule] }}" - -- name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml diff --git a/roles/aws/aws_acl/tasks/ip_sets.yml b/roles/aws/aws_acl/tasks/ip_sets.yml index d4ba9b345..bd0ac1376 100644 --- a/roles/aws/aws_acl/tasks/ip_sets.yml +++ b/roles/aws/aws_acl/tasks/ip_sets.yml 
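Review bot: while `cyber_sec.yml` is being re-indented, the hard-coded `excluded_rules` list is the older form of the managed-rule-group override; the AWS WAF API documents `ExcludedRules` as superseded by `RuleActionOverrides` with a `count` action, which is the form the new managed rule tasks in this same patch already use (`rule_action_overrides` with `challenge`/`captcha`), so converting here would make the role consistent and let the list be driven from the unused `rule_list` key in the defaults instead of being fixed in the task. Also confirm the trailing hyphen in `name: "CyberSecurityCloud-HighSecurityOWASPSet-"` is really part of the Marketplace rule group name; it is unchanged by this patch but looks like a typo.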
@@ -8,15 +8,24 @@ region: "{{ _acl.region }}" ip_address_version: IPV4 addresses: "{{ _ip_set.list }}" + when: _ip_set.list | length > 0 + register: _ip_set_info + +- name: Get IP set for WAF if. + community.aws.wafv2_ip_set_info: + name: "{{ _ip_set.name }}" + scope: "{{ _acl.scope }}" + region: "{{ _acl.region }}" + when: _ip_set.list | length == 0 register: _ip_set_info - name: Set action string ansible.builtin.set_fact: _action: "{ {{ _ip_set.action }}: {} }" -- name: Create IP block rule. +- name: Create IP set rule. ansible.builtin.set_fact: - ip_block_rule: + ip_set_rule: name: "{{ _ip_set.name }}" action: "{{ _action | from_yaml }}" visibility_config: @@ -27,13 +36,15 @@ ip_set_reference_statement: arn: "{{ _ip_set_info.arn }}" +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _ip_set.priority }}" + - name: Append priority to rule. ansible.builtin.set_fact: - ip_block_rule: "{{ ip_block_rule | combine(_priority_dict) }}" + ip_set_rule: "{{ ip_set_rule | combine(_priority_dict) }}" - name: Add rule to list. ansible.builtin.set_fact: - _rules: "{{ _rules + [ip_block_rule] }}" - -- name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml + _rules: "{{ _rules + [ip_set_rule] }}" diff --git a/roles/aws/aws_acl/tasks/known_bad_inputs.yml b/roles/aws/aws_acl/tasks/known_bad_inputs.yml new file mode 100644 index 000000000..88746b893 --- /dev/null +++ b/roles/aws/aws_acl/tasks/known_bad_inputs.yml 
@@ -0,0 +1,28 @@ +--- +- name: Create known bad inputs rule + ansible.builtin.set_fact: + known_bad_inputs: + name: "AWS-AWSManagedRulesKnownBadInputsRuleSet" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "AWS-AWSManagedRulesKnownBadInputsRuleSet" + statement: + managed_rule_group_statement: + vendor_name: "AWS" + name: "AWSManagedRulesKnownBadInputsRuleSet" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.known_bad_inputs.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + known_bad_inputs: "{{ known_bad_inputs | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [known_bad_inputs] }}" diff --git a/roles/aws/aws_acl/tasks/php_rule_set.yml b/roles/aws/aws_acl/tasks/php_rule_set.yml new file mode 100644 index 000000000..64a27e820 --- /dev/null +++ b/roles/aws/aws_acl/tasks/php_rule_set.yml @@ -0,0 +1,28 @@ +--- +- name: Create php rule set rule + ansible.builtin.set_fact: + php_rule_set: + name: "AWS-AWSManagedRulesPHPRuleSet" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "AWS-AWSManagedRulesPHPRuleSet" + statement: + managed_rule_group_statement: + vendor_name: "AWS" + name: "AWSManagedRulesPHPRuleSet" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.php_rule_set.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + php_rule_set: "{{ php_rule_set | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [php_rule_set] }}" diff --git a/roles/aws/aws_acl/tasks/regular_rule.yml b/roles/aws/aws_acl/tasks/regular_rule.yml index f0a4ded0b..649a269a8 100644 --- a/roles/aws/aws_acl/tasks/regular_rule.yml 
+++ b/roles/aws/aws_acl/tasks/regular_rule.yml @@ -3,6 +3,24 @@ ansible.builtin.set_fact: _action: "{ {{ _reg_rule.action }}: {} }" +- name: Set statement string + ansible.builtin.set_fact: + _statements: "" + +- name: Create statements. + ansible.builtin.include_tasks: regular_rule_statements.yml + when: + - _reg_rule.statements is defined + - _reg_rule.statements | length > 0 + loop: "{{ _reg_rule.statements | list }}" + loop_control: + loop_var: _stat + +- name: Encapsulate statement with type + ansible.builtin.set_fact: + _statements: "{ {{ _reg_rule.statements_type }}_statement: { statements: [{{ _statements }}] } }" + when: _reg_rule.statements_type != "single" + - name: Create regular rule ansible.builtin.set_fact: regular_rule: @@ -12,15 +30,12 @@ sampled_requests_enabled: true cloud_watch_metrics_enabled: true metric_name: "{{ _reg_rule.name }}" - statement: - byte_match_statement: - field_to_match: - uri_path: {} - positional_constraint: "{{ _reg_rule.position }}" - search_string: "{{ _reg_rule.string }}" - text_transformations: - - type: "NONE" - priority: 0 + statement: "{{ _statements | from_yaml }}" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _reg_rule.priority }}" - name: Append priority to rule. ansible.builtin.set_fact: @@ -29,6 +44,3 @@ - name: Add rule to list ansible.builtin.set_fact: _rules: "{{ _rules + [regular_rule] }}" - -- name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml diff --git a/roles/aws/aws_acl/tasks/regular_rule_statements.yml b/roles/aws/aws_acl/tasks/regular_rule_statements.yml new file mode 100644 index 000000000..ed75e92a5 --- /dev/null +++ b/roles/aws/aws_acl/tasks/regular_rule_statements.yml 
@@ -0,0 +1,19 @@ +--- +- name: Add comma if _statement already has element + ansible.builtin.set_fact: + _statements: "{{ _statements }}, " + when: _statements != '' + +- name: Set field match string for SingleHeader + ansible.builtin.set_fact: + _ftm: "{ single_header: { name: \"user-agent\"} }" + when: _stat.inspect == "SingleHeader" + +- name: Set field match string for SingleHeader + ansible.builtin.set_fact: + _ftm: "{ uri_path: {} }" + when: _stat.inspect == "UriPath" + +- name: Set statements string + ansible.builtin.set_fact: + _statements: "{{ _statements }}{ byte_match_statement: { search_string: {{ _stat.string }}, field_to_match: {{ _ftm }}, text_transformations: [{ priority: 0, type: {{ _stat.text_trans }} }], positional_constraint: {{ _stat.position }} } }" diff --git a/roles/aws/aws_acl/tasks/set_priority_dict.yml b/roles/aws/aws_acl/tasks/set_priority_dict.yml new file mode 100644 index 000000000..9ca723ea2 --- /dev/null +++ b/roles/aws/aws_acl/tasks/set_priority_dict.yml @@ -0,0 +1,8 @@ +--- +- name: Set dict string + ansible.builtin.set_fact: + _priority_dict_string: "{ priority: {{ _priority }} }" + +- name: Set dict + ansible.builtin.set_fact: + _priority_dict: "{{ _priority_dict_string | from_yaml }}" diff --git a/roles/aws/aws_acl/templates/rate_limit.j2 b/roles/aws/aws_acl/templates/rate_limit.j2 index 410b0026f..f29047667 100644 --- a/roles/aws/aws_acl/templates/rate_limit.j2 +++ b/roles/aws/aws_acl/templates/rate_limit.j2 @@ -1 +1 @@ -{ limit: {{ _acl.rules.rate_limit }}, aggregate_key_type: IP } +{ limit: {{ _acl.rules.rate_limit.value }}, aggregate_key_type: IP } diff --git a/roles/aws/aws_elb/tasks/main.yml b/roles/aws/aws_elb/tasks/main.yml index 39286bf35..969944ce7 100644 --- a/roles/aws/aws_elb/tasks/main.yml +++ b/roles/aws/aws_elb/tasks/main.yml 
@@ -94,7 +94,7 @@ - name: Add HTTP listeners. ansible.builtin.set_fact: - _aws_ec2_listeners: "{{ [ _aws_ec2_listeners_http ] }}" + _aws_ec2_listeners: "{{ [_aws_ec2_listeners_http] }}" when: _ssl_certificate_ARN | length < 1 - name: Add HTTPS Listener. diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml index 2c2973e93..daf1ad759 100644 --- a/roles/aws/aws_iam_role/tasks/main.yml +++ b/roles/aws/aws_iam_role/tasks/main.yml @@ -12,4 +12,4 @@ - name: Register aws_iam_role results. ansible.builtin.set_fact: - aws_iam_role: "{{ aws_iam_role | combine({'_result': { aws_iam_role.name : _aws_iam_role_result}}) }}" + aws_iam_role: "{{ aws_iam_role | combine({'_result': {aws_iam_role.name: _aws_iam_role_result}}) }}" diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml index 7b39674b2..3a200bd6e 100644 --- a/roles/aws/aws_rds/tasks/main.yml +++ b/roles/aws/aws_rds/tasks/main.yml @@ -18,7 +18,7 @@ description: "{{ aws_rds.db_parameter_group_description }}" engine: "{{ aws_rds.db_parameter_group_engine }}" params: "{{ aws_rds.db_parameters }}" - tags: "{{ aws_rds.tags | combine({ 'Name': aws_rds.name }) }}" + tags: "{{ aws_rds.tags | combine({'Name': aws_rds.name}) }}" when: - aws_rds.db_parameters is defined - aws_rds.db_parameters | length > 0 diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml index 585384511..d4c131e68 100644 --- a/roles/debian/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml 
@@ -109,29 +109,29 @@ wazuh: wazuh_manager_api: bind_addr: 0.0.0.0 port: 55000 - behind_proxy_server: no - https: yes + behind_proxy_server: "no" + https: "yes" https_key: "api/configuration/ssl/server.key" https_cert: "api/configuration/ssl/server.crt" - https_use_ca: False + https_use_ca: false https_ca: "api/configuration/ssl/ca.crt" logging_level: "info" logging_path: "logs/api.log" - cors: no + cors: "no" cors_source_route: "*" cors_expose_headers: "*" cors_allow_headers: "*" - cors_allow_credentials: no - cache: yes + cors_allow_credentials: "no" + cache: "yes" cache_time: 0.750 access_max_login_attempts: 5 access_block_time: 300 access_max_request_per_minute: 300 - drop_privileges: yes - experimental_features: no - remote_commands_localfile: yes + drop_privileges: "yes" + experimental_features: "no" + remote_commands_localfile: "yes" remote_commands_localfile_exceptions: [] - remote_commands_wodle: yes + remote_commands_wodle: "yes" remote_commands_wodle_exceptions: [] #wazuh_api_users: # - username: custom-user @@ -153,4 +153,4 @@ wazuh: password: "wazuh" dashboard_security: true dashboard_user: kibanaserver - dashboard_password: changeme \ No newline at end of file + dashboard_password: changeme From d08fd78b0435146bb0e58bda8daf13f9b4d55bb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 13 Jun 2024 06:04:44 +0200 Subject: [PATCH 156/331] Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar --- roles/aws/aws_ami/templates/packer.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_ami/templates/packer.json.j2 b/roles/aws/aws_ami/templates/packer.json.j2 index d2abad8af..b9ade8b1c 100755 --- a/roles/aws/aws_ami/templates/packer.json.j2 +++ b/roles/aws/aws_ami/templates/packer.json.j2 
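Review bot: In the "Create cyber security rule" hunk the `excluded_rules` list is hard-coded into the task, so every deployment excludes the SQLi, XSS, SSRF, OS command injection, path traversal, XXE and NoSQLi rules from `CyberSecurityCloud-HighSecurityOWASPSet` with no way for the operator to change it; the group still shows as enabled in the web ACL while most of what it would catch is switched off. The documentation added later in this series defines `cyber_sec.rule_list: []` for exactly this purpose but the task never reads it. Suggest `excluded_rules: "{{ _acl.rules.cyber_sec.rule_list | default([]) }}"` so the default is "exclude nothing" and the exclusions become an explicit, reviewable choice per site. Also worth checking before merge: the managed group `name` is `"CyberSecurityCloud-HighSecurityOWASPSet-"` with a trailing hyphen, while `metric_name` and the rule `name` two lines above have none.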
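Review bot: In roles/aws/aws_acl/tasks/ip_sets.yml the new `when: _ip_set.list | length == 0` lookup with `wafv2_ip_set_info` has no handling for a set that does not exist yet, so on a first run with an empty list `_ip_set_info.arn` is undefined and the `ip_set_reference_statement` task fails with an unhelpful error. The bigger concern is the semantics this introduces: emptying `list` in configuration now means "keep whatever addresses are in AWS", so an operator cannot clear a block list or, worse, an allow list through the role, and a stale allow entry survives removal from source control. Either pass `addresses: []` to `wafv2_ip_set` when the intent is to empty the set, or add an `ansible.builtin.assert` that `_ip_set_info.arn is defined` whose message spells out the empty-list behaviour, and say the same in the docs comment rather than "won't be recreated".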
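Review bot: Neither roles/aws/aws_acl/tasks/known_bad_inputs.yml nor roles/aws/aws_acl/tasks/php_rule_set.yml sets `excluded_rules`, so the `rule_list` key the docs add for these groups has no effect; an operator who lists a rule there will believe it is excluded when it is still blocking. Either wire it through (`excluded_rules: "{{ _acl.rules.known_bad_inputs.rule_list }}"`) or drop the key from the docs. The two files differ only in the group name and the priority key; one task file taking the managed group name and priority as variables would stop the copies drifting as more AWS managed groups are added.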
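Review bot: In roles/aws/aws_acl/tasks/regular_rule.yml the "Encapsulate statement with type" task wraps every non-`single` type as `{ <type>_statement: { statements: [...] } }`, but a WAFv2 `NotStatement` takes a single `statement`, not a `statements` list, so the `"not"` value the docs advertise will be rejected by `wafv2_web_acl`; `not` needs its own branch (`{ not_statement: { statement: {{ _statements }} } }`). Two related gaps: the encapsulation runs even when `_reg_rule.statements` is undefined, producing `or_statement: { statements: [] }`, and a `single` rule given two statements yields `{...}, {...}`, which `from_yaml` cannot parse. An `ansible.builtin.assert` on `statements_type` and on the statement count per type would turn all three into clear failures.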
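Review bot: In roles/aws/aws_acl/tasks/regular_rule_statements.yml the "Set statements string" task interpolates `_stat.string`, `_stat.position` and `_stat.text_trans` unquoted into flow-style YAML that is later run through `from_yaml`, so a search string containing `:`, `,`, `}` or `#` (ordinary in URI paths and User-Agent fragments) either breaks the parse or silently changes what is matched. Quote them with `{{ _stat.string | to_json }}`. Also, `_ftm` is never reset between loop iterations, so an `inspect` value other than `SingleHeader` or `UriPath` silently reuses the previous statement's field instead of failing; and the `single_header` branch hard-codes `name: "user-agent"` although nothing in the variable structure or docs records that `SingleHeader` only ever inspects that header. The second task name ("Set field match string for SingleHeader") is a copy-paste of the first and should say UriPath.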
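Review bot: roles/aws/aws_acl/tasks/set_priority_dict.yml round-trips the priority through a string and `from_yaml` to build a one-key dict; `_priority_dict: "{{ {'priority': _priority | int} }}"` in a single `set_fact` does the same without the extra file and include, and `| int` makes a non-numeric priority fail at the point it is set rather than inside the `wafv2_web_acl` call. Since every rule task now does the same include followed by `combine`, the priority could be set inline when each rule dict is built.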
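Review bot: roles/aws/aws_acl/templates/rate_limit.j2 now reads `_acl.rules.rate_limit.value`, which is a breaking change for any existing config still setting `rate_limit: 200` as a scalar; that now fails with an attribute error on the int rather than a message saying the structure changed. A `default` fallback for the scalar form, or at least a changelog line, would ease migration for the config repos that consume this role.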
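Review bot: In roles/debian/wazuh/defaults/main.yml the booleans are converted inconsistently: `behind_proxy_server`, `https`, `cors`, `cors_allow_credentials`, `cache`, `drop_privileges`, `experimental_features` and the two `remote_commands_*` keys become the strings `"yes"`/`"no"`, while `https_use_ca` becomes the real boolean `false`. If the API config template prints them verbatim the strings render as `yes`/`no` and the boolean as `False`, and any `when:` in the role that tests one of the string values sees a non-empty string, which is truthy in Jinja regardless of whether it says `"no"`. Pick one representation and, if the template needs strings, cast with `| bool` wherever the role branches on them. Separately, `password: "wazuh"` and `dashboard_password: changeme` remain in the shipped defaults; an `assert` that both have been overridden when `dashboard_security: true` would stop a default-credential deployment.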
@@ -64,7 +64,7 @@ ], "extra_arguments": [ - "--scp-extra-args", "'-O'", + {# "--scp-extra-args", "'-O'", #} {% if ansible_verbosity >= 1 %} "-vvvv", {% endif %} From 00b98920ebd438213d2c38782758a4343441c45e Mon Sep 17 00:00:00 2001 
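Review bot: The Jinja comment in roles/aws/aws_ami/templates/packer.json.j2 leaves dead configuration in the template with nothing saying when it comes back or why it went; the commit subject only says "temporary". The `-O` flag matters because OpenSSH 9.0 switched `scp` to the SFTP protocol by default, and Packer's ansible provisioner SSH proxy needs the legacy scp protocol, so controllers on a new OpenSSH break without the flag and controllers on an old one break with it. A role default that toggles the two `extra_arguments` entries (naming is an assumption) would let both cases work, and the reason belongs in a template comment rather than a commented-out line.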
From: Greg Harvey Date: Thu, 13 Jun 2024 16:15:08 +0200 Subject: [PATCH 157/331] Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. --- docs/_Sidebar.md | 1 + docs/roles/aws/aws_acl.md | 89 ++++++++++++++++--- docs/roles/debian/user_ansible.md | 40 +++++++++ docs/roles/debian/wazuh.md | 21 ++--- roles/aws/aws_acl/README.md | 25 ++---- roles/debian/user_ansible/README.md | 40 +++++++++ roles/debian/user_ansible/defaults/main.yml | 10 ++- roles/debian/user_ansible/tasks/main.yml | 5 +- roles/debian/user_deploy/defaults/main.yml | 6 +- roles/debian/user_provision/defaults/main.yml | 6 +- roles/debian/wazuh/README.md | 21 ++--- 11 files changed, 207 insertions(+), 57 deletions(-) create mode 100644 docs/roles/debian/user_ansible.md create mode 100644 roles/debian/user_ansible/README.md diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 6386f333b..90b0fc558 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md 
@@ -87,6 +87,7 @@ - [SSL](/roles/debian/ssl) - [sudo config](/roles/debian/sudo_config) - [Swap](/roles/debian/swap) + - [User Ansible](/roles/debian/user_ansible) - [varnish_config](/roles/debian/varnish_config) - [wazuh](/roles/debian/wazuh) - [Init role](/roles/_init) diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md index a318bad7b..fb2c8efb5 100644 --- a/docs/roles/aws/aws_acl.md +++ b/docs/roles/aws/aws_acl.md 
@@ -15,32 +15,93 @@ aws_acl: region: "us-east-1" tags: {} rules: - rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) - + rate_limit: + value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + priority: 2 ip_sets: - - name: "Allowed-ips-example" + - name: "Allowed-ips" action: allow - list: [] + priority: 1 + list: [] # If the list is empty, ip set won't be recreated #- 1.1.1.1/32 # list of ip ranges #- 2.2.2.2/32 #- 3.3.3.3/32 - - name: "Blocked-ips-example" + - name: "Blocked-ips" action: block - list: [] + priority: 0 + list: [] # If the list is empty, ip set won't be recreated #- 4.4.4.4/32 # list of ip ranges #- 5.5.5.5/32 #- 6.6.6.6/32 - - cc_block_list: [] - + country_codes: + - name: "allowed-countries" + action: allow + priority: 7 + list: + - GB + - HR + - name: "blocked-countries" + action: block + priority: 8 + list: + - RU + - CN regular_rules: - name: allow_panels action: allow - string: "panels/ajax" - position: "CONTAINS" - -# cyber_sec: #Need to implement task + statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + priority: 4 + statements: + - inspect: "UriPath" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "panels/ajax" + text_trans: "NONE" + - name: block_bots + action: block + statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + priority: 5 + statements: + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "spider" + text_trans: "LOWERCASE" + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "bot" + text_trans: "LOWERCASE" + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" 
+ string: "crawl" + text_trans: "LOWERCASE" + # Managed rules list + bot_control: + enabled: false + target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + priority: 3 + cyber_sec: + enabled: false # Need to subscribe first in AWS + rule_list: [] + priority: 6 + amazon_ip_reputation: + enabled: false + rule_list: [] + priority: 9 + common_rule_set: + enabled: false + rule_list: [] + priority: 10 + php_rule_set: + enabled: false + rule_list: [] + priority: 11 + known_bad_inputs: + enabled: false + rule_list: [] + priority: 12 + anonymous_ip_list: + enabled: false + rule_list: [] + priority: 13 ``` diff --git a/docs/roles/debian/user_ansible.md b/docs/roles/debian/user_ansible.md new file mode 100644 index 000000000..397d4318f --- /dev/null +++ b/docs/roles/debian/user_ansible.md 
@@ -0,0 +1,40 @@ +# User Ansible +General role to create Linux users and corresponding keys, groups, home directory, etc. You may call this role directly or it can be imported, such as when called by the `user_provision` and `user_deploy` roles for handling our system users. + + + + + +## Default variables +```yaml +--- +_user_ansible_username: "" +user_ansible: + # This sets both username and main group. + username: "{{ _user_ansible_username }}" + home: "/home/{{ _user_ansible_username }}" + create: true # if you know the user already exists, set this to false to not create the user. + create_home: true + # Optional Linux uid and gid for user + # uid: 999 + # gid: 999 + # Local username of the deploy user. + utility_host: "localhost" + utility_username: "" + sudoer: + false + # List of additional groups to add the user to. + groups: [] + # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). + ssh_keys: [] + # List of SSH private keys to add to server. These must be provided as strings (content of the private key). + # Be sure to store securely using SOPS or similar. + ssh_private_keys: [] + # List of hostnames to add to known_hosts. + known_hosts: [] + # Whether or not to hash any provided hosts for known_hosts. + known_hosts_hash: true + +``` + + diff --git a/docs/roles/debian/wazuh.md b/docs/roles/debian/wazuh.md index bd4afb89b..5bb89b58c 100644 --- a/docs/roles/debian/wazuh.md +++ b/docs/roles/debian/wazuh.md 
@@ -120,29 +120,29 @@ wazuh: wazuh_manager_api: bind_addr: 0.0.0.0 port: 55000 - behind_proxy_server: no - https: yes + behind_proxy_server: "no" + https: "yes" https_key: "api/configuration/ssl/server.key" https_cert: "api/configuration/ssl/server.crt" - https_use_ca: False + https_use_ca: false https_ca: "api/configuration/ssl/ca.crt" logging_level: "info" logging_path: "logs/api.log" - cors: no + cors: "no" cors_source_route: "*" cors_expose_headers: "*" cors_allow_headers: "*" - cors_allow_credentials: no - cache: yes + cors_allow_credentials: "no" + cache: "yes" cache_time: 0.750 access_max_login_attempts: 5 access_block_time: 300 access_max_request_per_minute: 300 - drop_privileges: yes - experimental_features: no - remote_commands_localfile: yes + drop_privileges: "yes" + experimental_features: "no" + remote_commands_localfile: "yes" remote_commands_localfile_exceptions: [] - remote_commands_wodle: yes + remote_commands_wodle: "yes" remote_commands_wodle_exceptions: [] #wazuh_api_users: # - username: custom-user @@ -165,6 +165,7 @@ wazuh: dashboard_security: true dashboard_user: kibanaserver dashboard_password: changeme + ``` diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index 86ccbd839..fb2c8efb5 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -5,7 +5,7 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa -## Default variables for creation of ACL (pass it as a list) +## Default variables ```yaml --- aws_acl: 
@@ -73,43 +73,36 @@ aws_acl: position: "CONTAINS" string: "crawl" text_trans: "LOWERCASE" - # AWS Managed rules + # Managed rules list bot_control: + enabled: false target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) priority: 3 cyber_sec: - enabled: true # Need to subscribe first in AWS + enabled: false # Need to subscribe first in AWS rule_list: [] priority: 6 amazon_ip_reputation: - enabled: true + enabled: false rule_list: [] priority: 9 common_rule_set: - enabled: true + enabled: false rule_list: [] priority: 10 php_rule_set: - enabled: true + enabled: false rule_list: [] priority: 11 known_bad_inputs: - enabled: true + enabled: false rule_list: [] priority: 12 anonymous_ip_list: - enabled: true + enabled: false rule_list: [] priority: 13 -``` -## Default variables for assigning ACL to CF or ALB -```yaml ---- -aws_acl: - name: example_master_acl # Name of the ACL to apply - scope: CLOUDFRONT # Can be REGIONAL for ALBs - region: "us-east-1" ``` diff --git a/roles/debian/user_ansible/README.md b/roles/debian/user_ansible/README.md new file mode 100644 index 000000000..397d4318f --- /dev/null +++ b/roles/debian/user_ansible/README.md 
@@ -0,0 +1,40 @@ +# User Ansible +General role to create Linux users and corresponding keys, groups, home directory, etc. You may call this role directly or it can be imported, such as when called by the `user_provision` and `user_deploy` roles for handling our system users. + + + + + +## Default variables +```yaml +--- +_user_ansible_username: "" +user_ansible: + # This sets both username and main group. + username: "{{ _user_ansible_username }}" + home: "/home/{{ _user_ansible_username }}" + create: true # if you know the user already exists, set this to false to not create the user. + create_home: true + # Optional Linux uid and gid for user + # uid: 999 + # gid: 999 + # Local username of the deploy user. + utility_host: "localhost" + utility_username: "" + sudoer: + false + # List of additional groups to add the user to. + groups: [] + # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). + ssh_keys: [] + # List of SSH private keys to add to server. These must be provided as strings (content of the private key). + # Be sure to store securely using SOPS or similar. + ssh_private_keys: [] + # List of hostnames to add to known_hosts. + known_hosts: [] + # Whether or not to hash any provided hosts for known_hosts. + known_hosts_hash: true + +``` + + diff --git a/roles/debian/user_ansible/defaults/main.yml b/roles/debian/user_ansible/defaults/main.yml index bcccd873c..a0b64b3de 100644 --- a/roles/debian/user_ansible/defaults/main.yml +++ b/roles/debian/user_ansible/defaults/main.yml @@ -1,7 +1,11 @@ --- +_user_ansible_username: "" user_ansible: # This sets both username and main group. - username: "" + username: "{{ _user_ansible_username }}" + home: "/home/{{ _user_ansible_username }}" + create: true # if you know the user already exists, set this to false to not create the user. + create_home: true # Optional Linux uid and gid for user # uid: 999 # gid: 999 
@@ -10,8 +14,8 @@ user_ansible: utility_username: "" sudoer: false - # List of additional groups to add the user to. - groups: "" + # List of additional groups to add the user to. + groups: [] # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). ssh_keys: [] # List of SSH private keys to add to server. These must be provided as strings (content of the private key). diff --git a/roles/debian/user_ansible/tasks/main.yml b/roles/debian/user_ansible/tasks/main.yml index c40bbed11..e77e698b0 100644 --- a/roles/debian/user_ansible/tasks/main.yml +++ b/roles/debian/user_ansible/tasks/main.yml @@ -22,10 +22,11 @@ group: "{{ user_ansible.username }}" uid: "{{ user_ansible.uid | default(omit) }}" system: true - create_home: true - home: "/home/{{ user_ansible.username }}" + create_home: "{{ user_ansible.create_home }}" + home: "{{ user_ansible.home }}" password: "*" groups: "{{ user_ansible.groups }}" + when: user_ansible.create - name: Add user to sudoers. ansible.builtin.include_role: diff --git a/roles/debian/user_deploy/defaults/main.yml b/roles/debian/user_deploy/defaults/main.yml index 983c0f137..9d45adf3f 100644 --- a/roles/debian/user_deploy/defaults/main.yml +++ b/roles/debian/user_deploy/defaults/main.yml 
@@ -1,8 +1,12 @@ --- +_user_deploy_username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" user_deploy: # This sets both username and main group. # If you are using ce-deploy to deploy code this must match the `deploy_user` variable - username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" + username: "{{ _user_deploy_username }}}" + home: "/home/{{ _user_deploy_username }}}" + create: true # if you know the user already exists, set this to false to not create the user. + create_home: true # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet # This is shown for documentation, you should do this in your config repo # uid: 989 diff --git a/roles/debian/user_provision/defaults/main.yml b/roles/debian/user_provision/defaults/main.yml index 3f53b4d71..a6a08284c 100644 --- a/roles/debian/user_provision/defaults/main.yml +++ b/roles/debian/user_provision/defaults/main.yml @@ -1,7 +1,11 @@ --- +_user_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" user_provision: # This sets both username and main group. - username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" + username: "{{ _user_provision_username }}" + home: "/home/{{ _user_provision_username }}}" + create: true # if you know the user already exists, set this to false to not create the user. + create_home: true # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet # This is shown for documentation, you should do this in your config repo # uid: 988 diff --git a/roles/debian/wazuh/README.md b/roles/debian/wazuh/README.md index bd4afb89b..5bb89b58c 100644 --- a/roles/debian/wazuh/README.md +++ b/roles/debian/wazuh/README.md 
@@ -120,29 +120,29 @@ wazuh: wazuh_manager_api: bind_addr: 0.0.0.0 port: 55000 - behind_proxy_server: no - https: yes + behind_proxy_server: "no" + https: "yes" https_key: "api/configuration/ssl/server.key" https_cert: "api/configuration/ssl/server.crt" - https_use_ca: False + https_use_ca: false https_ca: "api/configuration/ssl/ca.crt" logging_level: "info" logging_path: "logs/api.log" - cors: no + cors: "no" cors_source_route: "*" cors_expose_headers: "*" cors_allow_headers: "*" - cors_allow_credentials: no - cache: yes + cors_allow_credentials: "no" + cache: "yes" cache_time: 0.750 access_max_login_attempts: 5 access_block_time: 300 access_max_request_per_minute: 300 - drop_privileges: yes - experimental_features: no - remote_commands_localfile: yes + drop_privileges: "yes" + experimental_features: "no" + remote_commands_localfile: "yes" remote_commands_localfile_exceptions: [] - remote_commands_wodle: yes + remote_commands_wodle: "yes" remote_commands_wodle_exceptions: [] #wazuh_api_users: # - username: custom-user @@ -165,6 +165,7 @@ wazuh: dashboard_security: true dashboard_user: kibanaserver dashboard_password: changeme + ``` From a1f3d9ed752d7d56fb875b93b6cc6291aa20de0e Mon Sep 17 00:00:00 2001 
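Review bot: In docs/roles/aws/aws_acl.md (and the identical roles/aws/aws_acl/README.md) the `bot_control` comment still says "comment out to avoid addign rule" although the hunk adds an `enabled: false` switch for exactly that, and the `# Aslo supported: "SingleHeader"` comment is copied onto entries that already use SingleHeader; both typos ("Aslo", "addign") should be fixed while you are there. Two things the docs should state because the tasks in this series enforce them: `SingleHeader` only inspects the `user-agent` header, and `rule_list` has no effect for `known_bad_inputs` and `php_rule_set`. The fixed `priority` values (0 to 13) also need a note that priorities must be unique across every rule in the web ACL, otherwise the first operator who adds a second `regular_rules` entry with `priority: 4` gets a confusing API rejection.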
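Review bot: The hunk in roles/aws/aws_acl/README.md drops the "Default variables for assigning ACL to CF or ALB" section, which was the only place documenting the minimal `name`/`scope`/`region` structure for attaching an existing ACL to a distribution or load balancer. If that use case still exists after this change, keep a short paragraph for it; if it no longer does, say so in the commit message so consumers know the attach-only form is gone.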
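Review bot: In roles/debian/user_ansible/tasks/main.yml `home: "{{ user_ansible.home }}"` is now passed unconditionally, so when `create: true` and the account already exists with a different home (for example a service user under /var/lib), `ansible.builtin.user` rewrites the passwd entry without moving the directory (`move_home` defaults to false), leaving the existing `.ssh/authorized_keys` and dotfiles behind at the old path. Either pass `home` only when creating the user or set `move_home: true`. The `groups: ""` to `groups: []` fix in defaults/main.yml is correct and should have its own line in the commit message since the old value could not have worked with the module.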
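Review bot: `username: "{{ _user_deploy_username }}}"` and both `home:` values in roles/debian/user_deploy/defaults/main.yml, and the `home:` value in roles/debian/user_provision/defaults/main.yml, carry a third closing brace, so the rendered username is `deploy}` and the home directory is `/home/deploy}`; the user module will happily create that account and `ce-deploy` will then fail to match its `deploy_user`. This is the regression PATCH 159 in this series corrects, but a render check in CI (`ansible localhost -m debug -a var=user_deploy` against the defaults) would have caught it before merge.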
From: Greg Harvey Date: Thu, 13 Jun 2024 16:43:43 +0200 Subject: [PATCH 158/331] Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. --- roles/debian/firewall_config/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/debian/firewall_config/tasks/main.yml b/roles/debian/firewall_config/tasks/main.yml index cf770ab4e..8d64de18a 100644 --- a/roles/debian/firewall_config/tasks/main.yml +++ b/roles/debian/firewall_config/tasks/main.yml @@ -96,6 +96,11 @@ state: absent when: firewall_config.purge +- name: Touch firewall.bash to ensure it exists and avoid a crash. + ansible.builtin.file: + path: /etc/firewall.bash + state: touch + - name: Apply firewall rules. ansible.builtin.import_role: name: geerlingguy.firewall From 49940d9604c643c566f9c4cb297f6c23e6a385a2 Mon Sep 17 00:00:00 2001 
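Review bot: `state: touch` in roles/debian/firewall_config/tasks/main.yml reports `changed` on every run and bumps the mtime, and it creates /etc/firewall.bash with whatever the umask gives and no explicit owner. Since geerlingguy.firewall executes that file as root, set `owner: root`, `group: root` and `mode: "0750"` explicitly, and add `modification_time: preserve` and `access_time: preserve` so the task is idempotent. If the crash being avoided only happens after the `state: absent` task directly above removes the file, guard the touch with the same `when: firewall_config.purge` instead of running it unconditionally.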
From: Greg Harvey Date: Thu, 13 Jun 2024 17:33:08 +0200 Subject: [PATCH 159/331] Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. --- roles/debian/user_deploy/defaults/main.yml | 4 ++-- roles/debian/user_provision/defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/debian/user_deploy/defaults/main.yml b/roles/debian/user_deploy/defaults/main.yml index 9d45adf3f..084fbb153 100644 --- a/roles/debian/user_deploy/defaults/main.yml +++ b/roles/debian/user_deploy/defaults/main.yml 
@@ -3,8 +3,8 @@ _user_deploy_username: "{% if is_local is defined and is_local %}ce-dev{% else % user_deploy: # This sets both username and main group. # If you are using ce-deploy to deploy code this must match the `deploy_user` variable - username: "{{ _user_deploy_username }}}" - home: "/home/{{ _user_deploy_username }}}" + username: "{{ _user_deploy_username }}" + home: "/home/{{ _user_deploy_username }}" create: true # if you know the user already exists, set this to false to not create the user. create_home: true # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet diff --git a/roles/debian/user_provision/defaults/main.yml b/roles/debian/user_provision/defaults/main.yml index a6a08284c..a7a5a49d2 100644 --- a/roles/debian/user_provision/defaults/main.yml +++ b/roles/debian/user_provision/defaults/main.yml @@ -3,7 +3,7 @@ _user_provision_username: "{% if is_local is defined and is_local %}ce-dev{% els user_provision: # This sets both username and main group. username: "{{ _user_provision_username }}" - home: "/home/{{ _user_provision_username }}}" + home: "/home/{{ _user_provision_username }}" create: true # if you know the user already exists, set this to false to not create the user. create_home: true # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet From b556265de12fdf0cccc4aa4723c6d29b99074054 Mon Sep 17 00:00:00 2001 
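Review bot: for the record, the stray third brace in `username: "{{ _user_deploy_username }}}"` and the two `home:` lines rendered a literal `}` into the value, so the account was created as e.g. `deploy}` with home `/home/deploy}`, and the comment two lines above (username must match ce-deploy's `deploy_user`) was silently violated. This is cheap to guard against: add an `ansible.builtin.assert` before the user is created that `user_deploy.username` and `user_provision.username` match `^[a-z_][a-z0-9_-]*$`, which would have failed loudly here instead of provisioning a misnamed user with SSH keys and (for user_provision) sudo.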
From: Greg Harvey Date: Thu, 13 Jun 2024 17:36:50 +0200 Subject: [PATCH 160/331] Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. --- roles/debian/user_ansible/defaults/main.yml | 2 +- roles/debian/user_deploy/defaults/main.yml | 2 +- roles/debian/user_provision/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/debian/user_ansible/defaults/main.yml b/roles/debian/user_ansible/defaults/main.yml index a0b64b3de..c3cb758e8 100644 --- a/roles/debian/user_ansible/defaults/main.yml +++ b/roles/debian/user_ansible/defaults/main.yml @@ -11,7 +11,7 @@ user_ansible: # gid: 999 # Local username of the deploy user. utility_host: "localhost" - utility_username: "" + utility_username: "{{ _user_ansible_username }}" sudoer: false # List of additional groups to add the user to. 
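Review bot: `utility_username: "{{ _user_ansible_username }}"` in roles/debian/user_ansible/defaults/main.yml references a variable that is not visible in this hunk; the sibling roles declare `_user_deploy_username` and `_user_provision_username` at the top of their defaults (the `@@ -3` hunks in #1769), so confirm `_user_ansible_username` is declared the same way in user_ansible, otherwise the role fails with an undefined variable the first time `utility_username` is rendered. The comment above it, `# Local username of the deploy user.`, also reads as copied from user_deploy and should say which user this role manages.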
diff --git a/roles/debian/user_deploy/defaults/main.yml b/roles/debian/user_deploy/defaults/main.yml index 084fbb153..711f53c89 100644 --- a/roles/debian/user_deploy/defaults/main.yml +++ b/roles/debian/user_deploy/defaults/main.yml @@ -13,7 +13,7 @@ user_deploy: # gid: 989 # Local username of the deploy user. utility_host: "localhost" - utility_username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" + utility_username: "{{ _user_deploy_username }}" sudoer: false # List of additional groups to add the user to. groups: diff --git a/roles/debian/user_provision/defaults/main.yml b/roles/debian/user_provision/defaults/main.yml index a7a5a49d2..a1c8799cf 100644 --- a/roles/debian/user_provision/defaults/main.yml +++ b/roles/debian/user_provision/defaults/main.yml @@ -12,7 +12,7 @@ user_provision: # gid: 988 # Local username of the system user. utility_host: "localhost" - utility_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" + utility_username: "{{ _user_provision_username }}" sudoer: true groups: [] ssh_keys: [] From c8f437bdd34acb891e5cadebbf784a55dd90f05b Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 19 Jun 2024 12:33:37 +0200 Subject: [PATCH 161/331] Managing-mime-types-nginx (#1773) --- roles/debian/nginx/defaults/main.yml | 73 ++++++++++++++++++++++ roles/debian/nginx/tasks/main.yml | 8 +++ roles/debian/nginx/templates/mime.types.j2 | 6 ++ 3 files changed, 87 insertions(+) create mode 100644 roles/debian/nginx/templates/mime.types.j2 diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index 5f66e981f..2b587ce41 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml 
@@ -35,6 +35,79 @@ nginx: - application/x-font-opentype - image/svg+xml - image/x-icon + mime_types: + text/html: ["html", "htm", "shtml"] + text/css: ["css"] + text/xml: ["xml", "rss"] + image/gif: ["gif"] + image/jpeg: ["jpeg", "jpg"] + application/x-javascript: ["js"] + application/atom+xml: ["atom"] + text/mathml: ["mml"] + text/plain: ["txt"] + text/vnd.sun.j2me.app-descriptor: ["jad"] + text/vnd.wap.wml: ["wml"] + text/x-component: ["htc"] + image/png: ["png"] + image/tiff: ["tif", "tiff"] + image/vnd.wap.wbmp: ["wbmp"] + image/x-icon: ["ico"] + image/x-jng: ["jng"] + image/x-ms-bmp: ["bmp"] + image/svg+xml: ["svg", "svgz"] + font/ttf: ["ttf"] + font/opentype: ["otf"] + application/font-woff: ["woff"] + application/vnd.ms-fontobject: ["eot"] + application/java-archive: ["jar", "war", "ear"] + application/manifest+json: ["webmanifest"] + application/json: ["json"] + application/mac-binhex40: ["hqx"] + application/msword: ["doc"] + application/pdf: ["pdf"] + application/postscript: ["ps", "eps", "ai"] + application/rtf: ["rtf"] + application/vnd.ms-excel: ["xls"] + application/vnd.ms-powerpoint: ["ppt"] + application/vnd.wap.wmlc: ["wmlc"] + application/vnd.google-earth.kml+xml: ["kml"] + application/vnd.google-earth.kmz: ["kmz"] + application/x-7z-compressed: ["7z"] + application/x-cocoa: ["cco"] + application/x-java-archive-diff: ["jardiff"] + application/x-java-jnlp-file: ["jnlp"] + application/x-makeself: ["run"] + application/x-perl: ["pl", "pm"] + application/x-pilot: ["prc", "pdb"] + application/x-rar-compressed: ["rar"] + application/x-redhat-package-manager: ["rpm"] + application/x-sea: ["sea"] + application/x-shockwave-flash: ["swf"] + application/x-stuffit: ["sit"] + application/x-tcl: ["tcl", "tk"] + application/x-x509-ca-cert: ["der", "pem", "crt"] + application/x-xpinstall: ["xpi"] + application/xhtml+xml: ["xhtml"] + application/zip: ["zip"] + application/octet-stream: ["bin", "exe", "dll", "deb", "dmg", "iso", "img", "msi", "msp", "msm"] + 
application/ogg: ["ogx"] + audio/midi: ["mid", "midi", "kar"] + audio/mpeg: ["mpga", "mpega", "mp2", "mp3", "m4a"] + audio/ogg: ["oga", "ogg", "spx"] + audio/x-realaudio: ["ra"] + audio/webm: ["weba"] + video/3gpp: ["3gpp", "3gp"] + video/mp4: ["mp4"] + video/mpeg: ["mpeg", "mpg", "mpe"] + video/ogg: ["ogv"] + video/quicktime: ["mov"] + video/webm: ["webm"] + video/x-flv: ["flv"] + video/x-mng: ["mng"] + video/x-ms-asf: ["asx", "asf"] + video/x-ms-wmv: ["wmv"] + video/x-msvideo: ["avi"] + proxy_buffer_size: 512k proxy_buffers: "8 256k" client_body_buffer_size: 512k diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index afce9a655..54f3905dc 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -112,6 +112,14 @@ when: - _nginx_cloudwatch_dir.stat.isdir is defined and _nginx_cloudwatch_dir.stat.isdir +- name: Update nginx mime.types + ansible.builtin.template: + src: mime.types.j2 + dest: /etc/nginx/mime.types + owner: root + group: root + mode: 0644 + - name: Generate domain specific configuration. ansible.builtin.include_tasks: domain.yml with_items: "{{ nginx.domains }}" diff --git a/roles/debian/nginx/templates/mime.types.j2 b/roles/debian/nginx/templates/mime.types.j2 new file mode 100644 index 000000000..f3f27da19 --- /dev/null +++ b/roles/debian/nginx/templates/mime.types.j2 @@ -0,0 +1,6 @@ +# This file is generated from Ansible template +types { +{% for mime_type, extensions in nginx.http.mime_types.items() %} + {{ mime_type }} {{ extensions | join(" ") }}; +{% endfor %} +} From 78d9859fbe9c26dd8e0d458bce4ae277b506d7b3 Mon Sep 17 00:00:00 2001 
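Review bot: the `Update nginx mime.types` task has no `notify`, so a changed mapping is written to /etc/nginx/mime.types but not loaded until something else reloads nginx; notify the role's existing nginx reload handler from this task. Two things to check in the same patch: the template iterates `nginx.http.mime_types`, while the defaults hunk shows `mime_types:` added under `nginx:` at the same level as the existing `- image/x-icon` list, so confirm the key path is actually `nginx.http.mime_types` or the template fails to render; and /etc/nginx/mime.types is a file shipped by the Debian package, so overwriting it produces a conffile conflict on the next package upgrade, which writing to a role-owned file (for example /etc/nginx/conf.d/mime.types) and pointing the `include` at that avoids. On the mapping itself: `js` is mapped to the legacy `application/x-javascript` where `text/javascript` is the registered type, `woff` to `application/font-woff` rather than `font/woff`, and `woff2`, `wasm` and `mjs` are absent entirely, so those files fall back to nginx's `default_type` (normally `application/octet-stream`), which breaks WebAssembly and font loading in browsers that enforce the type. Worth noting in the README that because this is one dict under `nginx`, an override has to supply the full list, not just the additions.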
From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 20 Jun 2024 15:14:26 +0200 Subject: [PATCH 162/331] Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable --- docs/roles/debian/nginx.md | 73 ++++++++++++++++++++++++++++ docs/roles/debian/user_ansible.md | 2 +- docs/roles/debian/wazuh.md | 1 + roles/debian/nginx/README.md | 73 ++++++++++++++++++++++++++++ roles/debian/user_ansible/README.md | 2 +- roles/debian/wazuh/README.md | 1 + roles/debian/wazuh/defaults/main.yml | 1 + roles/debian/wazuh/tasks/main.yml | 3 +- 8 files changed, 153 insertions(+), 3 deletions(-) diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 2f7eade5d..87b1a76dd 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md 
@@ -47,6 +47,79 @@ nginx: - application/x-font-opentype - image/svg+xml - image/x-icon + mime_types: + text/html: ["html", "htm", "shtml"] + text/css: ["css"] + text/xml: ["xml", "rss"] + image/gif: ["gif"] + image/jpeg: ["jpeg", "jpg"] + application/x-javascript: ["js"] + application/atom+xml: ["atom"] + text/mathml: ["mml"] + text/plain: ["txt"] + text/vnd.sun.j2me.app-descriptor: ["jad"] + text/vnd.wap.wml: ["wml"] + text/x-component: ["htc"] + image/png: ["png"] + image/tiff: ["tif", "tiff"] + image/vnd.wap.wbmp: ["wbmp"] + image/x-icon: ["ico"] + image/x-jng: ["jng"] + image/x-ms-bmp: ["bmp"] + image/svg+xml: ["svg", "svgz"] + font/ttf: ["ttf"] + font/opentype: ["otf"] + application/font-woff: ["woff"] + application/vnd.ms-fontobject: ["eot"] + application/java-archive: ["jar", "war", "ear"] + application/manifest+json: ["webmanifest"] + application/json: ["json"] + application/mac-binhex40: ["hqx"] + application/msword: ["doc"] + application/pdf: ["pdf"] + application/postscript: ["ps", "eps", "ai"] + application/rtf: ["rtf"] + application/vnd.ms-excel: ["xls"] + application/vnd.ms-powerpoint: ["ppt"] + application/vnd.wap.wmlc: ["wmlc"] + application/vnd.google-earth.kml+xml: ["kml"] + application/vnd.google-earth.kmz: ["kmz"] + application/x-7z-compressed: ["7z"] + application/x-cocoa: ["cco"] + application/x-java-archive-diff: ["jardiff"] + application/x-java-jnlp-file: ["jnlp"] + application/x-makeself: ["run"] + application/x-perl: ["pl", "pm"] + application/x-pilot: ["prc", "pdb"] + application/x-rar-compressed: ["rar"] + application/x-redhat-package-manager: ["rpm"] + application/x-sea: ["sea"] + application/x-shockwave-flash: ["swf"] + application/x-stuffit: ["sit"] + application/x-tcl: ["tcl", "tk"] + application/x-x509-ca-cert: ["der", "pem", "crt"] + application/x-xpinstall: ["xpi"] + application/xhtml+xml: ["xhtml"] + application/zip: ["zip"] + application/octet-stream: ["bin", "exe", "dll", "deb", "dmg", "iso", "img", "msi", "msp", "msm"] + 
application/ogg: ["ogx"] + audio/midi: ["mid", "midi", "kar"] + audio/mpeg: ["mpga", "mpega", "mp2", "mp3", "m4a"] + audio/ogg: ["oga", "ogg", "spx"] + audio/x-realaudio: ["ra"] + audio/webm: ["weba"] + video/3gpp: ["3gpp", "3gp"] + video/mp4: ["mp4"] + video/mpeg: ["mpeg", "mpg", "mpe"] + video/ogg: ["ogv"] + video/quicktime: ["mov"] + video/webm: ["webm"] + video/x-flv: ["flv"] + video/x-mng: ["mng"] + video/x-ms-asf: ["asx", "asf"] + video/x-ms-wmv: ["wmv"] + video/x-msvideo: ["avi"] + proxy_buffer_size: 512k proxy_buffers: "8 256k" client_body_buffer_size: 512k diff --git a/docs/roles/debian/user_ansible.md b/docs/roles/debian/user_ansible.md index 397d4318f..117adcd08 100644 --- a/docs/roles/debian/user_ansible.md +++ b/docs/roles/debian/user_ansible.md @@ -20,7 +20,7 @@ user_ansible: # gid: 999 # Local username of the deploy user. utility_host: "localhost" - utility_username: "" + utility_username: "{{ _user_ansible_username }}" sudoer: false # List of additional groups to add the user to. diff --git a/docs/roles/debian/wazuh.md b/docs/roles/debian/wazuh.md index 5bb89b58c..7f4234057 100644 --- a/docs/roles/debian/wazuh.md +++ b/docs/roles/debian/wazuh.md @@ -94,6 +94,7 @@ wazuh: wazuh_manager_email_log_source: alerts.log wazuh_manager_log_level: 3 wazuh_manager_email_level: 12 + wazuh_manager_whitelist: 1.1.1.1 agent_groups: [] # maps to `groups` string in agent config above wazuh_manager_extra_emails: [] # list of additional emails to send, e.g. #- enable: true diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 2f7eade5d..87b1a76dd 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md 
@@ -47,6 +47,79 @@ nginx: - application/x-font-opentype - image/svg+xml - image/x-icon + mime_types: + text/html: ["html", "htm", "shtml"] + text/css: ["css"] + text/xml: ["xml", "rss"] + image/gif: ["gif"] + image/jpeg: ["jpeg", "jpg"] + application/x-javascript: ["js"] + application/atom+xml: ["atom"] + text/mathml: ["mml"] + text/plain: ["txt"] + text/vnd.sun.j2me.app-descriptor: ["jad"] + text/vnd.wap.wml: ["wml"] + text/x-component: ["htc"] + image/png: ["png"] + image/tiff: ["tif", "tiff"] + image/vnd.wap.wbmp: ["wbmp"] + image/x-icon: ["ico"] + image/x-jng: ["jng"] + image/x-ms-bmp: ["bmp"] + image/svg+xml: ["svg", "svgz"] + font/ttf: ["ttf"] + font/opentype: ["otf"] + application/font-woff: ["woff"] + application/vnd.ms-fontobject: ["eot"] + application/java-archive: ["jar", "war", "ear"] + application/manifest+json: ["webmanifest"] + application/json: ["json"] + application/mac-binhex40: ["hqx"] + application/msword: ["doc"] + application/pdf: ["pdf"] + application/postscript: ["ps", "eps", "ai"] + application/rtf: ["rtf"] + application/vnd.ms-excel: ["xls"] + application/vnd.ms-powerpoint: ["ppt"] + application/vnd.wap.wmlc: ["wmlc"] + application/vnd.google-earth.kml+xml: ["kml"] + application/vnd.google-earth.kmz: ["kmz"] + application/x-7z-compressed: ["7z"] + application/x-cocoa: ["cco"] + application/x-java-archive-diff: ["jardiff"] + application/x-java-jnlp-file: ["jnlp"] + application/x-makeself: ["run"] + application/x-perl: ["pl", "pm"] + application/x-pilot: ["prc", "pdb"] + application/x-rar-compressed: ["rar"] + application/x-redhat-package-manager: ["rpm"] + application/x-sea: ["sea"] + application/x-shockwave-flash: ["swf"] + application/x-stuffit: ["sit"] + application/x-tcl: ["tcl", "tk"] + application/x-x509-ca-cert: ["der", "pem", "crt"] + application/x-xpinstall: ["xpi"] + application/xhtml+xml: ["xhtml"] + application/zip: ["zip"] + application/octet-stream: ["bin", "exe", "dll", "deb", "dmg", "iso", "img", "msi", "msp", "msm"] + 
application/ogg: ["ogx"] + audio/midi: ["mid", "midi", "kar"] + audio/mpeg: ["mpga", "mpega", "mp2", "mp3", "m4a"] + audio/ogg: ["oga", "ogg", "spx"] + audio/x-realaudio: ["ra"] + audio/webm: ["weba"] + video/3gpp: ["3gpp", "3gp"] + video/mp4: ["mp4"] + video/mpeg: ["mpeg", "mpg", "mpe"] + video/ogg: ["ogv"] + video/quicktime: ["mov"] + video/webm: ["webm"] + video/x-flv: ["flv"] + video/x-mng: ["mng"] + video/x-ms-asf: ["asx", "asf"] + video/x-ms-wmv: ["wmv"] + video/x-msvideo: ["avi"] + proxy_buffer_size: 512k proxy_buffers: "8 256k" client_body_buffer_size: 512k diff --git a/roles/debian/user_ansible/README.md b/roles/debian/user_ansible/README.md index 397d4318f..117adcd08 100644 --- a/roles/debian/user_ansible/README.md +++ b/roles/debian/user_ansible/README.md @@ -20,7 +20,7 @@ user_ansible: # gid: 999 # Local username of the deploy user. utility_host: "localhost" - utility_username: "" + utility_username: "{{ _user_ansible_username }}" sudoer: false # List of additional groups to add the user to. diff --git a/roles/debian/wazuh/README.md b/roles/debian/wazuh/README.md index 5bb89b58c..7f4234057 100644 --- a/roles/debian/wazuh/README.md +++ b/roles/debian/wazuh/README.md @@ -94,6 +94,7 @@ wazuh: wazuh_manager_email_log_source: alerts.log wazuh_manager_log_level: 3 wazuh_manager_email_level: 12 + wazuh_manager_whitelist: 1.1.1.1 agent_groups: [] # maps to `groups` string in agent config above wazuh_manager_extra_emails: [] # list of additional emails to send, e.g. #- enable: true diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml index d4c131e68..d614bc565 100644 --- a/roles/debian/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml 
@@ -83,6 +83,7 @@ wazuh: wazuh_manager_email_log_source: alerts.log wazuh_manager_log_level: 3 wazuh_manager_email_level: 12 + wazuh_manager_globals: 1.1.1.1 agent_groups: [] # maps to `groups` string in agent config above wazuh_manager_extra_emails: [] # list of additional emails to send, e.g. #- enable: true diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index 6a4ba793d..3a4924cc9 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml @@ -57,6 +57,7 @@ wazuh_manager_email_queue_size: "{{ wazuh.manager.wazuh_manager_email_queue_size }}" wazuh_manager_email_log_source: "{{ wazuh.manager.wazuh_manager_email_log_source }}" wazuh_manager_log_level: "{{ wazuh.manager.wazuh_manager_log_level }}" + wazuh_manager_globals: "{{ wazuh.manager.wazuh_manager_globals }}" wazuh_manager_email_level: "{{ wazuh.manager.wazuh_manager_email_level }}" wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" @@ -110,4 +111,4 @@ ansible_shell_allow_world_readable_temp: true wazuh_agent_sources_installation: enabled: true - when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled \ No newline at end of file + when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled From f52aeaf89049cdb97fc20e789720989a3a369785 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 25 Jun 2024 11:37:01 +0200 Subject: [PATCH 163/331] Updating-wazuh-vars (#1777) --- roles/debian/wazuh/defaults/main.yml | 14 +++++++++++++- roles/debian/wazuh/tasks/main.yml | 1 + 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml index d614bc565..6deee76fd 100644 --- a/roles/debian/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml 
@@ -83,7 +83,19 @@ wazuh: wazuh_manager_email_log_source: alerts.log wazuh_manager_log_level: 3 wazuh_manager_email_level: 12 - wazuh_manager_globals: 1.1.1.1 + wazuh_manager_active_responses: + - command: "firewall-drop" + location: "all" + rules_id: "31151,5712,104130,101071,101132,101238,101251,103011" + repeated_offenders: "30,60,120" + timeout: 600 + - command: "firewall-drop" + location: "all" + rules_id: "100205" + repeated_offenders: "30,60,120" + timeout: 3600 + wazuh_manager_globals: + - '1.1.1.1' agent_groups: [] # maps to `groups` string in agent config above wazuh_manager_extra_emails: [] # list of additional emails to send, e.g. #- enable: true diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index 3a4924cc9..e96550727 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml @@ -58,6 +58,7 @@ wazuh_manager_email_log_source: "{{ wazuh.manager.wazuh_manager_email_log_source }}" wazuh_manager_log_level: "{{ wazuh.manager.wazuh_manager_log_level }}" wazuh_manager_globals: "{{ wazuh.manager.wazuh_manager_globals }}" + wazuh_manager_active_responses: "{{ wazuh.manager.wazuh_manager_active_responses }}" wazuh_manager_email_level: "{{ wazuh.manager.wazuh_manager_email_level }}" wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" From c1601ebba3ced764b62071271dfdfef046d27ee8 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Tue, 25 Jun 2024 12:06:59 +0100 Subject: [PATCH 164/331] add community.postgresql collection and remove varnish master release (#1779) --- roles/debian/ce_provision/meta/requirements-11.yml | 2 +- roles/debian/ce_provision/meta/requirements-12.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
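Review bot: the documentation and the code disagree in #1775: docs/roles/debian/wazuh.md and roles/debian/wazuh/README.md add `wazuh_manager_whitelist: 1.1.1.1`, but roles/debian/wazuh/defaults/main.yml and tasks/main.yml add `wazuh_manager_globals`, so anyone following the docs sets a variable nothing reads. #1777 then changes `wazuh_manager_globals` from a bare string to a list, which confirms the #1775 value was the wrong type for the upstream variable; the docs still show the scalar and the old name and need the same update. More importantly, `1.1.1.1` is a real public address, not a placeholder, and shipping it as the default means that host is exempt from the `firewall-drop` active responses on every manager built from these defaults; the commit title says the intent is to whitelist the CE VPN address, which belongs in the operator's own vars, so the default here should be `[]` with the VPN address shown only as an example in the README. That matters because the new `active_responses` defaults use `location: all` with escalating `repeated_offenders` timeouts, so a false positive on any of the listed rule IDs blocks the source on every agent fleet-wide, and the whitelist is the only guard against locking out the management path.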
diff --git a/roles/debian/ce_provision/meta/requirements-11.yml b/roles/debian/ce_provision/meta/requirements-11.yml index dfaf710a3..1e968332c 100644 --- a/roles/debian/ce_provision/meta/requirements-11.yml +++ b/roles/debian/ce_provision/meta/requirements-11.yml @@ -6,11 +6,11 @@ collections: - name: community.sops - name: community.aws - name: community.general + - name: community.postgresql - name: amazon.aws roles: - name: geerlingguy.varnish - version: "3.3.1" # bad release, remove later when 'master' is gone from here: https://galaxy.ansible.com/ui/standalone/roles/geerlingguy/varnish/ - name: geerlingguy.firewall - name: geerlingguy.composer - name: geerlingguy.clamav diff --git a/roles/debian/ce_provision/meta/requirements-12.yml b/roles/debian/ce_provision/meta/requirements-12.yml index dfaf710a3..1e968332c 100644 --- a/roles/debian/ce_provision/meta/requirements-12.yml +++ b/roles/debian/ce_provision/meta/requirements-12.yml @@ -6,11 +6,11 @@ collections: - name: community.sops - name: community.aws - name: community.general + - name: community.postgresql - name: amazon.aws roles: - name: geerlingguy.varnish - version: "3.3.1" # bad release, remove later when 'master' is gone from here: https://galaxy.ansible.com/ui/standalone/roles/geerlingguy/varnish/ - name: geerlingguy.firewall - name: geerlingguy.composer - name: geerlingguy.clamav From 1dd7153dde616b8b8441f8f0e6771350c4ce7d76 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 25 Jun 2024 13:08:08 +0200 Subject: [PATCH 165/331] Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars --- roles/debian/wazuh/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index e96550727..0bcdab5a2 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml 
@@ -58,7 +58,7 @@ wazuh_manager_email_log_source: "{{ wazuh.manager.wazuh_manager_email_log_source }}" wazuh_manager_log_level: "{{ wazuh.manager.wazuh_manager_log_level }}" wazuh_manager_globals: "{{ wazuh.manager.wazuh_manager_globals }}" - wazuh_manager_active_responses: "{{ wazuh.manager.wazuh_manager_active_responses }}" + wazuh_manager_active_responses: "{{ wazuh.manager.wazuh_manager_config.active_responses }}" wazuh_manager_email_level: "{{ wazuh.manager.wazuh_manager_email_level }}" wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" From 1644e8b057807f0dab5ec32d0223eb5a9b61596c Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 25 Jun 2024 13:40:34 +0200 Subject: [PATCH 166/331] Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x --- roles/debian/wazuh/defaults/main.yml | 23 ++++++++++++----------- roles/debian/wazuh/tasks/main.yml | 2 +- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml index 6deee76fd..d90f17991 100644 --- a/roles/debian/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml 
@@ -83,17 +83,18 @@ wazuh: wazuh_manager_email_log_source: alerts.log wazuh_manager_log_level: 3 wazuh_manager_email_level: 12 - wazuh_manager_active_responses: - - command: "firewall-drop" - location: "all" - rules_id: "31151,5712,104130,101071,101132,101238,101251,103011" - repeated_offenders: "30,60,120" - timeout: 600 - - command: "firewall-drop" - location: "all" - rules_id: "100205" - repeated_offenders: "30,60,120" - timeout: 3600 + wazuh_manager_config: + active_responses: + - command: "firewall-drop" + location: "all" + rules_id: "31151,5712,104130,101071,101132,101238,101251,103011" + repeated_offenders: "30,60,120" + timeout: 600 + - command: "firewall-drop" + location: "all" + rules_id: "100205" + repeated_offenders: "30,60,120" + timeout: 3600 wazuh_manager_globals: - '1.1.1.1' agent_groups: [] # maps to `groups` string in agent config above diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index 0bcdab5a2..e810b026a 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml @@ -58,7 +58,7 @@ wazuh_manager_email_log_source: "{{ wazuh.manager.wazuh_manager_email_log_source }}" wazuh_manager_log_level: "{{ wazuh.manager.wazuh_manager_log_level }}" wazuh_manager_globals: "{{ wazuh.manager.wazuh_manager_globals }}" - wazuh_manager_active_responses: "{{ wazuh.manager.wazuh_manager_config.active_responses }}" + wazuh_manager_config.active_responses: "{{ wazuh.manager.wazuh_manager_config.active_responses }}" wazuh_manager_email_level: "{{ wazuh.manager.wazuh_manager_email_level }}" wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" From 29c8f530fb24fd4a9af897c0c0c52141edc944b7 Mon Sep 17 00:00:00 2001 
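Review bot: in the tasks hunk of #1783, `wazuh_manager_config.active_responses:` is a literal variable name containing a dot, not a nested path, which is why the pipeline broke and #1785 had to rename it. The sequence #1781 to #1787 each left defaults and tasks out of step for one merge (for example #1781 reads `wazuh.manager.wazuh_manager_config.active_responses` while defaults from #1777 still define `wazuh_manager_active_responses`), so these should be squashed or at least run through a syntax check before landing on 2.x. On the end state: passing `wazuh_manager_config:` with only `active_responses` underneath to the upstream role replaces that whole dict under Ansible's default `hash_behaviour=replace`; if the upstream role keeps other settings under `wazuh_manager_config`, they are silently dropped, so either carry the full dict in this role's defaults or check that `active_responses` is the only key upstream uses.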
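Review bot: on #1779, dropping `version: "3.3.1"` from geerlingguy.varnish in requirements-11.yml and requirements-12.yml leaves every role and collection in both files unpinned, so `ansible-galaxy install` resolves whatever is newest on Galaxy at run time; the newly added community.postgresql is unpinned too. For a tool that runs as root across a fleet, pin each entry to a release (and for roles ideally a tag via `src:`/`version:`) so builds are reproducible and a broken or compromised upstream release does not flow straight into production. The removed comment says the pin was a workaround for a bad 'master' entry on Galaxy; the fix for that is to pin to a known-good version, not to remove the pin.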
From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 25 Jun 2024 13:53:02 +0200 Subject: [PATCH 167/331] Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline --- roles/debian/wazuh/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index e810b026a..32e2e8ac3 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml @@ -58,7 +58,7 @@ wazuh_manager_email_log_source: "{{ wazuh.manager.wazuh_manager_email_log_source }}" wazuh_manager_log_level: "{{ wazuh.manager.wazuh_manager_log_level }}" wazuh_manager_globals: "{{ wazuh.manager.wazuh_manager_globals }}" - wazuh_manager_config.active_responses: "{{ wazuh.manager.wazuh_manager_config.active_responses }}" + wazuh_manager_config_active_responses: "{{ wazuh.manager.wazuh_manager_config.active_responses }}" wazuh_manager_email_level: "{{ wazuh.manager.wazuh_manager_email_level }}" wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" From 2645a534973c7af551ef1acb760ad70bef91872c Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 25 Jun 2024 14:45:15 +0200 Subject: [PATCH 168/331] Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars --- roles/debian/wazuh/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index 32e2e8ac3..c7f867c01 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml 
@@ -58,7 +58,8 @@ wazuh_manager_email_log_source: "{{ wazuh.manager.wazuh_manager_email_log_source }}" wazuh_manager_log_level: "{{ wazuh.manager.wazuh_manager_log_level }}" wazuh_manager_globals: "{{ wazuh.manager.wazuh_manager_globals }}" - wazuh_manager_config_active_responses: "{{ wazuh.manager.wazuh_manager_config.active_responses }}" + wazuh_manager_config: + active_responses: "{{ wazuh.manager.wazuh_manager_config.active_responses }}" wazuh_manager_email_level: "{{ wazuh.manager.wazuh_manager_email_level }}" wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" From da8e9096a57d520305d717f5c96d1c3efb3be711 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Wed, 26 Jun 2024 13:51:06 +0100 Subject: [PATCH 169/331] r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role --- roles/debian/mattermost/defaults/main.yml | 3 + roles/debian/mattermost/handlers/main.yml | 10 +++ roles/debian/mattermost/tasks/main.yml | 73 +++++++++++++++++++ .../templates/mattermost_service.j2 | 20 +++++ 4 files changed, 106 insertions(+) create mode 100644 roles/debian/mattermost/defaults/main.yml create mode 100644 roles/debian/mattermost/handlers/main.yml create mode 100644 roles/debian/mattermost/tasks/main.yml create mode 100644 roles/debian/mattermost/templates/mattermost_service.j2 diff --git a/roles/debian/mattermost/defaults/main.yml b/roles/debian/mattermost/defaults/main.yml new file mode 100644 index 000000000..747520daf --- /dev/null +++ b/roles/debian/mattermost/defaults/main.yml @@ -0,0 +1,3 @@ +--- +mattermost: + version: 9.8.0 # 9.8.0 is current version (tarball) of team edition 
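Review bot: the nested `+ wazuh_manager_config:` / `+   active_responses:` in PATCH 168 now addresses the right key, but assigning `wazuh_manager_config` as a mapping with a single member replaces the whole dictionary: Ansible does not merge dictionaries across precedence levels by default, so any other keys the Wazuh manager role defines under `wazuh_manager_config` in its own defaults are dropped on this host. If that mapping has other members, pass the complete mapping from `wazuh.manager`, or build it with `combine()` over the role default.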
diff --git a/roles/debian/mattermost/handlers/main.yml b/roles/debian/mattermost/handlers/main.yml new file mode 100644 index 000000000..ac7b6cdeb --- /dev/null +++ b/roles/debian/mattermost/handlers/main.yml @@ -0,0 +1,10 @@ +- name: Reload systemd units and Restart Mattermost. + ansible.builtin.systemd_service: + state: restarted + daemon_reload: true + name: mattermost + +- name: Reload PostgreSQL. + ansible.builtin.systemd_service: + state: reloaded + name: postgresql diff --git a/roles/debian/mattermost/tasks/main.yml b/roles/debian/mattermost/tasks/main.yml new file mode 100644 index 000000000..4dddc1a21 --- /dev/null +++ b/roles/debian/mattermost/tasks/main.yml 
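Review bot: the `Reload PostgreSQL.` handler in `handlers/main.yml` is only useful when server configuration (`postgresql.conf`, `pg_hba.conf`) changes; creating a database, a role or a grant, which is what the tasks file notifies it for, takes effect immediately and needs no reload. Suggest dropping the `notify: Reload PostgreSQL.` lines from those three tasks, or keeping the handler for a later `pg_hba.conf` template task where it would actually apply.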
@@ -0,0 +1,73 @@ +--- +- name: Create a new database for mattermost. + community.postgresql.postgresql_db: + name: mattermost + comment: Mattermost Database + notify: Reload PostgreSQL. + +- name: Connect to mattermost database, create mattermost user, and grant access to database. + community.postgresql.postgresql_user: + db: mattermost + name: mmuser + password: "{{ _encrypted_mattermost_postgresql_pass }}" + notify: Reload PostgreSQL. + +- name: GRANT ALL PRIVILEGES ON DATABASE mattermost TO mattermost + community.postgresql.postgresql_privs: + db: postgres + privs: ALL + type: database + obj: mattermost + role: mmuser + notify: Reload PostgreSQL. + +- name: Check if we already have Mattermost installed. + ansible.builtin.stat: + path: "/opt/mattermost/bin/mattermost" + register: mattermost_bin + +- name: Check if Mattermost data directory exists. + ansible.builtin.stat: + path: "/opt/mattermost/data" + register: mattermost_data + +- name: "Fetch and extract Mattermost team version {{ mattermost.version }}." + ansible.builtin.unarchive: + src: "https://releases.mattermost.com/{{ mattermost.version }}/mattermost-team-{{ mattermost.version }}-linux-amd64.tar.gz" + dest: /opt + remote_src: true + when: + - not mattermost_bin.stat.exists + +- name: Create Mattermost data directory. + ansible.builtin.file: + path: /opt/mattermost/data + state: directory + mode: '0755' + when: + - not mattermost_data.stat.exists + +- name: Create mattermost user. + ansible.builtin.user: + name: mattermost + group: mattermost + system: true + +- name: Recursively set ownership of mattermost directory. + ansible.builtin.file: + path: /opt/mattermost + state: directory + recurse: true + owner: mattermost + group: mattermost + mode: g+w + +- name: Copy Mattermost systemd service def. 
+ ansible.builtin.template: + src: "mattermost_service.j2" + dest: "/lib/systemd/system/mattermost.service" + owner: root + group: root + mode: 0644 + force: true + notify: Reload systemd units and Restart Mattermost. diff --git a/roles/debian/mattermost/templates/mattermost_service.j2 b/roles/debian/mattermost/templates/mattermost_service.j2 new file mode 100644 index 000000000..c63507739 --- /dev/null +++ b/roles/debian/mattermost/templates/mattermost_service.j2 @@ -0,0 +1,20 @@ +[Unit] +Description=Mattermost +After=network.target +After=postgresql.service +BindsTo=postgresql.service + +[Service] +Type=notify +ExecStart=/opt/mattermost/bin/mattermost +TimeoutStartSec=3600 +KillMode=mixed +Restart=always +RestartSec=10 +WorkingDirectory=/opt/mattermost +User=mattermost +Group=mattermost +LimitNOFILE=49152 + +[Install] +WantedBy=multi-user.target From 1d52a29585b6a666079c276d636c4155530aea5b Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Thu, 27 Jun 2024 10:10:51 +0100 Subject: [PATCH 170/331] r68065 install python psycopg2 (#1791) --- roles/debian/mattermost/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/debian/mattermost/tasks/main.yml b/roles/debian/mattermost/tasks/main.yml index 4dddc1a21..d14364307 100644 --- a/roles/debian/mattermost/tasks/main.yml +++ b/roles/debian/mattermost/tasks/main.yml @@ -1,4 +1,13 @@ --- +# Install Python applications. +- name: Manage required pip packages. + ansible.builtin.include_role: + name: debian/python_pip_packages + vars: + python_pip_packages: + packages: + - name: psycopg2 + - name: Create a new database for mattermost. community.postgresql.postgresql_db: name: mattermost From f9356599b7f9b24b332dc557a820f43e3e86d13b Mon Sep 17 00:00:00 2001 
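Review bot: two least-privilege and supply-chain points in the `tasks/main.yml` hunk. `Fetch and extract Mattermost` uses `ansible.builtin.unarchive` with `remote_src: true` directly from `releases.mattermost.com` with no integrity check, so pinning `mattermost.version` still says nothing about the tarball's contents; suggest `ansible.builtin.get_url` with a `checksum:` value kept in defaults, then `unarchive` the downloaded file. `Recursively set ownership of mattermost directory` applies `mode: g+w` to all of `/opt/mattermost` with `group: mattermost`, the same group the unit file runs the service under, so the service account can rewrite `bin/mattermost`; restrict group-write to the directories Mattermost has to write (`data`, `config`, `logs`, `plugins`, `client/plugins`) and leave `bin` root-owned and read-only.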
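Review bot: the `mattermost_service.j2` hunk runs the service as a dedicated user but adds no systemd sandboxing; with `WorkingDirectory=/opt/mattermost` and a fixed `ExecStart` path, `ProtectSystem=full`, `PrivateTmp=true` and `NoNewPrivileges=true` under `[Service]` would contain a compromised process without changing normal operation (`ProtectSystem=strict` plus `ReadWritePaths=` for the writable Mattermost directories if you want to go further). Also `BindsTo=postgresql.service` together with `After=postgresql.service` is correct only when PostgreSQL runs on the same host; on a split deployment this unit will never start.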
From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Thu, 27 Jun 2024 11:19:29 +0100 Subject: [PATCH 171/331] r68065 use psycopg binary package as compiling creates depsolve issues (#1793) --- roles/debian/mattermost/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/mattermost/tasks/main.yml b/roles/debian/mattermost/tasks/main.yml index d14364307..cd25b2e09 100644 --- a/roles/debian/mattermost/tasks/main.yml +++ b/roles/debian/mattermost/tasks/main.yml @@ -6,7 +6,7 @@ vars: python_pip_packages: packages: - - name: psycopg2 + - name: psycopg2-binary - name: Create a new database for mattermost. community.postgresql.postgresql_db: From 996f67cbbbdbf63c450644cf9e4bc8030141a585 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Thu, 27 Jun 2024 12:41:52 +0100 Subject: [PATCH 172/331] permissions for postgres setup (#1795) --- roles/debian/mattermost/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/debian/mattermost/tasks/main.yml b/roles/debian/mattermost/tasks/main.yml index cd25b2e09..73522b089 100644 --- a/roles/debian/mattermost/tasks/main.yml +++ b/roles/debian/mattermost/tasks/main.yml @@ -12,6 +12,8 @@ community.postgresql.postgresql_db: name: mattermost comment: Mattermost Database + become_user: postgres + become: true notify: Reload PostgreSQL. - name: Connect to mattermost database, create mattermost user, and grant access to database. @@ -19,6 +21,8 @@ db: mattermost name: mmuser password: "{{ _encrypted_mattermost_postgresql_pass }}" + become_user: postgres + become: true notify: Reload PostgreSQL. - name: GRANT ALL PRIVILEGES ON DATABASE mattermost TO mattermost @@ -28,6 +32,8 @@ type: database obj: mattermost role: mmuser + become_user: postgres + become: true notify: Reload PostgreSQL. - name: Check if we already have Mattermost installed. From bcb83833221fd698b07b920263e3d157b3a9ecea Mon Sep 17 00:00:00 2001 
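Review bot: style point on the three PATCH 172 hunks: the identical `+ become_user: postgres` / `+ become: true` pairs added to each `community.postgresql.*` task would read better as one `block:` with `become` and `become_user` set once. While touching these tasks, the one named `GRANT ALL PRIVILEGES ON DATABASE mattermost TO mattermost` actually grants to `role: mmuser`, so the name should say `mmuser`.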
From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Thu, 27 Jun 2024 13:25:22 +0100 Subject: [PATCH 173/331] r68065 add mattermost group before user (#1797) --- roles/debian/mattermost/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/debian/mattermost/tasks/main.yml b/roles/debian/mattermost/tasks/main.yml index 73522b089..665e400d1 100644 --- a/roles/debian/mattermost/tasks/main.yml +++ b/roles/debian/mattermost/tasks/main.yml @@ -62,6 +62,12 @@ when: - not mattermost_data.stat.exists +- name: Create mattermost group. + ansible.builtin.group: + name: mattermost + system: true + state: present + - name: Create mattermost user. ansible.builtin.user: name: mattermost From c7e68a5b2c3bda1de5460df0848fa61d9324f630 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Mon, 1 Jul 2024 10:42:57 +0200 Subject: [PATCH 174/331] Updating-duplicity (#1804) --- roles/debian/duplicity/templates/duplicity_backup-b2.j2 | 2 +- roles/debian/duplicity/templates/duplicity_backup-s3.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/debian/duplicity/templates/duplicity_backup-b2.j2 b/roles/debian/duplicity/templates/duplicity_backup-b2.j2 index d819090c2..f7480a33e 100644 --- a/roles/debian/duplicity/templates/duplicity_backup-b2.j2 +++ b/roles/debian/duplicity/templates/duplicity_backup-b2.j2 @@ -25,7 +25,7 @@ REMOVE_OLDER_THAN="{{ duplicity.retention_period }}" # Args to pass to duplicity {% if duplicity.exclude_other_filesystems %} -backup_options="--full-if-older-than $FULL_BACKUPS --exclude-other-filesystems --num-retries=30" +backup_options="--full-if-older-than $FULL_BACKUPS --exclude-other-filesystems --num-retries=30 --allow-source-mismatch" {% else %} backup_options="--full-if-older-than $FULL_BACKUPS --num-retries=30" {% endif %} 
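Review bot: `--allow-source-mismatch` in the `duplicity_backup-b2.j2` hunk silences the check duplicity performs to stop a host from writing into a backup chain created from a different source (hostname or directory), and it is only added to the `exclude_other_filesystems` branch, so the `else` branch behaves differently for no stated reason. If the trigger is hostname changes on rebuilt servers, prefer giving the chain a stable `--name` in both branches so the check stays in place; otherwise add the flag to both branches with a comment explaining why a mismatch is expected.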
diff --git a/roles/debian/duplicity/templates/duplicity_backup-s3.j2 b/roles/debian/duplicity/templates/duplicity_backup-s3.j2 index 0a8fd0d64..b5bd1c670 100644 --- a/roles/debian/duplicity/templates/duplicity_backup-s3.j2 +++ b/roles/debian/duplicity/templates/duplicity_backup-s3.j2 @@ -25,7 +25,7 @@ REMOVE_OLDER_THAN="{{ duplicity.retention_period }}" # Args to pass to duplicity {% if duplicity.exclude_other_filesystems %} -backup_options="--full-if-older-than $FULL_BACKUPS --exclude-other-filesystems --num-retries=30 {{ duplicity.s3_options }}" +backup_options="--full-if-older-than $FULL_BACKUPS --exclude-other-filesystems --num-retries=30 {{ duplicity.s3_options }} --allow-source-mismatch" {% else %} backup_options="--full-if-older-than $FULL_BACKUPS --num-retries=30 {{ duplicity.s3_options }}" {% endif %} From 69e741ca3af16997631c848757393e55128f59d0 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Tue, 2 Jul 2024 12:58:02 +0200 Subject: [PATCH 175/331] enable mattermost systemd unit (#1810) --- roles/debian/mattermost/handlers/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/debian/mattermost/handlers/main.yml b/roles/debian/mattermost/handlers/main.yml index ac7b6cdeb..f6b99deea 100644 --- a/roles/debian/mattermost/handlers/main.yml +++ b/roles/debian/mattermost/handlers/main.yml @@ -1,6 +1,7 @@ - name: Reload systemd units and Restart Mattermost. ansible.builtin.systemd_service: state: restarted + enabled: true daemon_reload: true name: mattermost From 8694d1f53d2b776c5a93a72a839dc23d11bf254f Mon Sep 17 00:00:00 2001 
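Review bot: putting `+ enabled: true` in the `Reload systemd units and Restart Mattermost.` handler means the unit is only enabled when the handler fires, i.e. when the unit file changes; a host where the template is already in place but the unit was never enabled (after an interrupted earlier run, for instance) stays disabled across reboots. Suggest a dedicated task in `tasks/main.yml` (`ansible.builtin.systemd_service` with `name: mattermost`, `enabled: true`, `daemon_reload: true`) that runs on every play, and keep the handler for the restart only.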
From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Tue, 2 Jul 2024 17:27:14 +0200 Subject: [PATCH 176/331] nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type --- .../debian/mattermost/templates/mattermost.j2 | 55 +++++++++++++++++++ roles/debian/nginx/tasks/main.yml | 1 + 2 files changed, 56 insertions(+) create mode 100644 roles/debian/mattermost/templates/mattermost.j2 diff --git a/roles/debian/mattermost/templates/mattermost.j2 b/roles/debian/mattermost/templates/mattermost.j2 new file mode 100644 index 000000000..e809a0434 --- /dev/null +++ b/roles/debian/mattermost/templates/mattermost.j2 
@@ -0,0 +1,55 @@ +## SSL +ssl on; +ssl_session_timeout 1d; +# Enable TLS versions (TLSv1.3 is required upcoming HTTP/3 QUIC). +ssl_protocols TLSv1.2 TLSv1.3; +# Enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to +# prevent replay attacks. +# @see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data +ssl_early_data on; +ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384'; +ssl_prefer_server_ciphers on; +ssl_session_cache shared:SSL:50m; +# HSTS (ngx_http_headers_module is required) (15768000 seconds = six months) +add_header Strict-Transport-Security max-age=15768000; +# OCSP Stapling --- +# fetch OCSP records from URL in ssl_certificate and cache them +ssl_stapling on; +ssl_stapling_verify on; +add_header X-Early-Data $tls1_3_early_data; + +location ~ /api/v[0-9]+/(users/)?websocket$ { + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + client_max_body_size 50M; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_buffers 256 16k; + proxy_buffer_size 16k; + client_body_timeout 60s; + send_timeout 300s; + lingering_timeout 5s; + proxy_connect_timeout 90s; + proxy_send_timeout 300s; + proxy_read_timeout 90s; + proxy_http_version 1.1; + proxy_pass http://mattermost; +} + +location / { + client_max_body_size 100M; + proxy_set_header Connection ""; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_buffers 256 16k; + proxy_buffer_size 16k; + proxy_read_timeout 600s; + proxy_http_version 1.1; + 
proxy_pass http://mattermost; +} diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 54f3905dc..85c720068 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -74,6 +74,7 @@ - drupal10 - flat - matomo + - mattermost - mautic - proxy - simplesamlphp From e6637ca14d281aee69b75ad7d3083f192bc0510c Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Tue, 2 Jul 2024 17:52:03 +0200 Subject: [PATCH 177/331] ssl on handled by nginx role (#1814) --- roles/debian/mattermost/templates/mattermost.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/debian/mattermost/templates/mattermost.j2 b/roles/debian/mattermost/templates/mattermost.j2 index e809a0434..4582dd1e2 100644 --- a/roles/debian/mattermost/templates/mattermost.j2 +++ b/roles/debian/mattermost/templates/mattermost.j2 @@ -1,5 +1,4 @@ ## SSL -ssl on; ssl_session_timeout 1d; # Enable TLS versions (TLSv1.3 is required upcoming HTTP/3 QUIC). ssl_protocols TLSv1.2 TLSv1.3; From bcde5ae021c6f54ffba09e9279a712b12a17caf4 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Wed, 3 Jul 2024 10:12:10 +0200 Subject: [PATCH 178/331] fix mattermost nginx include (#1822) --- roles/debian/{mattermost => nginx}/templates/mattermost.j2 | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/debian/{mattermost => nginx}/templates/mattermost.j2 (100%) diff --git a/roles/debian/mattermost/templates/mattermost.j2 b/roles/debian/nginx/templates/mattermost.j2 similarity index 100% rename from roles/debian/mattermost/templates/mattermost.j2 rename to roles/debian/nginx/templates/mattermost.j2 From be379a563a009a1278303529c16dea2f1d960570 Mon Sep 17 00:00:00 2001 
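Review bot: `ssl_early_data on;` in the `mattermost.j2` hunk enables TLS 1.3 0-RTT, and the comment above it says to use `$ssl_early_data` when reverse proxying to prevent replay attacks, but neither `location` block forwards it, so a replayed 0-RTT request to a non-idempotent Mattermost API endpoint reaches the backend indistinguishable from a fresh one. Either set `ssl_early_data off;` or add `proxy_set_header Early-Data $ssl_early_data;` to both locations so the application can reject early-data writes. Separately, `proxy_set_header X-Frame-Options SAMEORIGIN;` sets a request header on the upstream call and does nothing for the browser; the response-header form is `add_header X-Frame-Options SAMEORIGIN;`, and because `add_header` directives at a lower level replace rather than extend those above, keep it at the same level as the HSTS header.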
From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Wed, 3 Jul 2024 13:21:45 +0200 Subject: [PATCH 179/331] remove unsupported nginx option (#1824) --- roles/debian/nginx/templates/mattermost.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/nginx/templates/mattermost.j2 b/roles/debian/nginx/templates/mattermost.j2 index 4582dd1e2..0942bb28c 100644 --- a/roles/debian/nginx/templates/mattermost.j2 +++ b/roles/debian/nginx/templates/mattermost.j2 @@ -15,7 +15,7 @@ add_header Strict-Transport-Security max-age=15768000; # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; -add_header X-Early-Data $tls1_3_early_data; +#add_header X-Early-Data $tls1_3_early_data; location ~ /api/v[0-9]+/(users/)?websocket$ { proxy_set_header Upgrade $http_upgrade; From a58040d29522802f56e43e4e3ac5ee4b1992585a Mon Sep 17 00:00:00 2001 
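Review bot: the `-add_header X-Early-Data $tls1_3_early_data;` / `+#add_header ...` change works around the config-test failure but leaves no record of why: `$tls1_3_early_data` is not an nginx variable (the `ngx_http_ssl_module` one is `$ssl_early_data`), which is the "unsupported option". Rather than a commented-out line, replace it with `proxy_set_header Early-Data $ssl_early_data;` inside the `location` blocks (an upstream request header, which is what the early-data comment in this file refers to), or delete the line with a comment naming the correct variable.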
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Mon, 8 Jul 2024 11:42:33 +0200 Subject: [PATCH 180/331] Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_backup/tasks/backup_plan.yml | 19 ++- roles/aws/aws_backup/tasks/main.yml | 9 ++ roles/aws/aws_backup/tasks/resource.yml | 16 ++ .../aws_backup_validation/defaults/main.yml | 11 ++ .../files/pass_role_backup.j2 | 12 ++ .../files/trusted_entitites.j2 | 12 ++ .../aws/aws_backup_validation/tasks/main.yml | 105 +++++++++++++ .../templates/EC2_validation.py.j2 | 144 ++++++++++++++++++ .../templates/RDS_validation.py.j2 | 124 +++++++++++++++ roles/aws/aws_resource_group/tasks/main.yml | 7 +- 10 files changed, 454 insertions(+), 5 deletions(-) create mode 100644 roles/aws/aws_backup_validation/defaults/main.yml create mode 100644 roles/aws/aws_backup_validation/files/pass_role_backup.j2 create mode 100644 roles/aws/aws_backup_validation/files/trusted_entitites.j2 create mode 100644 roles/aws/aws_backup_validation/tasks/main.yml create mode 100644 roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 create mode 100644 roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 diff --git a/roles/aws/aws_backup/tasks/backup_plan.yml b/roles/aws/aws_backup/tasks/backup_plan.yml index e808482e2..b79dee05c 100644 --- a/roles/aws/aws_backup/tasks/backup_plan.yml +++ b/roles/aws/aws_backup/tasks/backup_plan.yml 
@@ -41,7 +41,24 @@ register: _backup_plan_created_info when: _backup_plan_created is defined +- name: Check if the restore testing plan exists. + ansible.builtin.command: > + aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ plan.name | replace("-", "_") }}'] | [0]" --output json + register: _testing_plan_exists + +- name: Create restore testing plan if it doesn't exist. + ansible.builtin.command: > + aws backup create-restore-testing-plan --restore-testing-plan "RestoreTestingPlanName={{ plan.name | replace('-', '_') }},RecoveryPointSelection={Algorithm=LATEST_WITHIN_WINDOW,RecoveryPointTypes=[\"SNAPSHOT\"],IncludeVaults=[\"{{ _vault_info.stdout | from_json | json_query('BackupVaultArn') }}\"]},ScheduleExpression=\"cron(0 0 ? * SUN *)\"" --region {{ _aws_region }} + register: _testing_plan_created + when: _testing_plan_exists.stdout == "null" + +- name: Get info about newly created restore testing plan. + ansible.builtin.command: > + aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ plan.name | replace("-", "_") }}'] | [0]" + register: _testing_plan_created_info + when: _testing_plan_created is defined + - name: Tidy up and remove the yaml input file. ansible.builtin.file: path: "/tmp/aws_backup/{{ _infra_name }}/{{ plan.name }}-backup-yaml-input.yml" - state: absent \ No newline at end of file + state: absent diff --git a/roles/aws/aws_backup/tasks/main.yml b/roles/aws/aws_backup/tasks/main.yml index 75a039d64..b96202953 100644 --- a/roles/aws/aws_backup/tasks/main.yml +++ b/roles/aws/aws_backup/tasks/main.yml 
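Review bot: `when: _testing_plan_created is defined` on `Get info about newly created restore testing plan.` is always true, because `register:` assigns the variable even when the creating task is skipped by its own `when:`; the condition wanted is `_testing_plan_created is not skipped` (or `_testing_plan_created is changed`). Also, the two `aws backup list-restore-testing-plans` calls are read-only queries run through `ansible.builtin.command`, so they report `changed` on every run; add `changed_when: false` to both.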
@@ -28,6 +28,11 @@ - aws_backup.vault.encryption_key != "Default" - _vault_exists.stdout == "null" +- name: Get the backup vault info. + ansible.builtin.command: > + aws backup list-backup-vaults --region {{ _aws_region }} --query "BackupVaultList[?BackupVaultName=='{{ aws_backup.vault.name }}'] | [0]" --output json + register: _vault_info + - name: Create off-site backup vault without user-provided KMS key. ansible.builtin.command: > aws backup create-backup-vault --backup-vault-name {{ aws_backup.copy_vault.name }} --region {{ aws_backup.copy_vault.region }} @@ -60,3 +65,7 @@ loop_control: loop_var: plan when: aws_backup.plans | length + +- name: Include backup validation role. + ansible.builtin.include_role: + name: aws/aws_backup_validation diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml index c0c7277cf..95994cc70 100644 --- a/roles/aws/aws_backup/tasks/resource.yml +++ b/roles/aws/aws_backup/tasks/resource.yml @@ -4,6 +4,11 @@ aws backup list-backup-plans --region {{ _aws_region }} --query "BackupPlansList[?BackupPlanName=='{{ backup.backup_plan_name }}'] | [0]" --output json register: _backup_plan_info +- name: Get restore testing plan info. + ansible.builtin.command: > + aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ backup.backup_plan_name | replace("-", "_") }}'] | [0]" --output json + register: _testing_plan_info + - name: Gather AWS account ID if it isn't already set. amazon.aws.aws_caller_info: profile: "{{ _aws_profile }}" 
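Review bot: `Get the backup vault info.` in `aws_backup/tasks/main.yml` registers `_vault_info` from a query that returns the literal string `null` when the vault is absent, and `backup_plan.yml` later interpolates `_vault_info.stdout | from_json | json_query('BackupVaultArn')` into `IncludeVaults=[...]` without guarding for that, producing an empty ARN in the CLI call instead of a clear failure; add `failed_when: _vault_info.stdout == "null"` (or an `ansible.builtin.assert`) after the lookup. The same `changed_when: false` point applies to this query and to `Get restore testing plan info.` in `resource.yml`.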
@@ -59,3 +64,14 @@ ansible.builtin.command: > aws backup create-backup-selection --backup-plan-id {{ _backup_plan_info.stdout | from_json | json_query('BackupPlanId') }} --backup-selection "{\"SelectionName\":\"{{ backup.selection_name }}\",\"IamRoleArn\":\"{{ _iam_role_arn }}\",\"Resources\":[\"{{ _resource_arn }}\"]}" --region {{ _aws_region }} when: _selection_exists.stdout | length == 0 + +- name: Check if the restore testing selection exists. + ansible.builtin.command: > + aws backup list-restore-testing-selections --restore-testing-plan-name {{ _testing_plan_info.stdout | from_json | json_query('RestoreTestingPlanName') }} --query "RestoreTestingSelections[?RestoreTestingSelectionName=='{{ backup.selection_name | replace('-', '_') }}'].RestoreTestingSelectionName" --output text --region {{ _aws_region }} + register: _testing_selection_exists + when: _testing_plan_info.stdout != "null" + +- name: Assign resource to AWS restore testing plan. + ansible.builtin.command: > + aws backup create-restore-testing-selection --restore-testing-plan-name {{ _testing_plan_info.stdout | from_json | json_query('RestoreTestingPlanName') }} --restore-testing-selection "{\"RestoreTestingSelectionName\":\"{{ backup.selection_name | replace('-', '_') }}\",\"IamRoleArn\":\"{{ _iam_role_arn }}\",\"ProtectedResourceArns\":[\"{{ _resource_arn }}\"],\"ProtectedResourceType\":\"{{ backup.selection_name.split('-')[0] }}\",\"ValidationWindowHours\":1}" --region {{ _aws_region }} + when: _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 diff --git a/roles/aws/aws_backup_validation/defaults/main.yml b/roles/aws/aws_backup_validation/defaults/main.yml new file mode 100644 index 000000000..ae70325f3 --- /dev/null +++ b/roles/aws/aws_backup_validation/defaults/main.yml 
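Review bot: `ProtectedResourceType` in `Assign resource to AWS restore testing plan.` is derived from `backup.selection_name.split('-')[0]`, so the call only succeeds when every selection name begins with the exact resource-type token AWS expects (`EC2`, `RDS`, ...); a name such as `web-servers` fails at CLI time with a message unrelated to the real cause. Suggest an explicit `backup.resource_type` field, or an `ansible.builtin.assert` on the prefix before the command. Also `ValidationWindowHours: 1` is hard-coded while the validators below wait on SSM and sleep before reading command output; make it a variable alongside the other plan settings.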
@@ -0,0 +1,11 @@ +--- +aws_backup_validation: + name: 'RestoreValidation' + description: 'Restore validation for' + timeout: 60 + runtime: python3.12 + handler: "lambda_handler" + resources: + - EC2 + - RDS + #- EFS diff --git a/roles/aws/aws_backup_validation/files/pass_role_backup.j2 b/roles/aws/aws_backup_validation/files/pass_role_backup.j2 new file mode 100644 index 000000000..bf88ea507 --- /dev/null +++ b/roles/aws/aws_backup_validation/files/pass_role_backup.j2 @@ -0,0 +1,12 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "backup.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} diff --git a/roles/aws/aws_backup_validation/files/trusted_entitites.j2 b/roles/aws/aws_backup_validation/files/trusted_entitites.j2 new file mode 100644 index 000000000..fb84ae9de --- /dev/null +++ b/roles/aws/aws_backup_validation/files/trusted_entitites.j2 @@ -0,0 +1,12 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml new file mode 100644 index 000000000..3e45d2d91 --- /dev/null +++ b/roles/aws/aws_backup_validation/tasks/main.yml 
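Review bot: in the two trust-policy files, `trusted_entitites.j2` is misspelled (`entities`) and both are loaded with `lookup('file', ...)` from `files/`, so they are never rendered as Jinja templates; name them `.json` so the `.j2` suffix does not suggest templating. `pass_role_backup.j2` is a plain trust policy for `backup.amazonaws.com`, not a pass-role policy, so its name is misleading too; something like `backup_trust_policy.json` describes what it contains.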
@@ -0,0 +1,105 @@ +--- +- name: Create a role and attach policies + amazon.aws.iam_role: + name: LambdaBackupRestoreRole + assume_role_policy_document: "{{ lookup('file','trusted_entitites.j2') }}" + managed_policies: + - arn:aws:iam::aws:policy/AmazonEC2FullAccess + - arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy + - arn:aws:iam::aws:policy/AmazonRDSFullAccess + - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess + register: _created_iam_lambda_role + +- name: Create an IAM Managed Policy for passing roles + amazon.aws.iam_managed_policy: + policy_name: "PassRole" + policy: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: "iam:PassRole" + Resource: "*" + state: present + register: _pass_role + +- name: Update AWSBackupDefaultServiceRole + amazon.aws.iam_role: + name: AWSBackupDefaultServiceRole + assume_role_policy_document: "{{ lookup('file','pass_role_backup.j2') }}" + managed_policies: + - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup + - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores + - "{{ _pass_role.policy.arn }}" + +- name: Sleep for 20 seconds for IAM before Lambda creation + ansible.builtin.wait_for: + timeout: 20 + +- name: Clean and set python functions + block: + - name: Check and clean any previous Lambda files + ansible.builtin.file: + path: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py" + state: absent + loop: "{{ aws_backup_validation.resources }}" + + - name: Write Lambda functions + ansible.builtin.template: + src: "{{ item }}_validation.py.j2" + dest: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py" + loop: "{{ aws_backup_validation.resources }}" + + - name: Create a zip archive of Lambda functions + community.general.archive: + path: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py" + dest: "{{ _ce_provision_build_dir }}/{{ item }}_validation.zip" + format: zip + loop: "{{ aws_backup_validation.resources }}" + +- name: Create Lambda 
functions + amazon.aws.lambda: + name: "{{ aws_backup_validation.name }}_{{ item }}" + description: "{{ aws_backup_validation.description }} {{ item }} new comment to update function" + region: "{{ _aws_region }}" + timeout: "{{ aws_backup_validation.timeout }}" + zip_file: "{{ _ce_provision_build_dir }}/{{ item }}_validation.zip" + state: present + runtime: "{{ aws_backup_validation.runtime }}" + role: "{{ _created_iam_lambda_role.iam_role.arn }}" + handler: "{{ item }}_validation.{{ aws_backup_validation.handler }}" + tags: + Name: "{{ item }}_backup_validation" + register: _lambda_functions + loop: "{{ aws_backup_validation.resources }}" + +- name: Remove non UTF-8 item + ansible.builtin.set_fact: + _lambda_functions: "{{ _lambda_functions | ansible.utils.remove_keys(target=['ZipFile', 'location', 'item.invocation']) }}" + +- name: Create EventBridge + amazon.aws.cloudwatchevent_rule: + name: "{{ item.configuration.function_name }}" + description: "{{ item.configuration.description }}" + state: present + region: "{{ _aws_region }}" + event_pattern: '{ "source": ["aws.backup"], "detail-type": ["Restore Job State Change"], "detail": { "resourceType": ["{{ item.item }}"], "status": ["COMPLETED"] } }' + targets: + - id: "{{ item.configuration.function_name }}" + arn: "{{ (item.configuration.function_arn.split(':') | map('trim'))[:-1] | join(':') }}" # Remove the version number from ARN + register: _event_bridges + loop: "{{ _lambda_functions.results }}" + +- name: Generate unique string + ansible.builtin.set_fact: + _rand_str: "{{ lookup('community.general.random_string', length=8, special=false, min_lower=2, min_numeric=2, min_upper=2) }}" + +- name: Update Lambda policy + amazon.aws.lambda_policy: + state: present + function_name: "{{ item.item.configuration.function_name }}" + statement_id: "{{ item.item.configuration.function_name }}_{{ _rand_str }}" + action: lambda:InvokeFunction + principal: events.amazonaws.com + source_arn: "{{ item.rule.arn }}" + region: 
"{{ _aws_region }}" + loop: "{{ _event_bridges.results }}" diff --git a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 new file mode 100644 index 000000000..6fccac00e --- /dev/null +++ b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 
@@ -0,0 +1,144 @@ +import json +import boto3 +import socket +import time + +# Defining Clients +#s3_cli = boto3.client('s3', region_name='eu-west-2') +backup_cli = boto3.client('backup', region_name="{{ _aws_region }}") +ec2_cli = boto3.client("ec2", region_name="{{ _aws_region }}") +ssm_cli = boto3.client('ssm', region_name="{{ _aws_region }}") +ses_cli = boto3.client('ses', region_name="{{ _aws_region }}") + +# Debugger +#boto3.set_stream_logger('') + +def lambda_handler(event, context): + + mail_title = "" + mail_body = "" + + print("Gathering instance id.") + ec2_instance_id=event['detail']['createdResourceArn'].split("/",1)[1] + + print("Gathering instance details.") + ec2_instances=ec2_cli.describe_instances() + + instance_exist = False + + for reservation in ec2_instances["Reservations"]: + for instance in reservation["Instances"]: + if ec2_instance_id == instance["InstanceId"]: + tags = instance['Tags'] + instance_type = instance["InstanceType"] + private_ip = instance["PrivateIpAddress"] + mail_body = mail_body + "Instance is restored!\n" + instance_exist = True + + if instance_exist: + port = 22 + + print("Gathering instance name.") + instance_name = '' + for tag in tags: + if tag['Key'] == 'Name': + instance_name = tag['Value'] + + print("Testing connection!") + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.settimeout(5.0) + result = sock.connect_ex((private_ip,port)) + + print(result) + + # If result was not success + if result != 0: + mail_body = mail_body + "Connection on " + str(port) + " is not working, this could be caused by firewall not accepting connections.\n" + else: + mail_body = mail_body + "Connection on " + str(port) + " is working!\n" + + # Check if SSM is set up for instance + ssm_status = ssm_cli.get_connection_status(Target=ec2_instance_id) + + if ssm_status['Status'] == 'connected': + # Run scripts on EC2 + print("Creating script!") + script = """ + echo "Server info:" + hostnamectl + echo "Disk usage:" + df -h + """ 
+ + print("Running command!") + command_response = ssm_cli.send_command( + DocumentName ='AWS-RunShellScript', + Parameters = {'commands': [script]}, + InstanceIds = [ + ec2_instance_id + ] + ) + + print("Gathering commands details!") + time.sleep(10) + c_res = ssm_cli.get_command_invocation( + CommandId=command_response['Command']['CommandId'], + InstanceId=ec2_instance_id + ) + + print(c_res['StandardOutputContent']) + mail_title = "Success: " + instance_name + instance_message = "Instance " + instance_name + " - " + ec2_instance_id + " was restored.\n" + mail_body = mail_body + "SSM is working and these are the details of the instance:\n" + c_res['StandardOutputContent'] + + else: + mail_title = "Warning: " + instance_name + mail_body = mail_body + "SSM is not configured or accessible!\n" + + print("Validating Restore job!") + backup_cli.put_restore_validation_result( + RestoreJobId=event['detail']['restoreJobId'], + ValidationStatus="SUCCESSFUL", + ValidationStatusMessage="" + ) + + else: + print("Validating Restore job!") + backup_cli.put_restore_validation_result( + RestoreJobId=event['detail']['restoreJobId'], + ValidationStatus="FAILED", + ValidationStatusMessage="" + ) + + mail_title = "Failed!" + mail_body = mail_body + "Instance " + ec2_instance_id + " is not running!" + + print("Sending email!") + response = ses_cli.send_email( + Destination={ + 'BccAddresses': [ + ], + 'CcAddresses': [], + 'ToAddresses': [ + 'sysadm@codeenigma.com' + ], + }, + Message={ + 'Body': { + 'Text': { + 'Charset': 'UTF-8', + 'Data': mail_body, + }, + }, + 'Subject': { + 'Charset': 'UTF-8', + 'Data': 'Lambda Backup validation: ' + mail_title, + }, + }, + Source='Lambda Backup Validation ', + ) + + return { + 'statusCode': 200, + 'body': event + } diff --git a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 new file mode 100644 index 000000000..a50900756 --- /dev/null 
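Review bot: logic problem in `EC2_validation.py.j2`: `put_restore_validation_result` is called with `ValidationStatus="SUCCESSFUL"` on the whole `if instance_exist:` path regardless of what was observed, so a restored instance with port 22 closed and an SSM `Status` other than `connected` is still reported to AWS Backup as a successful restore test, and the only signal is the `Warning:` email subject. Derive the status from the checks (FAILED when SSM is unreachable or the script output is empty) so the restore-testing plan records real failures. Smaller points: `ec2_cli.describe_instances()` without `InstanceIds=[ec2_instance_id]` lists every instance in the region and scans them in Python; `instance_message` and `import json` are unused; the recipient `sysadm@codeenigma.com` is hard-coded in a template that already has role variables available; and `Source='Lambda Backup Validation '` as shown carries no mailbox address, which SES rejects, so check that the address in angle brackets survived.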
+++ b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 
@@ -0,0 +1,124 @@ +import json +import boto3 +import socket +import time + +# Defining Clients +#s3_cli = boto3.client('s3', region_name='eu-west-2') +backup_cli = boto3.client('backup', region_name="{{ _aws_region }}") +ec2_cli = boto3.client("ec2", region_name="{{ _aws_region }}") +rds_cli = boto3.client("rds", region_name="{{ _aws_region }}") +ssm_cli = boto3.client('ssm', region_name="{{ _aws_region }}") +ses_cli = boto3.client('ses', region_name="{{ _aws_region }}") + +# Debugger +#boto3.set_stream_logger('') + +def lambda_handler(event, context): + + mail_title = "" + mail_body = "" + + print("Gathering instance id.") + rds_instance_id=event['detail']['createdResourceArn'].split(":")[-1] + + print(rds_instance_id) + + print("Gathering instance details.") + rds_instance=rds_cli.describe_db_instances( + DBInstanceIdentifier=rds_instance_id + ) + + print("Get instance name with access to RDS") + for tag in rds_instance['DBInstances'][0]['TagList']: + if tag['Key']=='Name': + ec2_with_access=tag['Value'] + + new_endpoint = rds_instance['DBInstances'][0]['Endpoint']['Address'] + + print(ec2_with_access) + + print("Get all instances") + ec2_instances=ec2_cli.describe_instances() + + instance_exist = False + + print("Iterate to get id of EC2") + for reservation in ec2_instances["Reservations"]: + for instance in reservation["Instances"]: + for tag in instance['Tags']: + if ((tag['Key'] == "Name") and (tag['Value'] == ec2_with_access)): + print(tag['Key'] + " - " + tag['Value'] + " - " + instance["InstanceId"]) + ec2_instance_id = instance["InstanceId"] + + print(ec2_instance_id) + + # Run scripts on EC2 + print("Creating script!") + script = """ + old_host={{ '$' }}(grep host /home/deploy/.mysql.creds | awk -F= '{print $2}') + sed 's,old_host,{new_host},g' /home/deploy/.mysql.creds >> /home/deploy/.mysql.creds.tmp + mysql --defaults-file=/home/deploy/.mysql.creds.tmp -e "SELECT table_schema 'DB Name', ROUND(SUM(data_length + index_length) / 1024 / 1024, 1) 'DB Size 
in MB' FROM information_schema.tables GROUP BY table_schema;" + rm /home/deploy/.mysql.creds.tmp + """.format(new_host=new_endpoint) + + print("Running command!") + command_response = ssm_cli.send_command( + DocumentName ='AWS-RunShellScript', + Parameters = {'commands': [script]}, + InstanceIds = [ + ec2_instance_id + ] + ) + + print("Getting command output.") + time.sleep(30) + c_res = ssm_cli.get_command_invocation( + CommandId=command_response['Command']['CommandId'], + InstanceId=ec2_instance_id + ) + + print(c_res['StandardOutputContent']) + mail_title = "Success: " + ec2_with_access + instance_message = "RDS instance " + ec2_with_access + " was restored.\n" + conn_message = "Able to get information from " + new_endpoint + ":\n" + mail_body=instance_message + conn_message + c_res['StandardOutputContent'] + + print("Validating Restore job!") + backup_cli.put_restore_validation_result( + RestoreJobId=event['detail']['restoreJobId'], + ValidationStatus="SUCCESSFUL", + ValidationStatusMessage="" + ) + + print("Sending email!") + response = ses_cli.send_email( + Destination={ + 'BccAddresses': [ + ], + 'CcAddresses': [], + 'ToAddresses': [ + 'sysadm@codeenigma.com' + ], + }, + Message={ + 'Body': { + 'Text': { + 'Charset': 'UTF-8', + 'Data': mail_body, + }, + }, + 'Subject': { + 'Charset': 'UTF-8', + 'Data': 'Lambda Backup validation: ' + mail_title, + }, + }, + Source='Lambda Backup Validation ', + ) + + print(json.dumps(event)) + + return { + 'statusCode': 200, + 'body': json.dumps(event) + } diff --git a/roles/aws/aws_resource_group/tasks/main.yml b/roles/aws/aws_resource_group/tasks/main.yml index dff5e22bf..b94403bc6 100644 --- a/roles/aws/aws_resource_group/tasks/main.yml +++ b/roles/aws/aws_resource_group/tasks/main.yml 
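Review bot: in RDS_validation.py.j2 the `script` string is rendered with `.format(new_host=new_endpoint)` but also contains `awk -F= '{print $2}'`, and `str.format` treats `{print $2}` as a replacement field and raises `KeyError: 'print $2'` before any SSM command is sent, so the function fails on every invocation. Second, `sed 's,old_host,{new_host},g'` matches the literal text `old_host`, not the value of the shell variable assigned on the line above, so even once the KeyError is fixed the host in `.mysql.creds.tmp` is never replaced, the size query runs against the original database rather than `new_endpoint`, and the job is marked `SUCCESSFUL` on the strength of a check that never touched the restored instance. Both go away if the snippet is not passed through `str.format` at all: e.g. `script = SCRIPT.replace('__NEW_HOST__', new_endpoint)` with `sed "s,$old_host,__NEW_HOST__,g"` in the template (no braces to escape, and the shell variable actually expands). Related: `>>` appends, so a leftover `.mysql.creds.tmp` from a failed run accumulates entries (use `>` plus a `trap` that removes it), and the temp copy of the credentials file takes the default umask rather than the original mode, so set `umask 077` first. As in the EC2 template, `time.sleep(30)` plus `get_command_invocation` without a `Status` check can report empty output as success, and `ec2_with_access`/`ec2_instance_id` are only assigned inside the tag loops, so a missing `Name` tag surfaces as a `NameError` instead of a `FAILED` validation result. `socket` is imported but unused.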
@@ -1,8 +1,7 @@ --- - name: Run tasks for environment build ansible.builtin.include_tasks: env_resource_group.yml - when: _aws_resource_name is not defined -#- name: Run tasks for resource build -# ansible.builtin.include_tasks: resource_group.yml -# when: _aws_resource_name is defined +- name: Run tasks for resource build + ansible.builtin.include_tasks: resource_group.yml + when: _aws_resource_name is defined From 21ffa8d4798d801df0e6e3aae139a3ab55cdedd8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Tue, 9 Jul 2024 10:13:33 +0200 Subject: [PATCH 181/331] Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar --- docs/_Sidebar.md | 2 ++ docs/roles/aws/aws_backup_validation.md | 25 +++++++++++++++++++ docs/roles/aws/aws_resource_group.md | 7 ++++++ docs/roles/debian/wazuh.md | 15 ++++++++++- roles/aws/aws_backup/tasks/main.yml | 2 +- roles/aws/aws_backup_validation/README.md | 25 +++++++++++++++++++ .../aws_backup_validation/defaults/main.yml | 6 ++--- .../aws/aws_backup_validation/tasks/main.yml | 4 +-- roles/aws/aws_resource_group/README.md | 7 ++++++ roles/debian/wazuh/README.md | 15 ++++++++++- 10 files changed, 100 insertions(+), 8 deletions(-) create mode 100644 docs/roles/aws/aws_backup_validation.md create mode 100644 docs/roles/aws/aws_resource_group.md create mode 100644 roles/aws/aws_backup_validation/README.md create mode 100644 roles/aws/aws_resource_group/README.md diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 90b0fc558..e62b94d5b 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md 
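Review bot: in roles/aws/aws_resource_group/tasks/main.yml, dropping `when: _aws_resource_name is not defined` from the environment include while enabling the resource include with `when: _aws_resource_name is defined` means both task files run whenever `_aws_resource_name` is set; if the two were meant to stay mutually exclusive, keep the guard on the first include, and if running both is intended, a one-line comment saying so would save the next reader the question.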
@@ -9,6 +9,7 @@ - [AWS AMI ASG Cleanup](/roles/aws/aws_ami_asg_cleanup) - [AWS AMI](/roles/aws/aws_ami) - [AWS Backup](/roles/aws/aws_backup) + - [AWS Backup Validation](/roles/aws/aws_backup_validation) - [AWS CloudFront distribution](/roles/aws/aws_cloudfront_distribution) - [Cloudwatch log group](/roles/aws/aws_cloudwatch_log_group) - [Amazon credentials](/roles/aws/aws_credentials) @@ -23,6 +24,7 @@ - [AWS OpenSearch](/roles/aws/aws_opensearch) - [AWS key pair.](/roles/aws/aws_provision_ec2_keypair) - [AWS RDS](/roles/aws/aws_rds) + - [AWS Resource Group.](/roles/aws/aws_resource_group) - [AWS S3 Bucket](/roles/aws/aws_s3_bucket) - [AWS Security Groups](/roles/aws/aws_security_groups) - [AWS SNS](/roles/aws/aws_sns) diff --git a/docs/roles/aws/aws_backup_validation.md b/docs/roles/aws/aws_backup_validation.md new file mode 100644 index 000000000..3548fc7b0 --- /dev/null +++ b/docs/roles/aws/aws_backup_validation.md @@ -0,0 +1,25 @@ +# AWS Backup Validation + +Creates AWS Restore testing plan for EC2 and RDS, EventBridge rule that gets triggered by restore testing and Lambda backup validation that will check and notify about the restored instance. + + + + + +## Default variables +```yaml +--- +aws_backup_validation: + name: "RestoreValidation" + description: "Restore validation for" + timeout: 60 + runtime: "python3.12" + handler: "lambda_handler" + resources: + - EC2 + - RDS + #- EFS + +``` + + diff --git a/docs/roles/aws/aws_resource_group.md b/docs/roles/aws/aws_resource_group.md new file mode 100644 index 000000000..116ab32e4 --- /dev/null +++ b/docs/roles/aws/aws_resource_group.md @@ -0,0 +1,7 @@ +# AWS Resource Group. +Creates a Resource Group based on Environment and resource that is getting built. Once the resource group is created, AWS will automatically add or remove resources from groups. + + + + + diff --git a/docs/roles/debian/wazuh.md b/docs/roles/debian/wazuh.md index 7f4234057..1ead6377f 100644 --- a/docs/roles/debian/wazuh.md 
+++ b/docs/roles/debian/wazuh.md @@ -94,7 +94,20 @@ wazuh: wazuh_manager_email_log_source: alerts.log wazuh_manager_log_level: 3 wazuh_manager_email_level: 12 - wazuh_manager_whitelist: 1.1.1.1 + wazuh_manager_config: + active_responses: + - command: "firewall-drop" + location: "all" + rules_id: "31151,5712,104130,101071,101132,101238,101251,103011" + repeated_offenders: "30,60,120" + timeout: 600 + - command: "firewall-drop" + location: "all" + rules_id: "100205" + repeated_offenders: "30,60,120" + timeout: 3600 + wazuh_manager_globals: + - '1.1.1.1' agent_groups: [] # maps to `groups` string in agent config above wazuh_manager_extra_emails: [] # list of additional emails to send, e.g. #- enable: true diff --git a/roles/aws/aws_backup/tasks/main.yml b/roles/aws/aws_backup/tasks/main.yml index b96202953..5da2d0a14 100644 --- a/roles/aws/aws_backup/tasks/main.yml +++ b/roles/aws/aws_backup/tasks/main.yml @@ -66,6 +66,6 @@ loop_var: plan when: aws_backup.plans | length -- name: Include backup validation role. +- name: Include aws backup validation role. ansible.builtin.include_role: name: aws/aws_backup_validation diff --git a/roles/aws/aws_backup_validation/README.md b/roles/aws/aws_backup_validation/README.md new file mode 100644 index 000000000..3548fc7b0 --- /dev/null +++ b/roles/aws/aws_backup_validation/README.md @@ -0,0 +1,25 @@ +# AWS Backup Validation + +Creates AWS Restore testing plan for EC2 and RDS, EventBridge rule that gets triggered by restore testing and Lambda backup validation that will check and notify about the restored instance. + + + + + +## Default variables +```yaml +--- +aws_backup_validation: + name: "RestoreValidation" + description: "Restore validation for" + timeout: 60 + runtime: "python3.12" + handler: "lambda_handler" + resources: + - EC2 + - RDS + #- EFS + +``` + + diff --git a/roles/aws/aws_backup_validation/defaults/main.yml b/roles/aws/aws_backup_validation/defaults/main.yml index ae70325f3..0ae695134 100644 
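Review bot: in docs/roles/debian/wazuh.md the new `wazuh_manager_globals: - '1.1.1.1'` list replaces `wazuh_manager_whitelist` without saying what it is for; document it as the manager's white list (addresses that active responses must never block), because with two `firewall-drop` responses at `location: "all"` and `repeated_offenders: "30,60,120"` now shipped as defaults, any monitoring, bastion or deployment address missing from that list can be blocked for 600 s, escalating to 120 min on repeat. The example `1.1.1.1` should be marked as a placeholder so nobody ships the Cloudflare resolver as their whitelist, and the opaque `rules_id` strings deserve an inline comment per entry (what each rule group detects) so the default block policy can actually be reviewed.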
--- a/roles/aws/aws_backup_validation/defaults/main.yml +++ b/roles/aws/aws_backup_validation/defaults/main.yml @@ -1,9 +1,9 @@ --- aws_backup_validation: - name: 'RestoreValidation' - description: 'Restore validation for' + name: "RestoreValidation" + description: "Restore validation for" timeout: 60 - runtime: python3.12 + runtime: "python3.12" handler: "lambda_handler" resources: - EC2 diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index 3e45d2d91..d09acd6d1 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml @@ -2,7 +2,7 @@ - name: Create a role and attach policies amazon.aws.iam_role: name: LambdaBackupRestoreRole - assume_role_policy_document: "{{ lookup('file','trusted_entitites.j2') }}" + assume_role_policy_document: "{{ lookup('file', 'trusted_entitites.j2') }}" managed_policies: - arn:aws:iam::aws:policy/AmazonEC2FullAccess - arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy @@ -25,7 +25,7 @@ - name: Update AWSBackupDefaultServiceRole amazon.aws.iam_role: name: AWSBackupDefaultServiceRole - assume_role_policy_document: "{{ lookup('file','pass_role_backup.j2') }}" + assume_role_policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}" managed_policies: - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores diff --git a/roles/aws/aws_resource_group/README.md b/roles/aws/aws_resource_group/README.md new file mode 100644 index 000000000..116ab32e4 --- /dev/null +++ b/roles/aws/aws_resource_group/README.md @@ -0,0 +1,7 @@ +# AWS Resource Group. +Creates a Resource Group based on Environment and resource that is getting built. Once the resource group is created, AWS will automatically add or remove resources from groups. + + + + + 
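Review bot: in roles/aws/aws_backup_validation/tasks/main.yml the quoting fix is fine, but the surrounding context shows `LambdaBackupRestoreRole` carrying `arn:aws:iam::aws:policy/AmazonEC2FullAccess` (and `AmazonEFSCSIDriverPolicy`) while the two validation Lambdas only call `ec2:DescribeInstances`, `rds:DescribeDBInstances`, `ssm:GetConnectionStatus`/`ssm:SendCommand`/`ssm:GetCommandInvocation`, `backup:PutRestoreValidationResult` and `ses:SendEmail`; an inline policy scoped to those actions, with `ssm:SendCommand` restricted to the `AWS-RunShellScript` document and to the restored instances, would follow least privilege for a role that is assumable by Lambda and can run arbitrary shell on EC2. Also `trusted_entitites.j2` is misspelled on both sides of the hunk; worth a rename in a follow-up before the lookup is copy-pasted further.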
diff --git a/roles/debian/wazuh/README.md b/roles/debian/wazuh/README.md index 7f4234057..1ead6377f 100644 --- a/roles/debian/wazuh/README.md +++ b/roles/debian/wazuh/README.md @@ -94,7 +94,20 @@ wazuh: wazuh_manager_email_log_source: alerts.log wazuh_manager_log_level: 3 wazuh_manager_email_level: 12 - wazuh_manager_whitelist: 1.1.1.1 + wazuh_manager_config: + active_responses: + - command: "firewall-drop" + location: "all" + rules_id: "31151,5712,104130,101071,101132,101238,101251,103011" + repeated_offenders: "30,60,120" + timeout: 600 + - command: "firewall-drop" + location: "all" + rules_id: "100205" + repeated_offenders: "30,60,120" + timeout: 3600 + wazuh_manager_globals: + - '1.1.1.1' agent_groups: [] # maps to `groups` string in agent config above wazuh_manager_extra_emails: [] # list of additional emails to send, e.g. #- enable: true From f1e3478afde3bfb8d9f01f73b10f2aedd6a018d8 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Tue, 9 Jul 2024 10:00:26 +0100 Subject: [PATCH 182/331] initial commit - mattermost local backups (#1838) --- roles/debian/mattermost/tasks/main.yml | 33 +++++++++++++++++++ .../templates/mattermost_local_backups.sh.j2 | 10 ++++++ 2 files changed, 43 insertions(+) create mode 100644 roles/debian/mattermost/templates/mattermost_local_backups.sh.j2 diff --git a/roles/debian/mattermost/tasks/main.yml b/roles/debian/mattermost/tasks/main.yml index 665e400d1..f4692c60d 100644 --- a/roles/debian/mattermost/tasks/main.yml +++ b/roles/debian/mattermost/tasks/main.yml 
@@ -92,3 +92,36 @@ mode: 0644 force: true notify: Reload systemd units and Restart Mattermost. + +- name: Check if Mattermost local backups directory exists. + ansible.builtin.stat: + path: "/home/mattermost/backups" + register: mattermost_backups + +- name: Create Mattermost local backups directory. + ansible.builtin.file: + path: /home/mattermost/backups + state: directory + mode: '0755' + owner: mattermost + group: mattermost + when: + - not mattermost_backups.stat.exists + +- name: Copy Mattermost local backups script. + ansible.builtin.template: + src: "mattermost_local_backups.sh.j2" + dest: "/usr/local/bin/mattermost_local_backups.sh" + owner: root + group: root + mode: 0755 + force: true + +- name: Create systemd timer for Mattermost local backups. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: + mattermost_local_backups: + timer_command: /usr/local/bin/mattermost_local_backups.sh + timer_OnCalendar: "{{ mattermost.backups.on_calendar }}" diff --git a/roles/debian/mattermost/templates/mattermost_local_backups.sh.j2 b/roles/debian/mattermost/templates/mattermost_local_backups.sh.j2 new file mode 100644 index 000000000..fd8071638 --- /dev/null +++ b/roles/debian/mattermost/templates/mattermost_local_backups.sh.j2 @@ -0,0 +1,10 @@ +#!/bin/bash + +# Back up mattermost database +sudo -u postgres pg_dump mattermost | gzip > /home/mattermost/backups/mattermost_dbdump_$(date --rfc-3339=date).sql.gz + +# Back up mattermost data and configuration +sudo tar -zcvf /home/mattermost/backups/mattermost_data_$(date --rfc-3339=date).gz -C /opt/mattermost data config.json + +# Purge old local backups after two weeks +find /home/mattermost/backups -name "*.gz" -type f -mtime +15 -delete From 303e501cc1484a115917407dcb7987d141e164c5 Mon Sep 17 00:00:00 2001 
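Review bot: in the mattermost hunks the backup directory is created with `mode: '0755'` and the dumps are written by root via `sudo -u postgres pg_dump ... | gzip >` and `sudo tar`, so with a default umask the database dump and `config.json` (which holds the datasource connection string with its password) end up world-readable under `/home/mattermost/backups`; use `0700` on the directory (`owner: mattermost` is fine) and put `umask 077` at the top of the script. The script has no `set -euo pipefail`, so a failing `pg_dump` still leaves a small valid `.gz` and the timer reports success; `-mtime +15` contradicts the "after two weeks" comment (14); `tar -v` will fill the journal from the timer; and `mattermost.backups.on_calendar` is consumed by the timer but the diffstat shows no change to the role defaults, so hosts that do not set it fail with an undefined variable. The `stat` + `when: not mattermost_backups.stat.exists` pair is redundant, since `ansible.builtin.file` with `state: directory` is already idempotent.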
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 11 Jul 2024 11:01:53 +0200 Subject: [PATCH 183/331] r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar --- roles/debian/nginx/templates/vhosts.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/nginx/templates/vhosts.j2 b/roles/debian/nginx/templates/vhosts.j2 index 96546b61a..68f423926 100644 --- a/roles/debian/nginx/templates/vhosts.j2 +++ b/roles/debian/nginx/templates/vhosts.j2 @@ -32,7 +32,7 @@ server { {% if domain.ssl is defined and domain.ssl.handling == 'letsencrypt' %} {% if domain.ssl.web_server | default('standalone') == 'standalone' %} # Proxy for certbot (LetsEncrypt) - location /.well-known/acme-challenge/ { + location ^~/.well-known/acme-challenge/ { auth_basic off; proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri; } From a71e3b21fa3464419fe943c4daa87d4db64e8ac3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 11 Jul 2024 11:02:16 +0200 Subject: [PATCH 184/331] Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar --- roles/_meta/aws_region/meta/main.yml | 1 + roles/aws/aws_acl/README.md | 6 +++--- roles/aws/aws_acl/defaults/main.yml | 6 +++--- roles/aws/aws_acl/tasks/set_priority_dict.yml | 6 +++++- 4 files changed, 12 insertions(+), 7 deletions(-) diff --git a/roles/_meta/aws_region/meta/main.yml b/roles/_meta/aws_region/meta/main.yml index 6563d240f..935fc8939 100644 --- a/roles/_meta/aws_region/meta/main.yml +++ b/roles/_meta/aws_region/meta/main.yml 
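Review bot: in roles/debian/nginx/templates/vhosts.j2 the `^~` modifier is conventionally separated from the URI (`location ^~ /.well-known/acme-challenge/`); nginx parses the fused form too, but the spaced form matches the documentation and is easier to grep for. A one-line comment that `^~` stops regex locations declared elsewhere in the vhost from taking precedence over the challenge path would record why the change was needed.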
@@ -4,6 +4,7 @@ dependencies: - role: aws/aws_vpc - role: aws/aws_vpc_subnet - role: aws/aws_iam_role + - role: aws/aws_acl - role: aws/aws_cloudwatch_log_group - role: aws/aws_backup - role: aws/aws_backup_sns diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index fb2c8efb5..5994df551 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -17,11 +17,11 @@ aws_acl: rules: rate_limit: value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - priority: 2 + priority: 2 # can be float with 1 decimal place ip_sets: - name: "Allowed-ips" action: allow - priority: 1 + priority: 1 # can be float with 1 decimal place list: [] # If the list is empty, ip set won't be recreated #- 1.1.1.1/32 # list of ip ranges #- 2.2.2.2/32 @@ -36,7 +36,7 @@ aws_acl: country_codes: - name: "allowed-countries" action: allow - priority: 7 + priority: 0.2 list: - GB - HR diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index 786e5baf0..71e25ae20 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml @@ -8,11 +8,11 @@ aws_acl: rules: rate_limit: value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - priority: 2 + priority: 2 # can be float with 1 decimal place ip_sets: - name: "Allowed-ips" action: allow - priority: 1 + priority: 1 # can be float with 1 decimal place list: [] # If the list is empty, ip set won't be recreated #- 1.1.1.1/32 # list of ip ranges #- 2.2.2.2/32 @@ -27,7 +27,7 @@ aws_acl: country_codes: - name: "allowed-countries" action: allow - priority: 7 + priority: 0.2 list: - GB - HR diff --git a/roles/aws/aws_acl/tasks/set_priority_dict.yml b/roles/aws/aws_acl/tasks/set_priority_dict.yml index 9ca723ea2..a6029fd85 100644 --- a/roles/aws/aws_acl/tasks/set_priority_dict.yml +++ b/roles/aws/aws_acl/tasks/set_priority_dict.yml 
@@ -1,7 +1,11 @@ --- - name: Set dict string ansible.builtin.set_fact: - _priority_dict_string: "{ priority: {{ _priority }} }" + _priority_multiplied: "{{ ((_priority | float) * 10) | int }}" + +- name: Set dict string + ansible.builtin.set_fact: + _priority_dict_string: "{ priority: {{ _priority_multiplied }} }" - name: Set dict ansible.builtin.set_fact: From 2037c7495786f748b6ea3150f95895320966244c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Fri, 12 Jul 2024 09:52:21 +0200 Subject: [PATCH 185/331] Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar --- docs/roles/aws/aws_acl.md | 14 +++++++++----- roles/aws/aws_acl/README.md | 8 ++++++-- roles/aws/aws_acl/defaults/main.yml | 8 ++++++-- roles/aws/aws_acl/tasks/ip_sets.yml | 10 +++++----- 4 files changed, 26 insertions(+), 14 deletions(-) diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md index fb2c8efb5..e51964ec5 100644 --- a/docs/roles/aws/aws_acl.md +++ b/docs/roles/aws/aws_acl.md @@ -17,16 +17,20 @@ aws_acl: rules: rate_limit: value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - priority: 2 + priority: 2 # can be float with 1 decimal place ip_sets: - - name: "Allowed-ips" + - rule_name: "Allowed-ips" + set_name: "Office-IPs" + description: "List of IPs from office" action: allow - priority: 1 + priority: 1 # can be float with 1 decimal place list: [] # If the list is empty, ip set won't be recreated #- 1.1.1.1/32 # list of ip ranges #- 2.2.2.2/32 #- 3.3.3.3/32 - - name: "Blocked-ips" + - rule_name: "Blocked-IPs" + set_name: "DDOS-list" + description: "List of IPs That were ddosing server" action: block priority: 0 list: [] # If the list is empty, ip set won't be recreated 
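Review bot: in roles/aws/aws_acl/tasks/set_priority_dict.yml `((_priority | float) * 10) | int` truncates rather than rounds, so a one-decimal priority whose float product lands fractionally below the integer comes out one lower than intended and can collide with a neighbouring rule (WAF requires priorities to be unique within an ACL); use `| round | int`, and since the defaults now mix `0`, `0.2`, `1` and `2`, add an assert that the scaled priorities are distinct before the rule list is built. The README comment "can be float with 1 decimal place" should also say the value is scaled by 10 internally, so nobody picks `0.25`.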
@@ -36,7 +40,7 @@ aws_acl: country_codes: - name: "allowed-countries" action: allow - priority: 7 + priority: 0.2 list: - GB - HR diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index 5994df551..e51964ec5 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -19,14 +19,18 @@ aws_acl: value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking priority: 2 # can be float with 1 decimal place ip_sets: - - name: "Allowed-ips" + - rule_name: "Allowed-ips" + set_name: "Office-IPs" + description: "List of IPs from office" action: allow priority: 1 # can be float with 1 decimal place list: [] # If the list is empty, ip set won't be recreated #- 1.1.1.1/32 # list of ip ranges #- 2.2.2.2/32 #- 3.3.3.3/32 - - name: "Blocked-ips" + - rule_name: "Blocked-IPs" + set_name: "DDOS-list" + description: "List of IPs That were ddosing server" action: block priority: 0 list: [] # If the list is empty, ip set won't be recreated diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index 71e25ae20..ec0f1a0ac 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml @@ -10,14 +10,18 @@ aws_acl: value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking priority: 2 # can be float with 1 decimal place ip_sets: - - name: "Allowed-ips" + - rule_name: "Allowed-ips" + set_name: "Office-IPs" + description: "List of IPs from office" action: allow priority: 1 # can be float with 1 decimal place list: [] # If the list is empty, ip set won't be recreated #- 1.1.1.1/32 # list of ip ranges #- 2.2.2.2/32 #- 3.3.3.3/32 - - name: "Blocked-ips" + - rule_name: "Blocked-IPs" + set_name: "DDOS-list" + description: "List of IPs That were ddosing server" action: block priority: 0 list: [] # If the list is empty, ip set won't be recreated 
diff --git a/roles/aws/aws_acl/tasks/ip_sets.yml b/roles/aws/aws_acl/tasks/ip_sets.yml index bd0ac1376..416569f53 100644 --- a/roles/aws/aws_acl/tasks/ip_sets.yml +++ b/roles/aws/aws_acl/tasks/ip_sets.yml @@ -1,9 +1,9 @@ --- - name: Create IP set for WAF. community.aws.wafv2_ip_set: - name: "{{ _ip_set.name }}" + name: "{{ _ip_set.set_name }}" state: present - description: Set of blocked IPs + description: "{{ _ip_set.description }}" scope: "{{ _acl.scope }}" region: "{{ _acl.region }}" ip_address_version: IPV4 @@ -13,7 +13,7 @@ - name: Get IP set for WAF if. community.aws.wafv2_ip_set_info: - name: "{{ _ip_set.name }}" + name: "{{ _ip_set.set_name }}" scope: "{{ _acl.scope }}" region: "{{ _acl.region }}" when: _ip_set.list | length == 0 @@ -26,12 +26,12 @@ - name: Create IP set rule. ansible.builtin.set_fact: ip_set_rule: - name: "{{ _ip_set.name }}" + name: "{{ _ip_set.rule_name }}" action: "{{ _action | from_yaml }}" visibility_config: sampled_requests_enabled: true cloud_watch_metrics_enabled: true - metric_name: "{{ _ip_set.name }}" + metric_name: "{{ _ip_set.rule_name }}" statement: ip_set_reference_statement: arn: "{{ _ip_set_info.arn }}" From 6d519bd8c2d872ac9aa1478808e33e1c08f3e90d Mon Sep 17 00:00:00 2001 From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Fri, 12 Jul 2024 11:44:50 +0300 Subject: [PATCH 186/331] add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) --- roles/_meta/webserver/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/_meta/webserver/meta/main.yml b/roles/_meta/webserver/meta/main.yml index 00249c536..ea92145d0 100644 --- a/roles/_meta/webserver/meta/main.yml +++ b/roles/_meta/webserver/meta/main.yml @@ -1,6 +1,7 @@ --- dependencies: - { role: debian/ssh_server, when: ( is_local is not defined or not is_local ) } + - role: debian/php-common - role: _meta/common_base - role: debian/user_deploy - role: debian/mysql_client 
From 419387caf538f1424fa9d17385ca6bc43a71f973 Mon Sep 17 00:00:00 2001 From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Mon, 15 Jul 2024 17:26:02 +0300 Subject: [PATCH 187/331] fix_opensearch_vars (#1852) --- roles/aws/aws_opensearch/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_opensearch/tasks/main.yml b/roles/aws/aws_opensearch/tasks/main.yml index 39368148a..bf6ed22ab 100644 --- a/roles/aws/aws_opensearch/tasks/main.yml +++ b/roles/aws/aws_opensearch/tasks/main.yml @@ -6,7 +6,7 @@ vars: aws_security_groups: profile: "{{ aws_opensearch.aws_profile }}" - region: "{{ aws_opensearch.region }}" + region: "{{ aws_opensearch.aws_region }}" group_names: "{{ aws_opensearch.security_groups }}" return_type: ids when: aws_opensearch.security_groups | length > 0 From 184387abcd589f508232833e88fc54acd6d16c04 Mon Sep 17 00:00:00 2001 From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Mon, 15 Jul 2024 20:53:30 +0300 Subject: [PATCH 188/331] wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space --- roles/aws/aws_opensearch/defaults/main.yml | 2 ++ roles/aws/aws_opensearch/tasks/main.yml | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/aws/aws_opensearch/defaults/main.yml b/roles/aws/aws_opensearch/defaults/main.yml index 4ade9b84f..756ee4f5b 100644 --- a/roles/aws/aws_opensearch/defaults/main.yml +++ b/roles/aws/aws_opensearch/defaults/main.yml @@ -26,3 +26,5 @@ aws_opensearch: # value: 2 # unit: "HOURS" # cron_expression_for_recurrence: "cron(0 2 * * *)" + wait: true + wait_timeout: 1800 # Default is 300 seconds, but in fact the domain becomes available in about 30 minutes. diff --git a/roles/aws/aws_opensearch/tasks/main.yml b/roles/aws/aws_opensearch/tasks/main.yml index bf6ed22ab..9ef0edb89 100644 --- a/roles/aws/aws_opensearch/tasks/main.yml 
+++ b/roles/aws/aws_opensearch/tasks/main.yml @@ -50,4 +50,5 @@ desired_state: "{{ aws_opensearch.auto_tune }}" maintenance_schedules: "{{ aws_opensearch.auto_tune_maintenance_schedules | default(omit) }}" tags: "{{ aws_opensearch.tags }}" - wait: true + wait: "{{ aws_opensearch.wait }}" + wait_timeout: "{{ aws_opensearch.wait_timeout }}" From 6a3163794e0b9cd96cbcfed3b8517ee619d5ef6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 17 Jul 2024 06:57:42 +0200 Subject: [PATCH 189/331] Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar --- roles/aws/aws_acl/tasks/ip_sets.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/aws/aws_acl/tasks/ip_sets.yml b/roles/aws/aws_acl/tasks/ip_sets.yml index 416569f53..fd9870179 100644 --- a/roles/aws/aws_acl/tasks/ip_sets.yml +++ b/roles/aws/aws_acl/tasks/ip_sets.yml @@ -9,14 +9,12 @@ ip_address_version: IPV4 addresses: "{{ _ip_set.list }}" when: _ip_set.list | length > 0 - register: _ip_set_info -- name: Get IP set for WAF if. +- name: Get IP set details. community.aws.wafv2_ip_set_info: name: "{{ _ip_set.set_name }}" scope: "{{ _acl.scope }}" region: "{{ _acl.region }}" - when: _ip_set.list | length == 0 register: _ip_set_info - name: Set action string From 8c3f3cf1758d1cb4156d7fa56c32e401e0ec4fd6 Mon Sep 17 00:00:00 2001 
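Review bot: in roles/aws/aws_acl/tasks/ip_sets.yml the info lookup now runs unconditionally, which is simpler, but when `_ip_set.list` is empty and no set named `_ip_set.set_name` exists yet, the `_ip_set_info.arn` consumed by the `ip_set_reference_statement` will not resolve and the failure surfaces later as an undefined-variable error; add an `ansible.builtin.assert` on `_ip_set_info.arn is defined` with a message naming the set. With `register` removed from the create task, that lookup is now the only source of the ARN, which is fine as long as the assert is there.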
From: Greg Harvey Date: Thu, 18 Jul 2024 15:07:34 +0200 Subject: [PATCH 190/331] Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. --- docs/roles/_init.md | 3 ++- docs/roles/aws/aws_opensearch.md | 2 ++ roles/_init/README.md | 3 ++- roles/_init/defaults/main.yml | 3 ++- roles/_init/tasks/main.yml | 43 ++++++++++++++++-------------- roles/aws/aws_opensearch/README.md | 2 ++ 6 files changed, 33 insertions(+), 23 deletions(-) diff --git a/docs/roles/_init.md b/docs/roles/_init.md index 27d3629e3..0f40180e3 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md 
@@ -27,7 +27,8 @@ _init: force_play: false lock_file: /tmp/ce-provision-lock deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy - ce_provision_version: 2.x # Outputted by the _init role at the start of plays. + ce_provision_version: 2.x # Outputted by the _init role at the start of plays + install_ansible: true # set to false to not install Ansible in a venv # Although these variables logically belong with ce_provision, the _init role needs to # gather the extra variables if there are any, so there are _init variables. diff --git a/docs/roles/aws/aws_opensearch.md b/docs/roles/aws/aws_opensearch.md index c27085bfa..f952e3e08 100644 --- a/docs/roles/aws/aws_opensearch.md +++ b/docs/roles/aws/aws_opensearch.md @@ -35,6 +35,8 @@ aws_opensearch: # value: 2 # unit: "HOURS" # cron_expression_for_recurrence: "cron(0 2 * * *)" + wait: true + wait_timeout: 1800 # Default is 300 seconds, but in fact the domain becomes available in about 30 minutes. ``` diff --git a/roles/_init/README.md b/roles/_init/README.md index 27d3629e3..0f40180e3 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md @@ -27,7 +27,8 @@ _init: force_play: false lock_file: /tmp/ce-provision-lock deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy - ce_provision_version: 2.x # Outputted by the _init role at the start of plays. + ce_provision_version: 2.x # Outputted by the _init role at the start of plays + install_ansible: true # set to false to not install Ansible in a venv # Although these variables logically belong with ce_provision, the _init role needs to # gather the extra variables if there are any, so there are _init variables. diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index 8c2646bd8..97a5ad1bf 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml 
@@ -17,7 +17,8 @@ _init: force_play: false lock_file: /tmp/ce-provision-lock deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy - ce_provision_version: 2.x # Outputted by the _init role at the start of plays. + ce_provision_version: 2.x # Outputted by the _init role at the start of plays + install_ansible: true # set to false to not install Ansible in a venv # Although these variables logically belong with ce_provision, the _init role needs to # gather the extra variables if there are any, so there are _init variables. diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml index 4abe95653..457afa494 100644 --- a/roles/_init/tasks/main.yml +++ b/roles/_init/tasks/main.yml 
@@ -123,23 +123,26 @@ # Install Ansible under the controller user for all servers # Ensure ansible_connection == 'ssh' (i.e. we are connecting to a server) before executing - name: Install Ansible. - ansible.builtin.include_role: - name: debian/user_provision - when: ansible_connection == 'ssh' - -- name: Install Ansible. - ansible.builtin.include_role: - name: debian/ansible - vars: - ce_ansible: - venv_path: "{{ _venv_path }}" - venv_command: "{{ _venv_command }}" - install_username: "{{ _venv_install_username }}" - upgrade: - enabled: true - command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" - on_calendar: "*-*-* 01:30:00" - timer_name: "{{ _ce_ansible_timer_name }}" - linters: - enabled: false - when: ansible_connection == 'ssh' + when: + - ansible_connection == 'ssh' + - install_ansible + block: + - name: Install ce-provision user. + ansible.builtin.include_role: + name: debian/user_provision + + - name: Install Ansible. + ansible.builtin.include_role: + name: debian/ansible + vars: + ce_ansible: + venv_path: "{{ _venv_path }}" + venv_command: "{{ _venv_command }}" + install_username: "{{ _venv_install_username }}" + upgrade: + enabled: true + command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" + on_calendar: "*-*-* 01:30:00" + timer_name: "{{ _ce_ansible_timer_name }}" + linters: + enabled: false diff --git a/roles/aws/aws_opensearch/README.md b/roles/aws/aws_opensearch/README.md index c27085bfa..f952e3e08 100644 --- a/roles/aws/aws_opensearch/README.md +++ b/roles/aws/aws_opensearch/README.md @@ -35,6 +35,8 @@ aws_opensearch: # value: 2 # unit: "HOURS" # cron_expression_for_recurrence: "cron(0 2 * * *)" + wait: true + wait_timeout: 1800 # Default is 300 seconds, but in fact the domain becomes available in about 30 minutes. ``` From bcee99626272eee8f841827e9f3e55b8df9bc725 Mon Sep 17 00:00:00 2001 
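Review bot: the new `when:` on the install block tests a bare `install_ansible` variable, while the defaults and README hunks in this same patch define the flag as `install_ansible: true` nested under the `_init:` dictionary, so the condition should read `- _init.install_ansible`; as written it will either hit an undefined variable or pick up an unrelated top-level var. Wrapping both `include_role` tasks in one block is otherwise a good simplification, and renaming the first task to `Install ce-provision user.` fixes the duplicate `Install Ansible.` task name.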
From: Greg Harvey Date: Thu, 18 Jul 2024 15:19:03 +0200 Subject: [PATCH 191/331] Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. --- .ansible-lint | 2 +- .yamllint | 3 +++ roles/_init/tasks/main.yml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 390760f80..02d2d1c31 100644 --- a/.ansible-lint +++ b/.ansible-lint 
@@ -15,4 +15,4 @@ skip_list: - name[template] # it doesn't like Jinja templates being in the middle of a task name, which seems silly to me. - name[casing] # sometimes included Galaxy roles break linting rules and cause failures exclude_paths: - - roles/debian/wazuh/ # imported role uses yes/no instead of true/false so always fails + - roles/contrib/ # we don't control these roles diff --git a/.yamllint b/.yamllint index 8287b967d..0247745fe 100644 --- a/.yamllint +++ b/.yamllint @@ -18,3 +18,6 @@ rules: new-line-at-end-of-file: disable new-lines: {type: unix} trailing-spaces: enable + +ignore: + - roles/contrib/ diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml index 457afa494..3207c13f4 100644 --- a/roles/_init/tasks/main.yml +++ b/roles/_init/tasks/main.yml @@ -125,7 +125,7 @@ - name: Install Ansible. when: - ansible_connection == 'ssh' - - install_ansible + - _init.install_ansible block: - name: Install ce-provision user. ansible.builtin.include_role: From cdb037fafe705f99d379c56b0e52e4a9b9a670f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:50:56 +0200 Subject: [PATCH 192/331] Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar --- roles/aws/aws_acl/tasks/create_acl.yml | 4 ++-- .../aws/aws_backup_validation/templates/RDS_validation.py.j2 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/aws/aws_acl/tasks/create_acl.yml b/roles/aws/aws_acl/tasks/create_acl.yml index 5a48ca9de..431334714 100644 --- a/roles/aws/aws_acl/tasks/create_acl.yml +++ b/roles/aws/aws_acl/tasks/create_acl.yml 
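Review bot: the removed `exclude_paths` entry recorded that `roles/debian/wazuh/` was excluded because the imported role uses yes/no booleans; the replacement only excludes `roles/contrib/`, so `roles/debian/wazuh/` (still edited by later patches in this series) is linted again by both ansible-lint and yamllint. Confirm the Wazuh role has actually moved under `roles/contrib/` or that its yes/no values were fixed, otherwise CI will start failing on it.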
@@ -63,8 +63,8 @@ - name: Create Bot Control rule. ansible.builtin.include_tasks: bot_control.yml when: - - _acl.rules.botControl is defined - - _acl.rules.botControl.enabled + - _acl.rules.bot_control is defined + - _acl.rules.bot_control.enabled - name: Create regular rules. ansible.builtin.include_tasks: regular_rule.yml diff --git a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 index a50900756..9ee36f72b 100644 --- a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 +++ b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 @@ -56,7 +56,7 @@ def lambda_handler(event, context): # Run scripts on EC2 print("Creating script!") script = """ - old_host={{ '$' }}(grep host /home/deploy/.mysql.creds | awk -F= '{print $2}') + old_host={{ '$' }}(grep host /home/deploy/.mysql.creds | awk -F= '{{ '{{' }}print $2 {{ '}}' }}') sed 's,old_host,{new_host},g' /home/deploy/.mysql.creds >> /home/deploy/.mysql.creds.tmp mysql --defaults-file=/home/deploy/.mysql.creds.tmp -e "SELECT table_schema 'DB Name', ROUND(SUM(data_length + index_length) / 1024 / 1024, 1) 'DB Size in MB' FROM information_schema.tables GROUP BY table_schema;" rm /home/deploy/.mysql.creds.tmp From 1678f2a7ee3d3c3ee90203b2f58750de6b898417 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 30 Jul 2024 18:15:07 +0200 Subject: [PATCH 193/331] Updating-user-ansible-vars (#1864) --- roles/debian/user_ansible/defaults/main.yml | 1 + roles/debian/user_ansible/tasks/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/debian/user_ansible/defaults/main.yml b/roles/debian/user_ansible/defaults/main.yml index c3cb758e8..541dd6f24 100644 --- a/roles/debian/user_ansible/defaults/main.yml +++ b/roles/debian/user_ansible/defaults/main.yml 
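Review bot: renaming the config key from `botControl` to `bot_control` is a breaking change that fails silently: because the guard is `_acl.rules.bot_control is defined`, a config repo still using `botControl` will not error but will simply stop creating the Bot Control rule, removing bot protection from the web ACL with no warning. Either accept both spellings for a deprecation period or add an `ansible.builtin.assert` that fails when `_acl.rules.botControl` is present, and note the rename in the role README.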
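Review bot: the `{{ '{{' }}print $2 {{ '}}' }}` construction in `RDS_validation.py.j2` is correct but needs a comment explaining it: the `script` string passes through Jinja and then, judging by the `{new_host}` placeholder on the `sed` line, through Python's `str.format`, so the awk braces must survive both (Jinja emits `{{`, `str.format` reduces that to `{`). Separately, the unchanged lines copy the MySQL credentials file with `>>` into `/home/deploy/.mysql.creds.tmp`; append mode means a leftover file from an interrupted run gets a second copy, so use `>` and set `umask 077` before the redirect so the temporary credentials copy is not readable by other accounts on the test instance.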
@@ -6,6 +6,7 @@ user_ansible: home: "/home/{{ _user_ansible_username }}" create: true # if you know the user already exists, set this to false to not create the user. create_home: true + update_password: always # Optional Linux uid and gid for user # uid: 999 # gid: 999 diff --git a/roles/debian/user_ansible/tasks/main.yml b/roles/debian/user_ansible/tasks/main.yml index e77e698b0..e8b27767b 100644 --- a/roles/debian/user_ansible/tasks/main.yml +++ b/roles/debian/user_ansible/tasks/main.yml @@ -26,6 +26,7 @@ home: "{{ user_ansible.home }}" password: "*" groups: "{{ user_ansible.groups }}" + update_password: "{{ user_ansible.update_password }}" when: user_ansible.create - name: Add user to sudoers. From 1ffa2ada351607f88d41e1aca04a82f1bae0147f Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 30 Jul 2024 18:27:09 +0200 Subject: [PATCH 194/331] Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax --- roles/debian/user_ansible/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/user_ansible/defaults/main.yml b/roles/debian/user_ansible/defaults/main.yml index 541dd6f24..1a55b39f0 100644 --- a/roles/debian/user_ansible/defaults/main.yml +++ b/roles/debian/user_ansible/defaults/main.yml @@ -6,7 +6,7 @@ user_ansible: home: "/home/{{ _user_ansible_username }}" create: true # if you know the user already exists, set this to false to not create the user. create_home: true - update_password: always + update_password: "always" # Optional Linux uid and gid for user # uid: 999 # gid: 999 From acb8ae9a00e3be87835c18114855a9ba48b5a8f5 Mon Sep 17 00:00:00 2001 
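Review bot: `update_password: always` together with the hard-coded `password: "*"` in the task means every run re-asserts a locked password, which is the right default for a service account that should authenticate with SSH keys only; the consequence worth stating in the comment next to the new variable is that any password hash set on this account out of band will be overwritten with `*` on the next run, and that setting the variable to `on_create` is the way to opt out of that.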
From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Wed, 31 Jul 2024 11:37:55 +0300 Subject: [PATCH 195/331] add_vars_to_user_deploy_user_provision (#1869) --- roles/debian/user_ansible/defaults/main.yml | 6 +++--- roles/debian/user_deploy/defaults/main.yml | 6 ++++++ roles/debian/user_provision/defaults/main.yml | 7 +++++++ 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/roles/debian/user_ansible/defaults/main.yml b/roles/debian/user_ansible/defaults/main.yml index 1a55b39f0..acebeab30 100644 --- a/roles/debian/user_ansible/defaults/main.yml +++ b/roles/debian/user_ansible/defaults/main.yml @@ -7,14 +7,14 @@ user_ansible: create: true # if you know the user already exists, set this to false to not create the user. create_home: true update_password: "always" - # Optional Linux uid and gid for user + # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet + # This is shown for documentation, you should do this in your config repo # uid: 999 # gid: 999 # Local username of the deploy user. utility_host: "localhost" utility_username: "{{ _user_ansible_username }}" - sudoer: - false + sudoer: false # List of additional groups to add the user to. groups: [] # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). diff --git a/roles/debian/user_deploy/defaults/main.yml b/roles/debian/user_deploy/defaults/main.yml index 711f53c89..dc22f8164 100644 --- a/roles/debian/user_deploy/defaults/main.yml +++ b/roles/debian/user_deploy/defaults/main.yml @@ -7,6 +7,7 @@ user_deploy: home: "/home/{{ _user_deploy_username }}" create: true # if you know the user already exists, set this to false to not create the user. create_home: true + update_password: "always" # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet # This is shown for documentation, you should do this in your config repo # uid: 989 
@@ -18,8 +19,13 @@ user_deploy: # List of additional groups to add the user to. groups: - docker # add the docker group so we can do container builds + # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). ssh_keys: [] + # List of SSH private keys to add to server. These must be provided as strings (content of the private key). + # Be sure to store securely using SOPS or similar. # If you add more than one key here, make sure the original private key of your deploy server is the first. ssh_private_keys: [] + # List of hostnames to add to known_hosts. known_hosts: [] + # Whether or not to hash any provided hosts for known_hosts. known_hosts_hash: true diff --git a/roles/debian/user_provision/defaults/main.yml b/roles/debian/user_provision/defaults/main.yml index a1c8799cf..7d07a8cc2 100644 --- a/roles/debian/user_provision/defaults/main.yml +++ b/roles/debian/user_provision/defaults/main.yml @@ -6,6 +6,7 @@ user_provision: home: "/home/{{ _user_provision_username }}" create: true # if you know the user already exists, set this to false to not create the user. create_home: true + update_password: "always" # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet # This is shown for documentation, you should do this in your config repo # uid: 988 
@@ -14,9 +15,15 @@ user_provision: utility_host: "localhost" utility_username: "{{ _user_provision_username }}" sudoer: true + # List of additional groups to add the user to. groups: [] + # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). ssh_keys: [] + # List of SSH private keys to add to server. These must be provided as strings (content of the private key). + # Be sure to store securely using SOPS or similar. # If you add more than one key here, make sure the original private key of your infra controller server is the first. ssh_private_keys: [] + # List of hostnames to add to known_hosts. known_hosts: [] + # Whether or not to hash any provided hosts for known_hosts. known_hosts_hash: true From 0fea705fd74f611637c1a75b09e0ef86b2346a01 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 31 Jul 2024 13:03:47 +0200 Subject: [PATCH 196/331] Disabling-general-log-mariadb (#1871) --- .../debian/mysql_server_mariadb/templates/mysql_dev.cnf.j2 | 6 +++--- .../mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/debian/mysql_server_mariadb/templates/mysql_dev.cnf.j2 b/roles/debian/mysql_server_mariadb/templates/mysql_dev.cnf.j2 index 3b55b82dd..79b633f9c 100644 --- a/roles/debian/mysql_server_mariadb/templates/mysql_dev.cnf.j2 +++ b/roles/debian/mysql_server_mariadb/templates/mysql_dev.cnf.j2 @@ -1,11 +1,11 @@ [mysqld] bind-address = 0.0.0.0 -character_set_server = utf8 +character_set_server = utf8 collation_server = utf8_general_ci slow_query_log = 1 slow_query_log_file = /var/log/mysql/slow-query.log log_slow_admin_statements = 1 -general_log = 1 +general_log = 0 log_queries_not_using_indexes = 1 long_query_time = {{ mysql_server.long_query_time }} skip-host-cache 
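Review bot: `update_password: "always"` is added to the defaults of `user_deploy` and `user_provision`, but the diffstat lists only the three defaults files, so the `ansible.builtin.user` tasks of those two roles do not yet read `user_deploy.update_password` / `user_provision.update_password` the way patch 193 wired it into `user_ansible`; the new variable is a no-op until the tasks are updated. The added comment that `ssh_private_keys` must be stored encrypted (SOPS or similar) is a welcome addition, since those defaults now document where private key material enters the role.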
@@ -35,4 +35,4 @@ innodb_io_capacity = 400 innodb_file_per_table= 1 innodb_flush_log_at_trx_commit = 1 sync_binlog= 100 -innodb_stats_on_metadata = 0 \ No newline at end of file +innodb_stats_on_metadata = 0 diff --git a/roles/debian/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 b/roles/debian/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 index 5f160cf02..cda61171b 100644 --- a/roles/debian/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 +++ b/roles/debian/mysql_server_oracle_ce/templates/mysql_dev.cnf.j2 @@ -1,12 +1,12 @@ [mysqld] bind-address = 0.0.0.0 -character_set_server = utf8 +character_set_server = utf8 collation_server = utf8_general_ci log_error_services = 'log_filter_internal; log_sink_syseventlog' # change to log_syslog = 1 for MySQL 5.7 and lower slow_query_log = 1 slow_query_log_file = /var/log/mysql/slow-query.log log_slow_admin_statements = 1 -general_log = 1 +general_log = 0 log_queries_not_using_indexes = 1 long_query_time = {{ mysql_server.long_query_time }} skip-host-cache From 8facd998298a8b34851084ee3533a6321f6907c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 1 Aug 2024 10:04:03 +0200 Subject: [PATCH 197/331] Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar --- roles/aws/aws_acl/tasks/create_acl.yml | 31 +----------------------- roles/aws/aws_acl/tasks/rate_limit.yml | 33 ++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 30 deletions(-) create mode 100644 roles/aws/aws_acl/tasks/rate_limit.yml diff --git a/roles/aws/aws_acl/tasks/create_acl.yml b/roles/aws/aws_acl/tasks/create_acl.yml index 431334714..8b1f1db36 100644 --- a/roles/aws/aws_acl/tasks/create_acl.yml +++ b/roles/aws/aws_acl/tasks/create_acl.yml 
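Review bot: switching `general_log` to `0` is the right default: the general log records every statement, including any carrying credentials or user data, and grows without bound. The unchanged `bind-address = 0.0.0.0` in the same two `mysql_dev.cnf.j2` templates still listens on every interface, so these templates must remain a dev-only profile and the role should not select them on hosts reachable from outside the local network; a one-line comment above `bind-address` saying so would prevent that misuse. The `character_set_server = utf8` lines appear to change whitespace only.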
@@ -26,39 +26,10 @@ loop_var: _cc_set - name: Set rate limit variable. + ansible.builtin.include_tasks: rate_limit.yml when: - _acl.rules.rate_limit is defined - _acl.rules.rate_limit.value > 0 - block: - - name: Set rate based statement from template - ansible.builtin.set_fact: - _rbs: "{{ lookup('ansible.builtin.template', './rate_limit.j2') | from_yaml }}" - - - name: Define rate rule. - ansible.builtin.set_fact: - rate_rule: - name: Rate_limit - action: - block: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: rate_limit - Statement: - rate_based_statement: "{{ _rbs }}" - - - name: Set priority. - ansible.builtin.include_tasks: set_priority_dict.yml - vars: - _priority: "{{ _acl.rules.rate_limit.priority }}" - - - name: Append priority to rule. - ansible.builtin.set_fact: - rate_rule: "{{ rate_rule | combine(_priority_dict) }}" - - - name: Add rule to list. - ansible.builtin.set_fact: - _rules: "{{ _rules + [rate_rule] }}" - name: Create Bot Control rule. ansible.builtin.include_tasks: bot_control.yml diff --git a/roles/aws/aws_acl/tasks/rate_limit.yml b/roles/aws/aws_acl/tasks/rate_limit.yml new file mode 100644 index 000000000..a029db535 --- /dev/null +++ b/roles/aws/aws_acl/tasks/rate_limit.yml 
@@ -0,0 +1,33 @@ +--- +- name: Set rate based statement from template + ansible.builtin.set_fact: + _rbs: "{{ lookup('ansible.builtin.template', './rate_limit.j2') | from_yaml }}" + +- name: Set action statement + ansible.builtin.set_fact: + _action: "{ {{ _acl.rules.rate_limit.action | default('block') }}: {} }" + +- name: Define rate rule. + ansible.builtin.set_fact: + rate_rule: + name: "{{ _acl.rules.rate_limit.name | default('rate_limit') }}" + action: "{{ _action | from_yaml }}" + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "{{ _acl.rules.rate_limit.name | default('rate_limit') }}" + Statement: + rate_based_statement: "{{ _rbs }}" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.rate_limit.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + rate_rule: "{{ rate_rule | combine(_priority_dict) }}" + +- name: Add rule to list. + ansible.builtin.set_fact: + _rules: "{{ _rules + [rate_rule] }}" From 37fa3463727ef5e9e15acccb27024e50214a3f82 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 7 Aug 2024 15:24:49 +0200 Subject: [PATCH 198/331] r70260-rkhunter-whitelist (#1877) --- roles/debian/rkhunter/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/debian/rkhunter/defaults/main.yml b/roles/debian/rkhunter/defaults/main.yml index 30e20d59a..8e9226610 100644 --- a/roles/debian/rkhunter/defaults/main.yml +++ b/roles/debian/rkhunter/defaults/main.yml @@ -16,6 +16,8 @@ rkhunter: scriptwhitelist: - /bin/egrep - /bin/fgrep + - /usr/bin/egrep + - /usr/bin/fgrep - /usr/bin/ldd # - /usr/bin/lwp-request - /usr/sbin/adduser From 4605fff5c75e9b052379380e1a9b5bcac1b6bb54 Mon Sep 17 00:00:00 2001 
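Review bot: two behaviour changes are hidden in this refactor and should be named in the commit message: the rule name default changes from `Rate_limit` to `rate_limit`, so on existing web ACLs the old rule is replaced rather than updated, and the action is now taken from `_acl.rules.rate_limit.action`, which is interpolated into a YAML string without validation, so a typo such as `blok` only surfaces as an API error at apply time. Assert that the value is one of the actions the WAF module accepts (`block`, `allow`, `count`) before building `rate_rule`, keep `block` as the default, and mention in the README that `count` turns the rate limit into monitoring only.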
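Review bot: whitelisting both `/bin/egrep` and `/usr/bin/egrep` (and the `fgrep` pair) is harmless on merged-/usr Debian where they resolve to the same file, but each `scriptwhitelist` entry narrows what rkhunter will warn about, so keep the list to paths that exist on the target release. The wrappers only need whitelisting because something on the hosts calls `egrep`; the `_exit` role's motd task in patch 206 of this series is one such caller and could use `grep -E` instead.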
From: Klaus Purer Date: Wed, 14 Aug 2024 17:28:24 +0200 Subject: [PATCH 199/331] fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting --- roles/debian/nginx/README.md | 3 +++ roles/debian/nginx/defaults/main.yml | 3 +++ roles/debian/nginx/tasks/main.yml | 10 ++++++++++ 3 files changed, 16 insertions(+) diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 87b1a76dd..40d997b6c 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md @@ -142,6 +142,9 @@ nginx: fastcgi_read_timeout: 60 recreate_vhosts: true # handle vhosts with ansible, if 'true' then clean up 'sites-enabled' dir and run domain.yml. overrides: [] # See the '_overrides' role. + # Nginx ships a default vhost config that can clash with other services + # running on port 80. Set this to false to remove it after Nginx installation. + keep_default_vhost: true domains: - server_name: "{{ _domain_name }}" access_log: "/var/log/nginx/access.log" diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index 2b587ce41..ce9de03d2 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml @@ -130,6 +130,9 @@ nginx: fastcgi_read_timeout: 60 recreate_vhosts: true # handle vhosts with ansible, if 'true' then clean up 'sites-enabled' dir and run domain.yml. overrides: [] # See the '_overrides' role. + # Nginx ships a default vhost config that can clash with other services + # running on port 80. Set this to false to remove it after Nginx installation. + keep_default_vhost: true domains: - server_name: "{{ _domain_name }}" access_log: "/var/log/nginx/access.log" diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 85c720068..f2269cbef 100644 --- a/roles/debian/nginx/tasks/main.yml 
+++ b/roles/debian/nginx/tasks/main.yml @@ -5,6 +5,16 @@ state: present update_cache: true cache_valid_time: 240 + register: _nginx_installed + +- name: Remove default NGINX vhost that could clash with other services running on port 80. + when: + # We only need to do this once when Nginx is installed initially. + - _nginx_installed.changed + - not nginx.keep_default_vhost + ansible.builtin.file: + path: /etc/nginx/sites-enabled/default + state: absent - name: Set up Python packages. ansible.builtin.include_role: From c7bc57cf8005541446ad92db59772215a778a044 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 27 Aug 2024 14:31:55 +0200 Subject: [PATCH 200/331] Wazuh-var-update (#1903) --- roles/debian/wazuh/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml index d90f17991..e58c2d045 100644 --- a/roles/debian/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml @@ -1,4 +1,6 @@ --- +wazuh_agent_sources_installation: + enabled: true wazuh: path: wazuh #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible From 166a0e8f5efbb97f4cfd4cc6d2431299556b326c Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 27 Aug 2024 14:57:08 +0200 Subject: [PATCH 201/331] Wazuh-agent-vars-more-readable (#1905) --- roles/debian/wazuh/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index c7f867c01..2514dc6b6 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml 
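Review bot: the removal is gated on `_nginx_installed.changed`, so it only runs on the play that first installs the package. Setting `keep_default_vhost: false` on a host where NGINX is already installed therefore never removes the default vhost, and a run that fails between the apt task and this one leaves the catch-all server on port 80 in place permanently. `state: absent` is idempotent, so drop the `.changed` condition and keep only `not nginx.keep_default_vhost`; the task should also notify the NGINX reload handler so the default server stops answering without waiting for an unrelated change.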
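Review bot: `wazuh_agent_sources_installation.enabled: true` becomes a top-level role default, and the only task that reads it (visible in the next patch) is guarded by `not wazuh_agent_sources_installation.enabled`, so with this default the agent installation task is skipped unless an inventory overrides the variable to `false`. Confirm that is the intended default and document the variable in the role README next to `wazuh.agent.install`, since the two flags together decide whether an agent is installed at all.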
@@ -111,6 +111,4 @@ ssl_ciphers: "{{ wazuh.agent.wazuh_agent_enrollment.ssl_ciphers }}" wazuh_custom_packages_installation_agent_enabled: false ansible_shell_allow_world_readable_temp: true - wazuh_agent_sources_installation: - enabled: true when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled From 1f7c08cb9035fc7578b50b411d3101009b8a00df Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 28 Aug 2024 13:12:19 +0200 Subject: [PATCH 202/331] Filebeat-restart-task-wazuh (#1907) --- roles/debian/wazuh/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index 2514dc6b6..4deedc573 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml @@ -112,3 +112,8 @@ wazuh_custom_packages_installation_agent_enabled: false ansible_shell_allow_world_readable_temp: true when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled + +- name: Restart filebeat at the end # If we do not, filebeat keeps using old certs and breaks connection with elasticsearch & dashboard stops showing data. + ansible.builtin.systemd: + name: filebeat + state: restarted From 5d3153aad2aca2a892d0f3ae4239a11473c1ec6a Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 28 Aug 2024 13:58:46 +0200 Subject: [PATCH 203/331] Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart --- roles/debian/wazuh/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index 4deedc573..a80d9119f 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml 
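Review bot: removing the nested `wazuh_agent_sources_installation` from the task vars makes the `when:` clause consistent with the role default, but the unchanged `ansible_shell_allow_world_readable_temp: true` beside it deserves its own comment: it lets Ansible fall back to world-readable temporary files when becoming an unprivileged user, which exposes module payloads (and the variables they carry, such as the `ssl_ciphers` and enrollment settings here) to other local accounts for the duration of the task. Installing `acl` on the target (the `common_base` package list is edited in patch 204 of this series) lets `setfacl` do the job so this setting can be dropped.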
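Review bot: the Filebeat restart is unconditional, so on hosts that run only the Wazuh agent (no Filebeat unit) this task fails the whole play with a unit-not-found error. Guard it with a presence check (`ansible.builtin.service_facts` and `'filebeat.service' in ansible_facts.services`) and consider making it a handler notified by the certificate tasks, since the inline comment says the restart exists only to pick up replaced certificates.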
@@ -113,7 +113,18 @@ ansible_shell_allow_world_readable_temp: true when: wazuh.agent.install and not wazuh_agent_sources_installation.enabled +- name: Check if Filebeat service exists + ansible.builtin.command: + cmd: systemctl list-units --type=service --state=running + register: _service_list + changed_when: false + +- name: Set fact if Filebeat is found & present + ansible.builtin.set_fact: + filebeat_exists: "{{ 'filebeat.service' in _service_list.stdout_lines }}" + - name: Restart filebeat at the end # If we do not, filebeat keeps using old certs and breaks connection with elasticsearch & dashboard stops showing data. ansible.builtin.systemd: name: filebeat state: restarted + when: filebeat_exists From e5306eae4155267530b38c809c649c3fa3940065 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Mon, 2 Sep 2024 10:12:07 +0200 Subject: [PATCH 204/331] Adding-gawk-to-extra-packages (#1910) --- roles/_meta/common_base/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index 100be3501..d5af663a2 100644 --- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml @@ -24,6 +24,7 @@ dependencies: - ntp - screen - iptraf-ng + - gawk when: is_local is not defined or not is_local - role: debian/locales - role: debian/user_root From 229551c68de00ef9e9ac0e62af32e3c61d415b5a Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 3 Sep 2024 09:42:35 +0200 Subject: [PATCH 205/331] Updating-filebeat-restart-task (#1913) --- roles/debian/wazuh/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index a80d9119f..eac0a4a45 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml 
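Review bot: `'filebeat.service' in _service_list.stdout_lines` is an exact match against whole lines of `systemctl list-units` output, and every one of those lines also carries the LOAD/ACTIVE/SUB/DESCRIPTION columns, so the test is always false and `filebeat_exists` can never be true; the restart this patch set out to guard is now never run. Use a substring test (`_service_list.stdout is search('filebeat.service')`) or, better, `ansible.builtin.service_facts`, which also removes the need for the `--state=running` filter.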
@@ -121,7 +121,7 @@ - name: Set fact if Filebeat is found & present ansible.builtin.set_fact: - filebeat_exists: "{{ 'filebeat.service' in _service_list.stdout_lines }}" + filebeat_exists: "{{ _service_list.stdout is search('filebeat.service') }}" - name: Restart filebeat at the end # If we do not, filebeat keeps using old certs and breaks connection with elasticsearch & dashboard stops showing data. ansible.builtin.systemd: From 38bc5760beaf70bc0d13377afe547c1a6f7d0eca Mon Sep 17 00:00:00 2001 
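Review bot: `is search('filebeat.service')` fixes the always-false exact-line match, but the unit list is still filtered with `--state=running`, so a Filebeat that is installed but stopped or failed (the likely state right after its certificate was replaced, which is the reason this restart exists) is skipped. Drop the `--state=running` filter, or replace the command with `ansible.builtin.service_facts` and test `'filebeat.service' in ansible_facts.services`, which reports installed units regardless of state.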
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Tue, 3 Sep 2024 18:10:08 +0200 Subject: [PATCH 206/331] Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar --- roles/_exit/tasks/main.yml | 18 +++++ roles/_exit/templates/motd.j2 | 13 ++++ roles/aws/aws_backup/tasks/backup_plan.yml | 20 +---- roles/aws/aws_backup/tasks/resource.yml | 19 +---- .../tasks/get_valid_email.yml | 11 +++ .../aws/aws_backup_validation/tasks/main.yml | 7 +- .../tasks/restore_testing_plan.yml | 17 +++++ .../tasks/testing_resources.yml | 75 +++++++++++++++++++ .../templates/EC2_validation.py.j2 | 2 +- .../templates/RDS_validation.py.j2 | 2 +- .../templates/restore_testing.j2 | 16 ++++ 11 files changed, 166 insertions(+), 34 deletions(-) create mode 100644 roles/_exit/templates/motd.j2 create mode 100644 roles/aws/aws_backup_validation/tasks/get_valid_email.yml create mode 100644 roles/aws/aws_backup_validation/tasks/restore_testing_plan.yml create mode 100644 roles/aws/aws_backup_validation/tasks/testing_resources.yml create mode 100644 roles/aws/aws_backup_validation/templates/restore_testing.j2 diff --git a/roles/_exit/tasks/main.yml b/roles/_exit/tasks/main.yml index 7cf1901a5..b24312541 100644 --- a/roles/_exit/tasks/main.yml +++ b/roles/_exit/tasks/main.yml 
@@ -19,6 +19,24 @@ autoremove: true become: true +- name: Gather host details for motd. + ansible.builtin.shell: > + set -o pipefail && /usr/bin/hostnamectl | /usr/bin/egrep "hostname|Operating|Kernel|Hardware Model" + register: _host_details + +- name: Gather datetime details for motd. + ansible.builtin.shell: > + date + register: _last_build + +- name: Generate/Update custom vars file. + ansible.builtin.template: + src: motd.j2 + dest: "/etc/motd" + mode: "0755" + owner: root + group: root + - name: Delete the lock file. ansible.builtin.file: path: "{{ _init.lock_file }}" diff --git a/roles/_exit/templates/motd.j2 b/roles/_exit/templates/motd.j2 new file mode 100644 index 000000000..1bb17a15f --- /dev/null +++ b/roles/_exit/templates/motd.j2 @@ -0,0 +1,13 @@ + ██████╗ ██████╗ ██████╗ ███████╗ ███████╗███╗ ██╗██╗ ██████╗ ███╗ ███╗ █████╗ +██╔════╝██╔═══██╗██╔══██╗██╔════╝ ██╔════╝████╗ ██║██║██╔════╝ ████╗ ████║██╔══██╗ +██║ ██║ ██║██║ ██║█████╗ █████╗ ██╔██╗ ██║██║██║ ███╗██╔████╔██║███████║ +██║ ██║ ██║██║ ██║██╔══╝ ██╔══╝ ██║╚██╗██║██║██║ ██║██║╚██╔╝██║██╔══██║ +╚██████╗╚██████╔╝██████╔╝███████╗ ███████╗██║ ╚████║██║╚██████╔╝██║ ╚═╝ ██║██║ ██║ + ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝ ╚══════╝╚═╝ ╚═══╝╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ +Managed by Ansible + +Environment: {{ _env_type }} + +{{ _host_details.stdout }} + +Last successful build was on {{ _last_build.stdout }} diff --git a/roles/aws/aws_backup/tasks/backup_plan.yml b/roles/aws/aws_backup/tasks/backup_plan.yml index b79dee05c..f74d164e9 100644 --- a/roles/aws/aws_backup/tasks/backup_plan.yml +++ b/roles/aws/aws_backup/tasks/backup_plan.yml 
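Review bot: `/etc/motd` is written with `mode: "0755"`; it is a plain text file read by login and sshd and should be `0644`, the executable bit has no purpose on a config file. The two gather tasks use `ansible.builtin.shell` with `register` but no `changed_when: false`, so every run reports them as changed although `date` and the `hostnamectl` pipeline modify nothing; both could be replaced with facts the play already has (`ansible_date_time`, `ansible_hostname`, `ansible_kernel`, `ansible_distribution`, `ansible_product_name`), which also removes the deprecated `egrep` wrapper that the rkhunter whitelist in patch 198 has to tolerate. The template prints kernel version and hardware model to every interactive login; on shared hosts that is visible to any local account, though it reveals nothing `uname -a` would not.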
@@ -41,22 +41,10 @@ register: _backup_plan_created_info when: _backup_plan_created is defined -- name: Check if the restore testing plan exists. - ansible.builtin.command: > - aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ plan.name | replace("-", "_") }}'] | [0]" --output json - register: _testing_plan_exists - -- name: Create restore testing plan if it doesn't exist. - ansible.builtin.command: > - aws backup create-restore-testing-plan --restore-testing-plan "RestoreTestingPlanName={{ plan.name | replace('-', '_') }},RecoveryPointSelection={Algorithm=LATEST_WITHIN_WINDOW,RecoveryPointTypes=[\"SNAPSHOT\"],IncludeVaults=[\"{{ _vault_info.stdout | from_json | json_query('BackupVaultArn') }}\"]},ScheduleExpression=\"cron(0 0 ? * SUN *)\"" --region {{ _aws_region }} - register: _testing_plan_created - when: _testing_plan_exists.stdout == "null" - -- name: Get info about newly created restore testing plan. - ansible.builtin.command: > - aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ plan.name | replace("-", "_") }}'] | [0]" - register: _testing_plan_created_info - when: _testing_plan_created is defined +- name: Create restore testing plan. + ansible.builtin.include_role: + name: aws/aws_backup_validation + tasks_from: restore_testing_plan - name: Tidy up and remove the yaml input file. ansible.builtin.file: diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml index 95994cc70..973e44cf9 100644 --- a/roles/aws/aws_backup/tasks/resource.yml +++ b/roles/aws/aws_backup/tasks/resource.yml 
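Review bot: `include_role` with `tasks_from: restore_testing_plan` relies on `plan`, `_vault_info` and `_aws_region` being set by the caller; state that contract in a comment or pass them explicitly via `vars:` so the included task file cannot be invoked from elsewhere without them. The task name `Create restore testing plan.` should also say that it only creates the plan when missing, matching the `when: _testing_plan_exists.stdout == "null"` guard inside the included file.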
@@ -4,11 +4,6 @@ aws backup list-backup-plans --region {{ _aws_region }} --query "BackupPlansList[?BackupPlanName=='{{ backup.backup_plan_name }}'] | [0]" --output json register: _backup_plan_info -- name: Get restore testing plan info. - ansible.builtin.command: > - aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ backup.backup_plan_name | replace("-", "_") }}'] | [0]" --output json - register: _testing_plan_info - - name: Gather AWS account ID if it isn't already set. amazon.aws.aws_caller_info: profile: "{{ _aws_profile }}" 
@@ -65,13 +60,7 @@ aws backup create-backup-selection --backup-plan-id {{ _backup_plan_info.stdout | from_json | json_query('BackupPlanId') }} --backup-selection "{\"SelectionName\":\"{{ backup.selection_name }}\",\"IamRoleArn\":\"{{ _iam_role_arn }}\",\"Resources\":[\"{{ _resource_arn }}\"]}" --region {{ _aws_region }} when: _selection_exists.stdout | length == 0 -- name: Check if the restore testing selection exists. - ansible.builtin.command: > - aws backup list-restore-testing-selections --restore-testing-plan-name {{ _testing_plan_info.stdout | from_json | json_query('RestoreTestingPlanName') }} --query "RestoreTestingSelections[?RestoreTestingSelectionName=='{{ backup.selection_name | replace('-', '_') }}'].RestoreTestingSelectionName" --output text --region {{ _aws_region }} - register: _testing_selection_exists - when: _testing_plan_info.stdout != "null" - -- name: Assign resource to AWS restore testing plan. - ansible.builtin.command: > - aws backup create-restore-testing-selection --restore-testing-plan-name {{ _testing_plan_info.stdout | from_json | json_query('RestoreTestingPlanName') }} --restore-testing-selection "{\"RestoreTestingSelectionName\":\"{{ backup.selection_name | replace('-', '_') }}\",\"IamRoleArn\":\"{{ _iam_role_arn }}\",\"ProtectedResourceArns\":[\"{{ _resource_arn }}\"],\"ProtectedResourceType\":\"{{ backup.selection_name.split('-')[0] }}\",\"ValidationWindowHours\":1}" --region {{ _aws_region }} - when: _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 +- name: Create restore testing plan. + ansible.builtin.include_role: + name: aws/aws_backup_validation + tasks_from: testing_resources diff --git a/roles/aws/aws_backup_validation/tasks/get_valid_email.yml b/roles/aws/aws_backup_validation/tasks/get_valid_email.yml new file mode 100644 index 000000000..ef5ab0851 --- /dev/null +++ b/roles/aws/aws_backup_validation/tasks/get_valid_email.yml 
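Review bot: the task name `Create restore testing plan.` for `tasks_from: testing_resources` is misleading; that file assigns a protected resource to an existing plan and creates a security group, so name it `Assign resource to restore testing plan.` or similar. Dropping `_testing_plan_info` from this file is fine only because `testing_resources.yml` re-queries it itself; that dependency is worth a comment.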
@@ -0,0 +1,11 @@ +- name: Get list of identities. + ansible.builtin.command: > + aws ses list-identities --region {{ _aws_region }} --output json + register: _identity_list + +- name: Get list of identities. + ansible.builtin.command: > + aws ses get-identity-verification-attributes --identities item --region {{ _aws_region }} + register: _verified_domain + loop: _identity_list.Identities + until: _verified_domain.VerificationAttributes is search("Success") diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index d09acd6d1..a039cb423 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml @@ -5,9 +5,11 @@ assume_role_policy_document: "{{ lookup('file', 'trusted_entitites.j2') }}" managed_policies: - arn:aws:iam::aws:policy/AmazonEC2FullAccess - - arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy + - arn:aws:iam::aws:policy/AWSBackupFullAccess - arn:aws:iam::aws:policy/AmazonRDSFullAccess - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess + - arn:aws:iam::aws:policy/AmazonSESFullAccess + - arn:aws:iam::aws:policy/AmazonSSMFullAccess register: _created_iam_lambda_role - name: Create an IAM Managed Policy for passing roles @@ -35,6 +37,9 @@ ansible.builtin.wait_for: timeout: 20 +- name: Get verified domain. + ansible.builtin.include_tasks: get_valid_email.yml + - name: Clean and set python functions block: - name: Check and clean any previous Lambda files diff --git a/roles/aws/aws_backup_validation/tasks/restore_testing_plan.yml b/roles/aws/aws_backup_validation/tasks/restore_testing_plan.yml new file mode 100644 index 000000000..b508ad63d --- /dev/null +++ b/roles/aws/aws_backup_validation/tasks/restore_testing_plan.yml 
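Review bot: the second task in `get_valid_email.yml` cannot work as written: `loop: _identity_list.Identities` is a literal string rather than a templated list (and `_identity_list` is a `command` result, so the identities live in `_identity_list.stdout | from_json`), `--identities item` passes the literal word `item` instead of `{{ item }}`, and `until: _verified_domain.VerificationAttributes is search("Success")` inspects an attribute a `command` result does not have; combined with `loop`, `until` also retries each iteration up to the default three times and fails the play on any unverified identity. Suggest `loop: "{{ _identity_list.stdout | from_json | json_query('Identities') }}"`, `--identities {{ item }} --output json` with `changed_when: false`, and a `set_fact` over the registered results that picks the first identity whose status is `Success`. Both tasks are also named `Get list of identities.`; rename the second.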
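Review bot: the Lambda execution role in `main.yml` now carries `AWSBackupFullAccess`, `AmazonSESFullAccess` and `AmazonSSMFullAccess` on top of `AmazonEC2FullAccess` and `AmazonRDSFullAccess`. A validation function that sends a report and runs a check on a restored instance needs `ses:SendEmail` on one identity and `ssm:SendCommand`/`ssm:GetCommandInvocation` on the restored instances, not full access to every service; with this role a bug or compromise in the function can delete recovery points, send mail as any verified identity and run commands on every SSM-managed instance in the account. Suggest an inline policy scoped by ARN or by the tag the restore testing selection applies.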
@@ -0,0 +1,17 @@ +--- +- name: Check if the restore testing plan exists. + ansible.builtin.command: > + aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ plan.name | replace("-", "_") }}'] | [0]" --output json + register: _testing_plan_exists + +- name: Create restore testing plan if it doesn't exist. + ansible.builtin.command: > + aws backup create-restore-testing-plan --restore-testing-plan "RestoreTestingPlanName={{ plan.name | replace('-', '_') }},RecoveryPointSelection={Algorithm=LATEST_WITHIN_WINDOW,RecoveryPointTypes=[\"SNAPSHOT\"],IncludeVaults=[\"{{ _vault_info.stdout | from_json | json_query('BackupVaultArn') }}\"]},ScheduleExpression=\"cron(0 0 ? * SUN *)\"" --region {{ _aws_region }} + register: _testing_plan_created + when: _testing_plan_exists.stdout == "null" + +- name: Get info about newly created restore testing plan. + ansible.builtin.command: > + aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ plan.name | replace("-", "_") }}'] | [0]" + register: _testing_plan_created_info + when: _testing_plan_created is defined diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml new file mode 100644 index 000000000..ad4fcd429 --- /dev/null +++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml 
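Review bot: `when: _testing_plan_created is defined` on the last task is always true, because `register` sets the variable even when the creating task is skipped; use `when: _testing_plan_created is not skipped` (or `is changed`). Both `list-restore-testing-plans` calls are read-only and should carry `changed_when: false`, and the second one lacks `--output json`, so `_testing_plan_created_info.stdout` will be in whatever output format the CLI profile defaults to.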
@@ -0,0 +1,75 @@ +--- +- name: Get restore testing plan info. + ansible.builtin.command: > + aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ backup.backup_plan_name | replace("-", "_") }}'] | [0]" --output json + register: _testing_plan_info + +- name: Check if the restore testing selection exists. + ansible.builtin.command: > + aws backup list-restore-testing-selections --restore-testing-plan-name {{ _testing_plan_info.stdout | from_json | json_query('RestoreTestingPlanName') }} --query "RestoreTestingSelections[?RestoreTestingSelectionName=='{{ backup.selection_name | replace('-', '_') }}'].RestoreTestingSelectionName" --output text --region {{ _aws_region }} + register: _testing_selection_exists + when: _testing_plan_info.stdout != "null" + +- name: Get default backup role arn + amazon.aws.iam_role_info: + name: AWSBackupDefaultServiceRole + register: _default_backup_role_arn + +- name: Get VPC info + amazon.aws.ec2_vpc_net_info: + region: "{{ _aws_region }}" + filters: + "tag:Name": "{{ aws_vpc.name }}" + register: _main_vpc_info + +- name: Get subnets info + amazon.aws.ec2_vpc_subnet_info: + region: "{{ _aws_region }}" + filters: + vpc-id: "{{ _main_vpc_info.vpcs[0].vpc_id }}" + register: _main_subnets_info + +- name: Create SG for restored instances. 
+ amazon.aws.ec2_security_group: + name: Restore_testing + description: This SG is used to allow SSM and SSH access to the server + region: "{{ _aws_region }}" + vpc_id: "{{ _main_vpc_info.vpcs[0].vpc_id }}" + rules: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 443 + to_port: 443 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 22 + to_port: 22 + cidr_ip: 0.0.0.0/0 + +- name: Remove restore testing query file + ansible.builtin.file: + path: /tmp/restore_testing.json + state: absent + +- name: Create restore testing query file + ansible.builtin.template: + src: restore_testing.j2 + dest: /tmp/restore_testing.json + +- name: Touch a file + ansible.builtin.file: + path: /tmp/test_file.conf + state: touch + mode: "0644" + +- name: Run command to create file in tmp folder + ansible.builtin.command: > + echo "This is test" >> /tmp/test_file + +#- name: Assign EC2 resource to AWS restore testing plan. +# ansible.builtin.command: > +# aws backup create-restore-testing-selection -cli-input-json file:///tmp/restore_testing.json --region {{ _aws_region }} +# when: _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 diff --git a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 index 6fccac00e..2a0316026 100644 --- a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 +++ b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 @@ -135,7 +135,7 @@ def lambda_handler(event, context): 'Data': 'Lambda Backup validation: ' + mail_title, }, }, - Source='Lambda Backup Validation ', + Source='Lambda Backup Validation ', ) return { diff --git a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 index 9ee36f72b..1e15e5795 100644 --- a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 
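Review bot: the `Restore_testing` security group opens 22, 80 and 443 to `0.0.0.0/0` on instances that are restored copies of production data. SSM needs no inbound rule at all (the agent connects outbound to the SSM endpoint), and SSH from the whole internet is not required for a validation window; restrict 22 to the controller or bastion CIDR, or drop it and rely on SSM alone. The task is also never `register`ed, so the group id is not available to the selection template. Separately, `ansible.builtin.command` does no shell parsing, so `echo "This is test" >> /tmp/test_file` passes `>>` and `/tmp/test_file` as arguments to `echo` rather than redirecting; that task and `Touch a file` read as debugging leftovers and should be removed, and `/tmp/restore_testing.json` should come from `ansible.builtin.tempfile` rather than a fixed, predictable path in `/tmp`.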
+++ b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 @@ -113,7 +113,7 @@ def lambda_handler(event, context): 'Data': 'Lambda Backup validation: ' + mail_title, }, }, - Source='Lambda Backup Validation ', + Source='Lambda Backup Validation ', ) print(json.dumps(event)) diff --git a/roles/aws/aws_backup_validation/templates/restore_testing.j2 b/roles/aws/aws_backup_validation/templates/restore_testing.j2 new file mode 100644 index 000000000..745c510b4 --- /dev/null +++ b/roles/aws/aws_backup_validation/templates/restore_testing.j2 @@ -0,0 +1,16 @@ +{ + "RestoreTestingPlanName": "{{ _testing_plan_info.stdout | from_json | json_query("RestoreTestingPlanName") }}", + "RestoreTestingSelection": { + "IamRoleArn": "{{ _default_backup_role_arn }}", + "ProtectedResourceArns": [ + "{{ _resource_arn }}" + ], + "ProtectedResourceType": "EC2", + "RestoreMetadataOverrides": { + "securityGroupIds": "[\"{{ _main_subnets_info.subnets[0].subnet_id }}\"]", + "IamInstanceProfileName": "UseBackedUpValue" + }, + "RestoreTestingSelectionName": "{{ backup.selection_name | replace("-", "_") }}", + "ValidationWindowHours": 1 + } +} From 6491f830f6d4476fa4eebac968ae20f7db11668e Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 4 Sep 2024 04:41:16 +0200 Subject: [PATCH 207/331] Fixing-motd-task (#1917) --- roles/_exit/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/_exit/tasks/main.yml b/roles/_exit/tasks/main.yml index b24312541..97684526d 100644 --- a/roles/_exit/tasks/main.yml +++ b/roles/_exit/tasks/main.yml @@ -22,6 +22,8 @@ - name: Gather host details for motd. ansible.builtin.shell: > set -o pipefail && /usr/bin/hostnamectl | /usr/bin/egrep "hostname|Operating|Kernel|Hardware Model" + args: + executable: /bin/bash register: _host_details - name: Gather datetime details for motd. From 1ce0265ad6de7388585bbc9a7e23bf734cd7eeee Mon Sep 17 00:00:00 2001 
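Review bot: in `restore_testing.j2`, `securityGroupIds` is given `_main_subnets_info.subnets[0].subnet_id`, a `subnet-` id where an `sg-` id is expected, so the selection will be rejected or leave the restored instance with the wrong group; register the `Restore_testing` group and use its `group_id` here. `"IamRoleArn": "{{ _default_backup_role_arn }}"` renders the whole `iam_role_info` result dict rather than an ARN. The `Source=` change in `EC2_validation.py.j2` and `RDS_validation.py.j2` is not reviewable as shown, since the removed and added lines are identical in this diff; whichever sender it sets must be a verified SES identity or `send_email` will fail.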
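Review bot: `executable: /bin/bash` is the right fix for `set -o pipefail`; while here, add `changed_when: false` to this read-only gather task so the `_exit` role stops reporting a change on every run.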
From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 4 Sep 2024 07:10:37 +0200 Subject: [PATCH 208/331] Motd-switch-egrep-with-awk (#1919) --- roles/_exit/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/_exit/tasks/main.yml b/roles/_exit/tasks/main.yml index 97684526d..064b814d9 100644 --- a/roles/_exit/tasks/main.yml +++ b/roles/_exit/tasks/main.yml @@ -21,7 +21,7 @@ - name: Gather host details for motd. ansible.builtin.shell: > - set -o pipefail && /usr/bin/hostnamectl | /usr/bin/egrep "hostname|Operating|Kernel|Hardware Model" + set -o pipefail && /usr/bin/hostnamectl | /usr/bin/awk '/hostname|Operating|Kernel|Hardware Model/' args: executable: /bin/bash register: _host_details From 5c240dfc6310bc5bb38ab2daa37f175c2e2d6ddb Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 4 Sep 2024 10:53:16 +0200 Subject: [PATCH 209/331] Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task --- roles/_exit/tasks/main.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/_exit/tasks/main.yml b/roles/_exit/tasks/main.yml index 064b814d9..43d76fcd5 100644 --- a/roles/_exit/tasks/main.yml +++ b/roles/_exit/tasks/main.yml @@ -20,8 +20,12 @@ become: true - name: Gather host details for motd. - ansible.builtin.shell: > - set -o pipefail && /usr/bin/hostnamectl | /usr/bin/awk '/hostname|Operating|Kernel|Hardware Model/' + ansible.builtin.shell: | + set -o pipefail && \ + { echo "Static hostname: $(hostname)"; \ + grep "^NAME=" /etc/os-release | awk -F= '{print "Operating System: " $2}'; \ + uname -r | awk '{print "Kernel: " $1}'; \ + lscpu | grep "Model name" | awk -F: '{gsub(/^[ \t]+|[ \t]+$/, "", $2); print "Hardware Model: " $2}'; } args: executable: /bin/bash register: _host_details From d0fec1f415c138135f85c78ce1bc33dbc429be4a Mon Sep 17 00:00:00 2001 
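Review bot: the replacement pipeline in #1922 is fragile under `pipefail`: `grep "Model name"` exits 1 when `lscpu` prints no such line (common on some virtual and ARM guests), which fails the whole task; `grep "^NAME=" /etc/os-release` keeps the surrounding quotes, giving `Operating System: "Debian GNU/Linux"`; and `lscpu`'s model name is the CPU model, not the hardware model `hostnamectl` reported before. Use one `awk` per source, e.g. `awk -F= '/^PRETTY_NAME=/{gsub(/"/,"",$2); print "Operating System: " $2}' /etc/os-release`, so an absent line yields empty output instead of a non-zero exit.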
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 5 Sep 2024 03:56:07 +0200 Subject: [PATCH 210/331] Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar --- roles/_exit/tasks/main.yml | 8 +++++++- .../tasks/restore_testig_plan.yml | 17 +++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 roles/aws/aws_backup_validation/tasks/restore_testig_plan.yml diff --git a/roles/_exit/tasks/main.yml b/roles/_exit/tasks/main.yml index 43d76fcd5..e6a844f4d 100644 --- a/roles/_exit/tasks/main.yml +++ b/roles/_exit/tasks/main.yml @@ -35,13 +35,19 @@ date register: _last_build -- name: Generate/Update custom vars file. +- name: Print inventory_hostname. + ansible.builtin.debug: + var: inventory_hostname + +- name: Generate motd with server info. ansible.builtin.template: src: motd.j2 dest: "/etc/motd" mode: "0755" owner: root group: root + become: true + when: inventory_hostname != "localhost" - name: Delete the lock file. ansible.builtin.file: diff --git a/roles/aws/aws_backup_validation/tasks/restore_testig_plan.yml b/roles/aws/aws_backup_validation/tasks/restore_testig_plan.yml new file mode 100644 index 000000000..b508ad63d --- /dev/null +++ b/roles/aws/aws_backup_validation/tasks/restore_testig_plan.yml 
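Review bot: `when: inventory_hostname != "localhost"` only skips the motd when the host is literally named `localhost`; a controller addressed as `127.0.0.1` or through `ansible_connection: local` still gets its `/etc/motd` overwritten with another host's details. Test `ansible_connection == 'local'` (or a dedicated flag) instead. The `Print inventory_hostname.` debug task looks like a troubleshooting leftover and adds noise to every build, and `mode: "0755"` on `/etc/motd` is still there and should be `0644`.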
@@ -0,0 +1,17 @@ +--- +- name: Check if the restore testing plan exists. + ansible.builtin.command: > + aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ plan.name | replace("-", "_") }}'] | [0]" --output json + register: _testing_plan_exists + +- name: Create restore testing plan if it doesn't exist. + ansible.builtin.command: > + aws backup create-restore-testing-plan --restore-testing-plan "RestoreTestingPlanName={{ plan.name | replace('-', '_') }},RecoveryPointSelection={Algorithm=LATEST_WITHIN_WINDOW,RecoveryPointTypes=[\"SNAPSHOT\"],IncludeVaults=[\"{{ _vault_info.stdout | from_json | json_query('BackupVaultArn') }}\"]},ScheduleExpression=\"cron(0 0 ? * SUN *)\"" --region {{ _aws_region }} + register: _testing_plan_created + when: _testing_plan_exists.stdout == "null" + +- name: Get info about newly created restore testing plan. + ansible.builtin.command: > + aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ plan.name | replace("-", "_") }}'] | [0]" + register: _testing_plan_created_info + when: _testing_plan_created is defined From ec1ff32c5500518ad89dfcb99038f31954462fe3 Mon Sep 17 00:00:00 2001 From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Mon, 9 Sep 2024 11:02:36 +0300 Subject: [PATCH 211/331] Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic --- roles/debian/apt_extra_packages/tasks/main.yml | 4 ++++ roles/debian/aws_cloudwatch_agent/tasks/main.yml | 4 ++++ roles/debian/aws_ssm_agent/tasks/main.yml | 4 ++++ roles/debian/nginx/tasks/main.yml | 4 ++-- roles/debian/python_common/tasks/main.yml | 8 ++++++++ 5 files changed, 22 insertions(+), 2 deletions(-) diff --git a/roles/debian/apt_extra_packages/tasks/main.yml b/roles/debian/apt_extra_packages/tasks/main.yml index 83f8a5b4d..a83f9a076 100644 
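Review bot: `restore_testig_plan.yml` is a byte-for-byte duplicate of `restore_testing_plan.yml` (same blob `b508ad63d`) under a misspelled name that nothing includes; it should be dropped from this PR rather than committed and deleted again later.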
--- a/roles/debian/apt_extra_packages/tasks/main.yml +++ b/roles/debian/apt_extra_packages/tasks/main.yml @@ -24,6 +24,10 @@ pkg: "{{ apt_list | list }}" state: present update_cache: true + retries: 3 + delay: 10 + until: result is succeeded + register: result when: apt_list | length > 0 - name: Ensure wget is installed. diff --git a/roles/debian/aws_cloudwatch_agent/tasks/main.yml b/roles/debian/aws_cloudwatch_agent/tasks/main.yml index deeb911d9..6057f3118 100644 --- a/roles/debian/aws_cloudwatch_agent/tasks/main.yml +++ b/roles/debian/aws_cloudwatch_agent/tasks/main.yml @@ -4,6 +4,10 @@ deb: "https://s3.amazonaws.com/amazoncloudwatch-agent/debian/amd64/latest/amazon-cloudwatch-agent.deb" force: true state: present + retries: 3 + delay: 10 + until: result is succeeded + register: result - name: Adds cwagent user to adm group for log access. ansible.builtin.user: diff --git a/roles/debian/aws_ssm_agent/tasks/main.yml b/roles/debian/aws_ssm_agent/tasks/main.yml index 9d419eb3f..07f6ce8a7 100644 --- a/roles/debian/aws_ssm_agent/tasks/main.yml +++ b/roles/debian/aws_ssm_agent/tasks/main.yml @@ -3,6 +3,10 @@ ansible.builtin.apt: deb: "https://s3.{{ aws_ssm_agent.region }}.amazonaws.com/amazon-ssm-{{ aws_ssm_agent.region }}/latest/debian_amd64/amazon-ssm-agent.deb" state: present + retries: 3 + delay: 10 + until: result is succeeded + register: result - name: Start the agent ansible.builtin.command: systemctl enable amazon-ssm-agent diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index f2269cbef..085e4a4db 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml 
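Review bot: the retry pattern is fine, but `register: result` is a generic name shared by five tasks across roles, so any later task that tests `result` may read a stale value; use task-specific names such as `_apt_extra_packages_result`. For the `.deb` installs from S3 in `aws_cloudwatch_agent` and `aws_ssm_agent`, retrying does not address integrity: `ansible.builtin.apt` with `deb:` installs whatever the `latest` URL served without a signature check, so pin a version and fetch it with `ansible.builtin.get_url` plus `checksum:` before installing.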
@@ -40,7 +40,7 @@ - name: passlib - name: Backup the whole NGINX config with vhosts. - ansible.builtin.command: "tar -czf /home/{{ _ce_provision_username }}/nginx_backup.tar.gz /etc/nginx/" + ansible.builtin.command: "tar -czf /home/{{ ce_provision.username }}/nginx_backup.tar.gz /etc/nginx/" - name: Test NGINX configuration. ansible.builtin.command: nginx -t @@ -167,7 +167,7 @@ - name: Restore previous NGINX config from backup if test fails. ansible.builtin.unarchive: - src: /home/{{ _ce_provision_username }}/nginx_backup.tar.gz + src: /home/{{ ce_provision.username }}/nginx_backup.tar.gz dest: / remote_src: true when: nginx_test_result.rc != 0 diff --git a/roles/debian/python_common/tasks/main.yml b/roles/debian/python_common/tasks/main.yml index 74c1ba7a3..7c1e5cf39 100644 --- a/roles/debian/python_common/tasks/main.yml +++ b/roles/debian/python_common/tasks/main.yml @@ -4,9 +4,17 @@ pkg: "{{ python_common.remove_packages }}" state: absent when: python_common.cleanup + retries: 3 + delay: 10 + until: result is succeeded + register: result - name: Ensure commonly required Python packages are installed. ansible.builtin.apt: pkg: "{{ python_common.install_packages }}" state: present update_cache: true + retries: 3 + delay: 10 + until: result is succeeded + register: result From e68f1e3340511a25fe06476282dd4693c80d158d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Mon, 9 Sep 2024 17:39:44 +0200 Subject: [PATCH 212/331] Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_backup/tasks/resource.yml | 5 +++++ .../tasks/restore_testig_plan.yml | 17 --------------- .../tasks/testing_resources.yml | 21 ++++++------------- .../templates/restore_testing.j2 | 2 +- 4 files changed, 12 insertions(+), 33 deletions(-) delete mode 100644 roles/aws/aws_backup_validation/tasks/restore_testig_plan.yml 
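Review bot: the rename from `_ce_provision_username` to `ce_provision.username` in `nginx/tasks/main.yml` is unrelated to the apt workaround this PR describes, and the same two references are renamed back and forth in the following patches, which suggests the variable is not defined consistently across calling roles; settle on one name in `_init` and reference it from both tasks. Separately, `tar -czf /home/<user>/nginx_backup.tar.gz /etc/nginx/` copies the whole config tree, which can include `htpasswd` files and references to private keys, into a user's home with default umask permissions; use `community.general.archive` with `mode: "0600"` or write the backup to a root-only directory.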
diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml index 973e44cf9..5343fca11 100644 --- a/roles/aws/aws_backup/tasks/resource.yml +++ b/roles/aws/aws_backup/tasks/resource.yml @@ -4,6 +4,11 @@ aws backup list-backup-plans --region {{ _aws_region }} --query "BackupPlansList[?BackupPlanName=='{{ backup.backup_plan_name }}'] | [0]" --output json register: _backup_plan_info +- name: Get restore testing plan info. + ansible.builtin.command: > + aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ backup.backup_plan_name | replace("-", "_") }}'] | [0]" --output json + register: _testing_plan_info + - name: Gather AWS account ID if it isn't already set. amazon.aws.aws_caller_info: profile: "{{ _aws_profile }}" diff --git a/roles/aws/aws_backup_validation/tasks/restore_testig_plan.yml b/roles/aws/aws_backup_validation/tasks/restore_testig_plan.yml deleted file mode 100644 index b508ad63d..000000000 --- a/roles/aws/aws_backup_validation/tasks/restore_testig_plan.yml +++ /dev/null 
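Review bot: re-adding `Get restore testing plan info.` to `resource.yml` duplicates the identical query at the top of `testing_resources.yml`, so each resource now triggers two `list-restore-testing-plans` calls and both register `_testing_plan_info`; keep one, and give it `changed_when: false`.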
@@ -1,17 +0,0 @@ ---- -- name: Check if the restore testing plan exists. - ansible.builtin.command: > - aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ plan.name | replace("-", "_") }}'] | [0]" --output json - register: _testing_plan_exists - -- name: Create restore testing plan if it doesn't exist. - ansible.builtin.command: > - aws backup create-restore-testing-plan --restore-testing-plan "RestoreTestingPlanName={{ plan.name | replace('-', '_') }},RecoveryPointSelection={Algorithm=LATEST_WITHIN_WINDOW,RecoveryPointTypes=[\"SNAPSHOT\"],IncludeVaults=[\"{{ _vault_info.stdout | from_json | json_query('BackupVaultArn') }}\"]},ScheduleExpression=\"cron(0 0 ? * SUN *)\"" --region {{ _aws_region }} - register: _testing_plan_created - when: _testing_plan_exists.stdout == "null" - -- name: Get info about newly created restore testing plan. - ansible.builtin.command: > - aws backup list-restore-testing-plans --region {{ _aws_region }} --query "RestoreTestingPlans[?RestoreTestingPlanName=='{{ plan.name | replace("-", "_") }}'] | [0]" - register: _testing_plan_created_info - when: _testing_plan_created is defined diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml index ad4fcd429..c4cfc86d4 100644 --- a/roles/aws/aws_backup_validation/tasks/testing_resources.yml +++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml 
@@ -49,27 +49,18 @@ to_port: 22 cidr_ip: 0.0.0.0/0 -- name: Remove restore testing query file +- name: Remove restore testing query file. ansible.builtin.file: path: /tmp/restore_testing.json state: absent -- name: Create restore testing query file +- name: Create restore testing query file. ansible.builtin.template: src: restore_testing.j2 dest: /tmp/restore_testing.json + register: _restore_testing_query -- name: Touch a file - ansible.builtin.file: - path: /tmp/test_file.conf - state: touch - mode: "0644" - -- name: Run command to create file in tmp folder +- name: Assign EC2 resource to AWS restore testing plan. ansible.builtin.command: > - echo "This is test" >> /tmp/test_file - -#- name: Assign EC2 resource to AWS restore testing plan. -# ansible.builtin.command: > -# aws backup create-restore-testing-selection -cli-input-json file:///tmp/restore_testing.json --region {{ _aws_region }} -# when: _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 + aws backup create-restore-testing-selection --cli-input-json file:///tmp/restore_testing.json --region {{ _aws_region }} + when: _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 diff --git a/roles/aws/aws_backup_validation/templates/restore_testing.j2 b/roles/aws/aws_backup_validation/templates/restore_testing.j2 index 745c510b4..08f12f6ea 100644 --- a/roles/aws/aws_backup_validation/templates/restore_testing.j2 +++ b/roles/aws/aws_backup_validation/templates/restore_testing.j2 @@ -1,7 +1,7 @@ { "RestoreTestingPlanName": "{{ _testing_plan_info.stdout | from_json | json_query("RestoreTestingPlanName") }}", "RestoreTestingSelection": { - "IamRoleArn": "{{ _default_backup_role_arn }}", + "IamRoleArn": "{{ _default_backup_role_arn.iam_roles[0].arn }}", "ProtectedResourceArns": [ "{{ _resource_arn }}" ], From 91306be17ce076f375b9c2fde82485592cc5fd43 Mon Sep 17 00:00:00 2001 
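Review bot: `register: _restore_testing_query` is never used and can go. The now-enabled `create-restore-testing-selection` call still points restored instances at the `Restore_testing` group with `0.0.0.0/0` on 22/80/443 from the unchanged context above, so restored copies of production data come up reachable from the internet for the validation window; restrict or remove the SSH rule before enabling this task.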
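Review bot: `_default_backup_role_arn.iam_roles[0].arn` raises an undefined-index error if `AWSBackupDefaultServiceRole` does not exist in the account; assert `_default_backup_role_arn.iam_roles | length > 0` first, or create the role in this role. The unchanged `securityGroupIds` line still receives a subnet id where an `sg-` id is expected.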
From: Klaus Purer Date: Tue, 10 Sep 2024 12:40:33 +0200 Subject: [PATCH 213/331] fix(redis): Convert maxmemory setting to int before comparing (#1897) --- roles/debian/redis/templates/redis.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/redis/templates/redis.conf.j2 b/roles/debian/redis/templates/redis.conf.j2 index de952387d..add7bd6d5 100644 --- a/roles/debian/redis/templates/redis.conf.j2 +++ b/roles/debian/redis/templates/redis.conf.j2 @@ -538,7 +538,7 @@ slave-priority 100 # output buffers (but this is not needed if the policy is 'noeviction'). # # maxmemory -{% if redis.maxmemory > 0 %} +{% if (redis.maxmemory | int) > 0 %} maxmemory {{ redis.maxmemory }} {% endif %} # MAXMEMORY POLICY: how Redis will select what to remove when maxmemory From e476b63e1daf1977baef840b059f16540479c926 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 11 Sep 2024 06:26:08 +0200 Subject: [PATCH 214/331] Reverting-nginx-username (#1945) --- roles/debian/nginx/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 085e4a4db..f88ce8d8e 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -40,7 +40,7 @@ - name: passlib - name: Backup the whole NGINX config with vhosts. - ansible.builtin.command: "tar -czf /home/{{ ce_provision.username }}/nginx_backup.tar.gz /etc/nginx/" + ansible.builtin.command: "tar -czf /home/{{ _ce_provision.username }}/nginx_backup.tar.gz /etc/nginx/" - name: Test NGINX configuration. ansible.builtin.command: nginx -t @@ -167,7 +167,7 @@ - name: Restore previous NGINX config from backup if test fails. ansible.builtin.unarchive: - src: /home/{{ ce_provision.username }}/nginx_backup.tar.gz + src: /home/{{ _ce_provision.username }}/nginx_backup.tar.gz dest: / remote_src: true when: nginx_test_result.rc != 0 
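Review bot: `(redis.maxmemory | int) > 0` handles a string-typed value, but `| int` silently returns 0 for human-readable sizes such as `2gb` or `512mb`, in which case the `maxmemory` directive is dropped and Redis runs unbounded. Either document that `redis.maxmemory` must be an integer number of bytes, or test `(redis.maxmemory | string | regex_replace('[^0-9]', '') | int) > 0` and let Redis validate the unit.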
From 094cf0f661e5bbc26edba10695cfc0299465b3ce Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 11 Sep 2024 07:28:34 +0200 Subject: [PATCH 215/331] Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username --- roles/debian/nginx/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index f88ce8d8e..f2269cbef 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -40,7 +40,7 @@ - name: passlib - name: Backup the whole NGINX config with vhosts. - ansible.builtin.command: "tar -czf /home/{{ _ce_provision.username }}/nginx_backup.tar.gz /etc/nginx/" + ansible.builtin.command: "tar -czf /home/{{ _ce_provision_username }}/nginx_backup.tar.gz /etc/nginx/" - name: Test NGINX configuration. ansible.builtin.command: nginx -t @@ -167,7 +167,7 @@ - name: Restore previous NGINX config from backup if test fails. ansible.builtin.unarchive: - src: /home/{{ _ce_provision.username }}/nginx_backup.tar.gz + src: /home/{{ _ce_provision_username }}/nginx_backup.tar.gz dest: / remote_src: true when: nginx_test_result.rc != 0 From 829ad7c5caaecfcdecf7f9fc8b9292c75565df17 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 11 Sep 2024 11:06:50 +0200 Subject: [PATCH 216/331] Updating-nginx-vars (#1950) --- roles/debian/nginx/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index f2269cbef..085e4a4db 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml 
@@ -40,7 +40,7 @@ - name: passlib - name: Backup the whole NGINX config with vhosts. - ansible.builtin.command: "tar -czf /home/{{ _ce_provision_username }}/nginx_backup.tar.gz /etc/nginx/" + ansible.builtin.command: "tar -czf /home/{{ ce_provision.username }}/nginx_backup.tar.gz /etc/nginx/" - name: Test NGINX configuration. ansible.builtin.command: nginx -t @@ -167,7 +167,7 @@ - name: Restore previous NGINX config from backup if test fails. ansible.builtin.unarchive: - src: /home/{{ _ce_provision_username }}/nginx_backup.tar.gz + src: /home/{{ ce_provision.username }}/nginx_backup.tar.gz dest: / remote_src: true when: nginx_test_result.rc != 0 From 894f233455ef4706d6ae99a544ea4cada9a89a52 Mon Sep 17 00:00:00 2001 
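Review bot: #1945, #1947 and #1950 rename the same two references back and forth (`ce_provision.username`, `_ce_provision.username`, `_ce_provision_username`, `ce_provision.username`) within a few hours; the backup path should be a single role variable defaulted in one place so a variable rename cannot break the restore-on-failed-test path, which is the only time this tarball matters.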
From: Greg Harvey Date: Wed, 11 Sep 2024 15:11:40 +0200 Subject: [PATCH 217/331] Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. --- docs/roles/debian/nginx.md | 4 ++++ docs/roles/debian/rkhunter.md | 2 ++ docs/roles/debian/user_ansible.md | 7 ++++--- docs/roles/debian/wazuh.md | 2 ++ roles/debian/nginx/README.md | 1 + roles/debian/nginx/defaults/main.yml | 1 + roles/debian/nginx/tasks/main.yml | 18 +++++++++--------- roles/debian/rkhunter/README.md | 2 ++ roles/debian/user_ansible/README.md | 7 ++++--- roles/debian/wazuh/README.md | 2 ++ 10 files changed, 31 insertions(+), 15 deletions(-) 
diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 87b1a76dd..5a1131c5b 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md @@ -141,7 +141,11 @@ nginx: client_max_body_size: "700M" fastcgi_read_timeout: 60 recreate_vhosts: true # handle vhosts with ansible, if 'true' then clean up 'sites-enabled' dir and run domain.yml. + vhost_backup_location: "/home/{{ _ce_provision_username }}" # see _init for _ce_provision_username overrides: [] # See the '_overrides' role. + # Nginx ships a default vhost config that can clash with other services + # running on port 80. Set this to false to remove it after Nginx installation. + keep_default_vhost: true domains: - server_name: "{{ _domain_name }}" access_log: "/var/log/nginx/access.log" diff --git a/docs/roles/debian/rkhunter.md b/docs/roles/debian/rkhunter.md index cb452f702..30cb22852 100644 --- a/docs/roles/debian/rkhunter.md +++ b/docs/roles/debian/rkhunter.md @@ -25,6 +25,8 @@ rkhunter: scriptwhitelist: - /bin/egrep - /bin/fgrep + - /usr/bin/egrep + - /usr/bin/fgrep - /usr/bin/ldd # - /usr/bin/lwp-request - /usr/sbin/adduser diff --git a/docs/roles/debian/user_ansible.md b/docs/roles/debian/user_ansible.md index 117adcd08..5693b08e5 100644 --- a/docs/roles/debian/user_ansible.md +++ b/docs/roles/debian/user_ansible.md 
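Review bot: the new `vhost_backup_location` defaults to the provisioning user's home, but nothing in the role creates the directory when an operator overrides it, and `tar -czf` into a missing directory fails the play before any NGINX config is touched. Either add an `ansible.builtin.file: state: directory` task for `{{ nginx.vhost_backup_location }}` ahead of the backup, or state in the comment that the path must already exist and be writable by the Ansible user, and that it will receive a full copy of /etc/nginx.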
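Review bot: adding `/usr/bin/egrep` and `/usr/bin/fgrep` to `scriptwhitelist` is right for Debian 12, where grep 3.8 ships both as shell wrapper scripts that rkhunter would otherwise flag as replaced binaries, but the list should say why the `/bin/` entries are kept alongside them. Debian 12 is merged-/usr, so `/bin` is a symlink to `/usr/bin` and both paths name the same file; a one-line comment per pair (which release needs which path) lets the older entries be dropped when Debian 11 support ends.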
@@ -15,14 +15,15 @@ user_ansible: home: "/home/{{ _user_ansible_username }}" create: true # if you know the user already exists, set this to false to not create the user. create_home: true - # Optional Linux uid and gid for user + update_password: "always" + # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet + # This is shown for documentation, you should do this in your config repo # uid: 999 # gid: 999 # Local username of the deploy user. utility_host: "localhost" utility_username: "{{ _user_ansible_username }}" - sudoer: - false + sudoer: false # List of additional groups to add the user to. groups: [] # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). diff --git a/docs/roles/debian/wazuh.md b/docs/roles/debian/wazuh.md index 1ead6377f..c11fa68fe 100644 --- a/docs/roles/debian/wazuh.md +++ b/docs/roles/debian/wazuh.md @@ -10,6 +10,8 @@ Supports standalone managers, scaled out services and agent installation (defaul ## Default variables ```yaml --- +wazuh_agent_sources_installation: + enabled: true wazuh: path: wazuh #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 40d997b6c..5a1131c5b 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md @@ -141,6 +141,7 @@ nginx: client_max_body_size: "700M" fastcgi_read_timeout: 60 recreate_vhosts: true # handle vhosts with ansible, if 'true' then clean up 'sites-enabled' dir and run domain.yml. + vhost_backup_location: "/home/{{ _ce_provision_username }}" # see _init for _ce_provision_username overrides: [] # See the '_overrides' role. # Nginx ships a default vhost config that can clash with other services # running on port 80. Set this to false to remove it after Nginx installation. 
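Review bot: `update_password: "always"` deserves a comment, because it is a security-relevant choice even though it matches the user module's own default: with `always`, every run rewrites the account's password hash to whatever `password` is set to in config, so a password rotated on the host outside Ansible is silently reverted. If the hash is meant to be owned by the config repo, say so and note that it must be kept current there; otherwise `on_create` is the safer value for this user, since the role's access model is SSH keys (see the `ssh_keys` list below) rather than passwords.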
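Review bot: `wazuh_agent_sources_installation.enabled: true` is introduced as a new top-level variable, outside the `wazuh` dictionary every other setting lives in, with no comment on what it controls. Document what enabling it does (the name suggests the agent is built from sources rather than installed from the signed Wazuh package repository) and why it defaults to true; for an integrity-monitoring agent, whether the binary on each host comes from a signed package or a local build is something an operator should be choosing deliberately.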
diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index ce9de03d2..56d69572d 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml @@ -129,6 +129,7 @@ nginx: client_max_body_size: "700M" fastcgi_read_timeout: 60 recreate_vhosts: true # handle vhosts with ansible, if 'true' then clean up 'sites-enabled' dir and run domain.yml. + vhost_backup_location: "/home/{{ _ce_provision_username }}" # see _init for _ce_provision_username overrides: [] # See the '_overrides' role. # Nginx ships a default vhost config that can clash with other services # running on port 80. Set this to false to remove it after Nginx installation. diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml index 085e4a4db..74aa7942d 100644 --- a/roles/debian/nginx/tasks/main.yml +++ b/roles/debian/nginx/tasks/main.yml @@ -40,16 +40,16 @@ - name: passlib - name: Backup the whole NGINX config with vhosts. - ansible.builtin.command: "tar -czf /home/{{ ce_provision.username }}/nginx_backup.tar.gz /etc/nginx/" + ansible.builtin.command: "tar -czf {{ nginx.vhost_backup_location }}/nginx_backup.tar.gz /etc/nginx/" - name: Test NGINX configuration. ansible.builtin.command: nginx -t - register: nginx_test_result + register: _nginx_test_result failed_when: false - name: Display current NGINX config test result. ansible.builtin.debug: - msg: "{{ nginx_test_result.stderr }}" + msg: "{{ _nginx_test_result.stderr }}" - name: Copy main NGINX config. ansible.builtin.template: 
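Review bot: the first `nginx -t` in this hunk runs before the new configuration is written, and its result registered in `_nginx_test_result` is only displayed, never acted on. If the pre-existing configuration already fails the test, the archive taken just before it is a backup of a broken config, and the restore later in the file will put that broken config back and then fail the play with a message saying the previous configuration was restored. Fail (or at least warn explicitly) when `_nginx_test_result.rc != 0` at this point, before `Copy main NGINX config` runs, so the operator learns the starting state was already bad.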
@@ -152,27 +152,27 @@ - name: Test NGINX configuration. ansible.builtin.command: nginx -t - register: nginx_test_result + register: _nginx_test_result failed_when: false - name: Display NGINX test result. ansible.builtin.debug: - msg: "{{ nginx_test_result.stderr }}" + msg: "{{ _nginx_test_result.stderr }}" - name: Ensure NGINX is restarted. ansible.builtin.service: name: nginx state: restarted - when: nginx_test_result.rc == 0 + when: _nginx_test_result.rc == 0 - name: Restore previous NGINX config from backup if test fails. ansible.builtin.unarchive: - src: /home/{{ ce_provision.username }}/nginx_backup.tar.gz + src: "{{ nginx.vhost_backup_location }}/nginx_backup.tar.gz" dest: / remote_src: true - when: nginx_test_result.rc != 0 + when: _nginx_test_result.rc != 0 - name: Fail the playbook after restore. ansible.builtin.fail: msg: "NGINX configuration test failed. Previous configuration was restored. You need to check it manually." - when: nginx_test_result.rc != 0 + when: _nginx_test_result.rc != 0 diff --git a/roles/debian/rkhunter/README.md b/roles/debian/rkhunter/README.md index cb452f702..30cb22852 100644 --- a/roles/debian/rkhunter/README.md +++ b/roles/debian/rkhunter/README.md @@ -25,6 +25,8 @@ rkhunter: scriptwhitelist: - /bin/egrep - /bin/fgrep + - /usr/bin/egrep + - /usr/bin/fgrep - /usr/bin/ldd # - /usr/bin/lwp-request - /usr/sbin/adduser diff --git a/roles/debian/user_ansible/README.md b/roles/debian/user_ansible/README.md index 117adcd08..5693b08e5 100644 --- a/roles/debian/user_ansible/README.md +++ b/roles/debian/user_ansible/README.md 
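Review bot: the restore via `ansible.builtin.unarchive` with `dest: /` only overwrites files present in the archive; anything added to /etc/nginx since the backup (a new vhost in `sites-enabled` when `recreate_vhosts` is true, for example) is left in place, so the "restored" tree can still fail `nginx -t` while the `fail` task tells the operator the previous configuration was restored. Re-run `nginx -t` after the unarchive and include its stderr in the failure message, or clear /etc/nginx before extracting so the restore is exact. While here, the service task uses `state: restarted` even when only a vhost changed; `reloaded` applies a passing config without dropping in-flight connections.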
@@ -15,14 +15,15 @@ user_ansible: home: "/home/{{ _user_ansible_username }}" create: true # if you know the user already exists, set this to false to not create the user. create_home: true - # Optional Linux uid and gid for user + update_password: "always" + # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet + # This is shown for documentation, you should do this in your config repo # uid: 999 # gid: 999 # Local username of the deploy user. utility_host: "localhost" utility_username: "{{ _user_ansible_username }}" - sudoer: - false + sudoer: false # List of additional groups to add the user to. groups: [] # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). diff --git a/roles/debian/wazuh/README.md b/roles/debian/wazuh/README.md index 1ead6377f..c11fa68fe 100644 --- a/roles/debian/wazuh/README.md +++ b/roles/debian/wazuh/README.md @@ -10,6 +10,8 @@ Supports standalone managers, scaled out services and agent installation (defaul ## Default variables ```yaml --- +wazuh_agent_sources_installation: + enabled: true wazuh: path: wazuh #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible From 0fda1245f6787365012375f360fc9b4e9f4efef0 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Fri, 13 Sep 2024 13:02:07 +0100 Subject: [PATCH 218/331] r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role --- roles/debian/system/README.md | 17 +++++++++++++++++ roles/debian/system/defaults/main.yml | 3 +++ roles/debian/system/tasks/main.yml | 12 ++++++++++++ 3 files changed, 32 insertions(+) create mode 100644 roles/debian/system/README.md create mode 100644 roles/debian/system/defaults/main.yml create mode 100644 roles/debian/system/tasks/main.yml 
diff --git a/roles/debian/system/README.md b/roles/debian/system/README.md new file mode 100644 index 000000000..40513948b --- /dev/null +++ b/roles/debian/system/README.md @@ -0,0 +1,17 @@ +# System +This role provides a means of applying system variables to servers. + + + + +## Default variables +```yaml +--- +system: + noipv6: false + +``` + + +~~~ + diff --git a/roles/debian/system/defaults/main.yml b/roles/debian/system/defaults/main.yml new file mode 100644 index 000000000..e7b5bd20c --- /dev/null +++ b/roles/debian/system/defaults/main.yml @@ -0,0 +1,3 @@ +--- +system: + noipv6: false diff --git a/roles/debian/system/tasks/main.yml b/roles/debian/system/tasks/main.yml new file mode 100644 index 000000000..46fdfc10e --- /dev/null +++ b/roles/debian/system/tasks/main.yml @@ -0,0 +1,12 @@ +--- +- name: Disable IPv6 default. + ansible.posix.sysctl: + name: net.ipv6.conf.default.disable_ipv6 + value: "1" + when: system.noipv6 + +- name: Disable IPv6 all. + ansible.posix.sysctl: + name: net.ipv6.conf.all.disable_ipv6 + value: "1" + when: system.noipv6 From 89f779e9e929cb48d9d8e16982833e5902914095 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:23:43 +0200 Subject: [PATCH 219/331] Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar --- roles/aws/aws_backup_validation/tasks/testing_resources.yml | 1 + roles/aws/aws_backup_validation/templates/restore_testing.j2 | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml index c4cfc86d4..2776cb24f 100644 --- a/roles/aws/aws_backup_validation/tasks/testing_resources.yml +++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml 
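Review bot: the new README ends with a stray `~~~` line after the closing triple-backtick fence, which Markdown renders as the start of an unterminated code block; remove it. The one-line description ("applying system variables") also undersells the role: say that it manages kernel sysctl settings and that `noipv6: true` disables IPv6 on existing and future interfaces through `net.ipv6.conf.all.disable_ipv6` and `net.ipv6.conf.default.disable_ipv6`.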
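Review bot: both sysctl tasks only ever write "1" and are skipped when `system.noipv6` is false, so setting the variable back to false after a host was provisioned with it true leaves IPv6 disabled and the role no longer describes the host's state. Drop the `when:` clauses and set `value: "{{ '1' if system.noipv6 else '0' }}"` on both keys so the role converges in either direction. Consider also passing `sysctl_file: /etc/sysctl.d/` with a role-specific file name rather than letting the module append to /etc/sysctl.conf, which keeps the setting visible and removable as a unit.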
@@ -48,6 +48,7 @@ from_port: 22 to_port: 22 cidr_ip: 0.0.0.0/0 + register: _restore_testing_sg - name: Remove restore testing query file. ansible.builtin.file: diff --git a/roles/aws/aws_backup_validation/templates/restore_testing.j2 b/roles/aws/aws_backup_validation/templates/restore_testing.j2 index 08f12f6ea..7f0e5289b 100644 --- a/roles/aws/aws_backup_validation/templates/restore_testing.j2 +++ b/roles/aws/aws_backup_validation/templates/restore_testing.j2 @@ -7,7 +7,8 @@ ], "ProtectedResourceType": "EC2", "RestoreMetadataOverrides": { - "securityGroupIds": "[\"{{ _main_subnets_info.subnets[0].subnet_id }}\"]", + "subnetId": "{{ _main_subnets_info.subnets[0].subnet_id }}" + "securityGroupIds": "[\"{{ _restore_testing_sg.group_id }}\"]", "IamInstanceProfileName": "UseBackedUpValue" }, "RestoreTestingSelectionName": "{{ backup.selection_name | replace("-", "_") }}", From 743e477ea8658f20519d216f32b689b51dacc772 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Fri, 13 Sep 2024 16:18:49 +0200 Subject: [PATCH 220/331] Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_backup_validation/templates/restore_testing.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_backup_validation/templates/restore_testing.j2 b/roles/aws/aws_backup_validation/templates/restore_testing.j2 index 7f0e5289b..738bcd2a2 100644 --- a/roles/aws/aws_backup_validation/templates/restore_testing.j2 +++ b/roles/aws/aws_backup_validation/templates/restore_testing.j2 @@ -7,7 +7,7 @@ ], "ProtectedResourceType": "EC2", "RestoreMetadataOverrides": { - "subnetId": "{{ _main_subnets_info.subnets[0].subnet_id }}" + "subnetId": "{{ _main_subnets_info.subnets[0].subnet_id }}", "securityGroupIds": "[\"{{ _restore_testing_sg.group_id }}\"]", "IamInstanceProfileName": "UseBackedUpValue" }, 
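Review bot: the security group registered here as `_restore_testing_sg` allows port 22 from `0.0.0.0/0`, and the template change in this patch attaches it to every restored EC2 instance, so each restore test launches an instance with SSH open to the internet for as long as the test runs. Restrict `cidr_ip` to the address of whatever actually needs to reach the restored instance, or drop the SSH rule entirely if nothing does, before wiring the group into the restore metadata.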
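Review bot: the `"subnetId"` line added to restore_testing.j2 has no trailing comma before `"securityGroupIds"`, so the rendered file is invalid JSON until the one-character fix in #1957. Hand-writing JSON in a Jinja template is what makes this easy to miss: build `RestoreMetadataOverrides` as a YAML dict and render it with `| to_json`, or run the rendered file through `from_json` in an `ansible.builtin.assert` before handing it to AWS, so a syntax slip fails the play with a clear message instead of at the API.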
From 01fa3e882fa40491ca71734a8b8bd2683ea0e421 Mon Sep 17 00:00:00 2001 From: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Date: Mon, 16 Sep 2024 16:14:13 +0200 Subject: [PATCH 221/331] updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip --- roles/aws/aws_ec2_autoscale_cluster/README.md | 21 +++++++++++++++++++ .../defaults/main.yml | 4 ++++ .../aws_ec2_autoscale_cluster/tasks/main.yml | 2 ++ 3 files changed, 27 insertions(+) diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index ebda2b7a0..562235ac4 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md @@ -290,6 +290,27 @@ aws_ec2_autoscale_cluster: create_cert: false create_distribution: false cf_certificate_ARN: "" # Certificate must be in us-east-1 for CloudFront. Define a certificate to build a distribution. + # Add custom rules to http or https listener + listeners_http: + rules: [] + # Example of a redirect rule + # rules: + # - Conditions: + # - Field: host-header + # Values: + # - "example-redirect.com" + # Priority: '4' + # Actions: + # - Type: redirect + # RedirectConfig: + # Host: "codeenigma.com" + # Port: "#{port}" + # Protocol: "HTTPS" + # Path: "/#{path}" + # Query: "#{query}" + # StatusCode: "HTTP_301" + listeners_https: + rules: [] # Add custom listeners. See https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html listeners: [] alb_ssl_policy: "ELBSecurityPolicy-TLS-1-2-2017-01" # Sets the ALB SSL policy to only accect TLSv1.2 and apply more secure ciphers. diff --git a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml index b6aedd0b2..6b7a0a34e 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml 
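Review bot: the example redirect rule in the README will not work as written on the HTTP listener it is shown under: with `Protocol: "HTTPS"` and `Port: "#{port}"`, a request arriving on port 80 is redirected to `https://codeenigma.com:80/...`, because `#{port}` keeps the original port. Use `Port: "443"` for an HTTP-to-HTTPS redirect, and add a sentence that `Priority` values must be unique within a listener and must not collide with rules the role already creates.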
@@ -271,6 +271,10 @@ aws_ec2_autoscale_cluster: create_cert: false create_distribution: false cf_certificate_ARN: "" # Certificate must be in us-east-1 for CloudFront. Define a certificate to build a distribution. + listeners_http: + rules: [] + listeners_https: + rules: [] # Add custom listeners. See https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html listeners: [] alb_ssl_policy: "ELBSecurityPolicy-TLS-1-2-2017-01" # Sets the ALB SSL policy to only accect TLSv1.2 and apply more secure ciphers. diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index 77b0e0a11..fdc8384c6 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml @@ -349,6 +349,7 @@ DefaultActions: - Type: forward TargetGroupName: "{{ aws_ec2_autoscale_cluster.name }}" + Rules: "{{ aws_ec2_autoscale_cluster.listeners_http.rules }}" _aws_ec2_autoscale_cluster_listeners_redirect: Protocol: HTTP Port: "{{ aws_ec2_autoscale_cluster.alb_http_port }}" @@ -370,6 +371,7 @@ DefaultActions: - Type: forward TargetGroupName: "{{ aws_ec2_autoscale_cluster.name }}" + Rules: "{{ aws_ec2_autoscale_cluster.listeners_https.rules }}" when: aws_ec2_autoscale_cluster.create_elb # @TODO - we can use the aws_acm_obsolete_certificate_arn variable to tidy up previous ACM certs, if it is defined. From 42968b38bb5ff0d711fb96c743c1016a8c6edd20 Mon Sep 17 00:00:00 2001 
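Review bot: `Rules:` is added to the forwarding HTTP listener (`_aws_ec2_autoscale_cluster_listeners_http`) and to the HTTPS listener, but not to `_aws_ec2_autoscale_cluster_listeners_redirect` immediately below it, which is the HTTP listener used when HTTP traffic is redirected to HTTPS. In that configuration `listeners_http.rules` is silently ignored. Either add the same `Rules: "{{ aws_ec2_autoscale_cluster.listeners_http.rules }}"` line to the redirect listener, or document in defaults that custom HTTP rules apply only when HTTP is forwarded rather than redirected. While here, `accect` in the `alb_ssl_policy` comment should be `accept`.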
From: Greg Harvey Date: Mon, 16 Sep 2024 18:07:18 +0200 Subject: [PATCH 222/331] Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. --- ce-dev/ansible/vars/provision/ce_provision.yml | 1 + install.sh | 3 ++- roles/debian/ce_deploy/ansible.cfg | 5 ++++- roles/debian/ce_deploy/defaults/main.yml | 2 ++ roles/debian/ce_deploy/tasks/main.yml | 8 ++++---- roles/debian/ce_provision/ansible.cfg | 5 ++++- roles/debian/ce_provision/defaults/main.yml | 2 ++ roles/debian/ce_provision/tasks/main.yml | 8 ++++---- 8 files changed, 23 insertions(+), 11 deletions(-) 
diff --git a/ce-dev/ansible/vars/provision/ce_provision.yml b/ce-dev/ansible/vars/provision/ce_provision.yml index d2476fe0f..4819f04c5 100644 --- a/ce-dev/ansible/vars/provision/ce_provision.yml +++ b/ce-dev/ansible/vars/provision/ce_provision.yml @@ -1,4 +1,5 @@ # Common vars for local development. +_ce_provision_username: "ce-dev" ce_provision: username: "ce-dev" own_repository: "https://github.com/codeenigma/ce-provision.git" diff --git a/install.sh b/install.sh index c47d96562..30f57ebc2 100755 --- a/install.sh +++ b/install.sh @@ -136,7 +136,7 @@ echo "-------------------------------------------------" su - "$CONTROLLER_USER" -c "/usr/bin/python3 -m venv /home/$CONTROLLER_USER/ce-python" su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/python3 -m pip install --upgrade pip" su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install ansible netaddr python-debian" -su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-galaxy collection install ansible.posix --force" +su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-galaxy -p /home/$CONTROLLER_USER/.ansible/collections/ansible_collections collection install ansible.posix --force" if [ "$AWS_SUPPORT" = "true" ]; then su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install boto3" fi @@ -193,6 +193,7 @@ ce_provision: repo: https://github.com/vlcty/ansible-systemd-timers.git branch: master galaxy_custom_requirements_file: "" + galaxy_installation_path: "/home/{{ _ce_provision_username }}/.ansible/collections/ansible_collections" upgrade_galaxy: enabled: true command: "/home/${CONTROLLER_USER}/ce-python/bin/ansible-galaxy collection install --force" diff --git a/roles/debian/ce_deploy/ansible.cfg b/roles/debian/ce_deploy/ansible.cfg index d1191e163..f3117748d 100644 --- a/roles/debian/ce_deploy/ansible.cfg +++ b/roles/debian/ce_deploy/ansible.cfg 
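Review bot: the ce-dev vars file now carries `_ce_provision_username: "ce-dev"` directly above `ce_provision.username: "ce-dev"`, giving two places that must agree, while the nginx defaults in the same series point readers at `_init` as the source of `_ce_provision_username`. If `_init` derives the private variable from `ce_provision.username`, this line is redundant and should go; if it does not for the ce-dev case, add a comment saying why it has to be set by hand here.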
@@ -65,7 +65,10 @@ inventory = hosts # inject_facts_as_vars = True # additional paths to search for roles in, colon separated -roles_path = roles +roles_path = roles:/home/controller/.ansible/roles:/home/controller/ce-provision/roles + +# additional paths to search for collections in, colon separated +collections_path = /home/controller/.ansible/collections # uncomment this to disable SSH key host checking # @todo We probably want to accept new keys, but fail on changes. diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index dfccea372..061e08fc6 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -26,7 +26,9 @@ ce_deploy: groups: [] # File containing default roles and collections to install via Ansible Galaxy. # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. + # Collections will be installed to $HOME/.ansible/collections for the provision user. This collections path should also be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_deploy.username }}/ce-deploy/config/files/galaxy-requirements.yml" + galaxy_installation_path: "/home/{{ _ce_deploy.username }}/.ansible/collections/ansible_collections" upgrade_galaxy: enabled: true command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_deploy.venv_path if overridden diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index 447cd99c1..1edcc7007 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml 
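Review bot: `roles_path` and the new `collections_path` hard-code `/home/controller`, while the defaults in the same patch derive every other path from `{{ _ce_deploy.username }}`. If this ansible.cfg is installed as-is rather than templated, any deployment that overrides the username gets an Ansible that cannot find the roles and collections the role just installed. Template the file with the username, or document that `controller` is the only supported username for this file.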
@@ -183,13 +183,13 @@ - name: Install mandatory ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml --force" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -p {{ ce_deploy.galaxy_installation_path }} -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml --force" become: true become_user: "{{ ce_deploy.username }}" - name: Install custom ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_deploy.galaxy_custom_requirements_file }} --force" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -p {{ ce_deploy.galaxy_installation_path }} -r {{ ce_deploy.galaxy_custom_requirements_file }} --force" become: true become_user: "{{ ce_deploy.username }}" when: _ce_deploy_custom_galaxy_requirements.stat.exists @@ -208,7 +208,7 @@ vars: timers: upgrade_ce_deploy_ansible_galaxy_mandatory: - timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml" + timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -p {{ ce_deploy.galaxy_installation_path }} -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml" timer_user: "{{ ce_deploy.username }}" timer_OnCalendar: "{{ ce_deploy.upgrade_galaxy.on_calendar }}" when: ce_deploy.upgrade_galaxy.enabled @@ -219,7 +219,7 @@ vars: timers: upgrade_ce_deploy_ansible_galaxy_custom: - timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -r {{ ce_deploy.galaxy_custom_requirements_file }}" + timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -p {{ ce_deploy.galaxy_installation_path }} -r {{ ce_deploy.galaxy_custom_requirements_file }}" timer_user: "{{ ce_deploy.username }}" timer_OnCalendar: "{{ ce_deploy.upgrade_galaxy.on_calendar }}" when: 
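Review bot: `-p {{ ce_deploy.galaxy_installation_path }}` is passed to a plain `ansible-galaxy install -r ...`, which installs both the roles and the collections listed in the requirements file and uses `-p` as the destination for both. Roles therefore end up under `.ansible/collections/ansible_collections`, which is not on `roles_path`. Split the call into `ansible-galaxy role install -r ...` and `ansible-galaxy collection install -p ... -r ...`, or rely on the `collections_path` set in ansible.cfg and drop `-p`. Separately, the timer command is `ansible-galaxy collection install --force`, which only processes the collections section of a requirements file, so the scheduled upgrade never refreshes roles; that is worth a comment on `upgrade_galaxy` if it is intended.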
diff --git a/roles/debian/ce_provision/ansible.cfg b/roles/debian/ce_provision/ansible.cfg index d73ed95ac..932994edd 100644 --- a/roles/debian/ce_provision/ansible.cfg +++ b/roles/debian/ce_provision/ansible.cfg @@ -65,7 +65,10 @@ library = modules # inject_facts_as_vars = True # additional paths to search for roles in, colon separated -roles_path = roles +roles_path = roles:/home/controller/.ansible/roles:/home/controller/ce-provision/roles + +# additional paths to search for collections in, colon separated +collections_path = /home/controller/.ansible/collections # uncomment this to disable SSH key host checking # @todo We probably want to accept new keys, but fail on changes. diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index 863be9952..59ff8bc78 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml @@ -37,7 +37,9 @@ ce_provision: branch: master # File containing default roles and collections to install via Ansible Galaxy. # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. + # Collections will be installed to $HOME/.ansible/collections for the provision user. This collections path should also be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" + galaxy_installation_path: "/home/{{ _ce_provision_username }}/.ansible/collections/ansible_collections" upgrade_galaxy: enabled: true command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_provision.venv_path if overridden diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index d81941702..9dab0d778 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml 
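Review bot: the same hard-coded `/home/controller` appears in `roles_path` and `collections_path` here, while `galaxy_installation_path` in the defaults below is built from `{{ _ce_provision_username }}`; the two files disagree as soon as the username is overridden. Use one source for the username in both, and keep `collections_path` pointing at the parent of `ansible_collections` (as it does now), since Ansible appends that directory itself.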
@@ -226,13 +226,13 @@ - name: Install mandatory ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml --force-with-deps" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -p {{ ce_provision.galaxy_installation_path }} -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml --force-with-deps" become: true become_user: "{{ ce_provision.username }}" - name: Install custom ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_provision.galaxy_custom_requirements_file }}" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -p {{ ce_provision.galaxy_installation_path }} -r {{ ce_provision.galaxy_custom_requirements_file }}" become: true become_user: "{{ ce_provision.username }}" when: _ce_provision_custom_galaxy_requirements.stat.exists @@ -243,7 +243,7 @@ vars: timers: upgrade_ce_provision_ansible_galaxy_mandatory: - timer_command: "{{ ce_provision.upgrade_galaxy.command }} -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml" + timer_command: "{{ ce_provision.upgrade_galaxy.command }} -p {{ ce_provision.galaxy_installation_path }} -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml" timer_user: "{{ ce_provision.username }}" timer_OnCalendar: "{{ ce_provision.upgrade_galaxy.on_calendar }}" when: ce_provision.upgrade_galaxy.enabled 
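Review bot: the two install tasks are inconsistent in a way that matters for supply-chain hygiene: the mandatory requirements are installed with `--force-with-deps` (re-fetching every dependency on each run), the custom requirements with no force flag at all (so a changed upstream role or collection is never picked up until the directory is removed), and the equivalent tasks in ce_deploy use `--force` for both. Pick one policy, state it in a comment, and pin versions in the requirements files so a forced reinstall cannot silently pull a newer release. The `-p` issue with plain `ansible-galaxy install -r` installing roles into the collections directory applies to both commands here as well.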
@@ -254,7 +254,7 @@ vars: timers: upgrade_ce_provision_ansible_galaxy_custom: - timer_command: "{{ ce_provision.upgrade_galaxy.command }} -r {{ ce_provision.galaxy_custom_requirements_file }}" + timer_command: "{{ ce_provision.upgrade_galaxy.command }} -p {{ ce_provision.galaxy_installation_path }} -r {{ ce_provision.galaxy_custom_requirements_file }}" timer_user: "{{ ce_provision.username }}" timer_OnCalendar: "{{ ce_provision.upgrade_galaxy.on_calendar }}" when: From 48f70db679a03eb4c2d2f1a4ef00d6dba95f9ed5 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Mon, 16 Sep 2024 19:30:34 +0200 Subject: [PATCH 223/331] Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. --- install.sh | 1 - roles/debian/ce_deploy/defaults/main.yml | 2 -- roles/debian/ce_deploy/tasks/main.yml | 8 ++++---- roles/debian/ce_provision/defaults/main.yml | 2 -- roles/debian/ce_provision/tasks/main.yml | 8 ++++---- 5 files changed, 8 insertions(+), 13 deletions(-) diff --git a/install.sh b/install.sh index 30f57ebc2..5ff21ac82 100755 --- a/install.sh +++ b/install.sh 
@@ -193,7 +193,6 @@ ce_provision: repo: https://github.com/vlcty/ansible-systemd-timers.git branch: master galaxy_custom_requirements_file: "" - galaxy_installation_path: "/home/{{ _ce_provision_username }}/.ansible/collections/ansible_collections" upgrade_galaxy: enabled: true command: "/home/${CONTROLLER_USER}/ce-python/bin/ansible-galaxy collection install --force" diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index 061e08fc6..dfccea372 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -26,9 +26,7 @@ ce_deploy: groups: [] # File containing default roles and collections to install via Ansible Galaxy. # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. - # Collections will be installed to $HOME/.ansible/collections for the provision user. This collections path should also be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_deploy.username }}/ce-deploy/config/files/galaxy-requirements.yml" - galaxy_installation_path: "/home/{{ _ce_deploy.username }}/.ansible/collections/ansible_collections" upgrade_galaxy: enabled: true command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_deploy.venv_path if overridden diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index 1edcc7007..447cd99c1 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml 
@@ -183,13 +183,13 @@ - name: Install mandatory ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -p {{ ce_deploy.galaxy_installation_path }} -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml --force" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml --force" become: true become_user: "{{ ce_deploy.username }}" - name: Install custom ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -p {{ ce_deploy.galaxy_installation_path }} -r {{ ce_deploy.galaxy_custom_requirements_file }} --force" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_deploy.galaxy_custom_requirements_file }} --force" become: true become_user: "{{ ce_deploy.username }}" when: _ce_deploy_custom_galaxy_requirements.stat.exists @@ -208,7 +208,7 @@ vars: timers: upgrade_ce_deploy_ansible_galaxy_mandatory: - timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -p {{ ce_deploy.galaxy_installation_path }} -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml" + timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml" timer_user: "{{ ce_deploy.username }}" timer_OnCalendar: "{{ ce_deploy.upgrade_galaxy.on_calendar }}" when: ce_deploy.upgrade_galaxy.enabled @@ -219,7 +219,7 @@ vars: timers: upgrade_ce_deploy_ansible_galaxy_custom: - timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -p {{ ce_deploy.galaxy_installation_path }} -r {{ ce_deploy.galaxy_custom_requirements_file }}" + timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -r {{ ce_deploy.galaxy_custom_requirements_file }}" timer_user: "{{ ce_deploy.username }}" timer_OnCalendar: "{{ ce_deploy.upgrade_galaxy.on_calendar }}" when: 
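Review bot: the two timer hunks (@@ -208 and @@ -219) schedule `{{ ce_deploy.upgrade_galaxy.command }}`, which the defaults hunk above defines as `ansible-galaxy collection install --force`, against the requirements files on a weekly calendar; any entry in those files without a version constraint is replaced by whatever Galaxy serves at that moment, so the timer is an unattended update path for code the deploy user subsequently executes. Keep version pins in the requirements files (the `version: ">=5.5.0,<6.0.0"` style used in `roles/debian/ce_deploy/meta/requirements-10.yml` elsewhere on this page) or drop `--force` from the scheduled command so only missing entries are fetched. Smaller point: the two `ansible.builtin.command` install tasks in the @@ -183 hunk have no `changed_when`, so every run reports changed.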
diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index 59ff8bc78..863be9952 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml @@ -37,9 +37,7 @@ ce_provision: branch: master # File containing default roles and collections to install via Ansible Galaxy. # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. - # Collections will be installed to $HOME/.ansible/collections for the provision user. This collections path should also be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" - galaxy_installation_path: "/home/{{ _ce_provision_username }}/.ansible/collections/ansible_collections" upgrade_galaxy: enabled: true command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_provision.venv_path if overridden diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index 9dab0d778..d81941702 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml 
@@ -226,13 +226,13 @@ - name: Install mandatory ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -p {{ ce_provision.galaxy_installation_path }} -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml --force-with-deps" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml --force-with-deps" become: true become_user: "{{ ce_provision.username }}" - name: Install custom ansible-galaxy roles and collections. ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -p {{ ce_provision.galaxy_installation_path }} -r {{ ce_provision.galaxy_custom_requirements_file }}" + cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_provision.galaxy_custom_requirements_file }}" become: true become_user: "{{ ce_provision.username }}" when: _ce_provision_custom_galaxy_requirements.stat.exists @@ -243,7 +243,7 @@ vars: timers: upgrade_ce_provision_ansible_galaxy_mandatory: - timer_command: "{{ ce_provision.upgrade_galaxy.command }} -p {{ ce_provision.galaxy_installation_path }} -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml" + timer_command: "{{ ce_provision.upgrade_galaxy.command }} -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml" timer_user: "{{ ce_provision.username }}" timer_OnCalendar: "{{ ce_provision.upgrade_galaxy.on_calendar }}" when: ce_provision.upgrade_galaxy.enabled 
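Review bot: in the @@ -226 hunk the custom install command `ansible-galaxy install -r {{ ce_provision.galaxy_custom_requirements_file }}` carries no force flag, while the mandatory install just above it uses `--force-with-deps` and the ce_deploy equivalent in this same patch uses `--force`; without it a re-run of the role leaves already-installed roles and collections at whatever version is on disk, so a provision run and the weekly timer (whose `upgrade_galaxy.command` includes `--force`) will produce different results on the same host. Either add the flag here or document that custom requirements are only refreshed by the timer.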
@@ -254,7 +254,7 @@ vars: timers: upgrade_ce_provision_ansible_galaxy_custom: - timer_command: "{{ ce_provision.upgrade_galaxy.command }} -p {{ ce_provision.galaxy_installation_path }} -r {{ ce_provision.galaxy_custom_requirements_file }}" + timer_command: "{{ ce_provision.upgrade_galaxy.command }} -r {{ ce_provision.galaxy_custom_requirements_file }}" timer_user: "{{ ce_provision.username }}" timer_OnCalendar: "{{ ce_provision.upgrade_galaxy.on_calendar }}" when: From 2b40728e235c249671940c95d1bf8039215a6708 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Tue, 17 Sep 2024 13:14:11 +0100 Subject: [PATCH 224/331] r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check --- roles/debian/swap/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/debian/swap/tasks/main.yml b/roles/debian/swap/tasks/main.yml index ea1244d13..08628d33c 100644 --- a/roles/debian/swap/tasks/main.yml +++ b/roles/debian/swap/tasks/main.yml @@ -3,6 +3,14 @@ ansible.builtin.set_fact: swap_file: "/{{ swap.swap_space }}.swap" +- name: Create Swap directory. + ansible.builtin.file: + path: /var/swap + state: directory + mode: '0755' + owner: root + group: root + - name: Check if swap file exists. ansible.builtin.stat: path: "{{ swap_file }}" From 054630cd1f563df50f4fc93e67c9663880310c9e Mon Sep 17 00:00:00 2001 
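Review bot: the new `Create Swap directory.` task in the swap hunk hard-codes `path: /var/swap`, while the file it is meant to hold is derived from a variable (`swap_file: "/{{ swap.swap_space }}.swap"` two lines above it), so an operator who overrides `swap.swap_space` to point elsewhere still gets `/var/swap` created and the real parent directory missing. Use `path: "{{ swap_file | dirname }}"` so the two cannot drift apart. `mode: '0755'` is fine for the directory, but the hunk does not show the mode of the swap file itself; that file must not be world-readable, so check that the task creating it sets `0600`.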
From: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Date: Tue, 17 Sep 2024 14:45:13 +0200 Subject: [PATCH 225/331] 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip --- docs/roles/aws/aws_ec2_autoscale_cluster.md | 21 +++++++++++++++++++ docs/roles/debian/system.md | 16 ++++++++++++++ roles/aws/aws_ec2_autoscale_cluster/README.md | 6 +++--- .../defaults/main.yml | 17 +++++++++++++++ roles/debian/system/README.md | 1 - 5 files changed, 57 insertions(+), 4 deletions(-) create mode 100644 docs/roles/debian/system.md diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md index ebda2b7a0..a9b957ac3 100644 --- a/docs/roles/aws/aws_ec2_autoscale_cluster.md +++ b/docs/roles/aws/aws_ec2_autoscale_cluster.md @@ -290,6 +290,27 @@ aws_ec2_autoscale_cluster: create_cert: false create_distribution: false cf_certificate_ARN: "" # Certificate must be in us-east-1 for CloudFront. Define a certificate to build a distribution. + # Add rules to http or https listener + listeners_http: + rules: [] + # Example of a domain redirect rule + # rules: + # - Conditions: + # - Field: host-header + # Values: + # - "example-redirect.com" + # Priority: '4' + # Actions: + # - Type: redirect + # RedirectConfig: + # Host: "codeenigma.com" + # Port: "#{port}" + # Protocol: "HTTPS" + # Path: "/#{path}" + # Query: "#{query}" + # StatusCode: "HTTP_301" + listeners_https: + rules: [] # Add custom listeners. See https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html listeners: [] alb_ssl_policy: "ELBSecurityPolicy-TLS-1-2-2017-01" # Sets the ALB SSL policy to only accect TLSv1.2 and apply more secure ciphers. diff --git a/docs/roles/debian/system.md b/docs/roles/debian/system.md new file mode 100644 index 000000000..7a7f31327 --- /dev/null 
+++ b/docs/roles/debian/system.md @@ -0,0 +1,16 @@ +# System +This role provides a means of applying system variables to servers. + + + + +## Default variables +```yaml +--- +system: + noipv6: false + +``` + + +~~~ diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index 562235ac4..a9b957ac3 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md @@ -290,11 +290,11 @@ aws_ec2_autoscale_cluster: create_cert: false create_distribution: false cf_certificate_ARN: "" # Certificate must be in us-east-1 for CloudFront. Define a certificate to build a distribution. - # Add custom rules to http or https listener + # Add rules to http or https listener listeners_http: rules: [] - # Example of a redirect rule - # rules: + # Example of a domain redirect rule + # rules: # - Conditions: # - Field: host-header # Values: diff --git a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml index 6b7a0a34e..52e7c1787 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml @@ -271,8 +271,25 @@ aws_ec2_autoscale_cluster: create_cert: false create_distribution: false cf_certificate_ARN: "" # Certificate must be in us-east-1 for CloudFront. Define a certificate to build a distribution. + # Add rules to http or https listener listeners_http: rules: [] + # Example of a domain redirect rule + # rules: + # - Conditions: + # - Field: host-header + # Values: + # - "example-redirect.com" + # Priority: '4' + # Actions: + # - Type: redirect + # RedirectConfig: + # Host: "codeenigma.com" + # Port: "#{port}" + # Protocol: "HTTPS" + # Path: "/#{path}" + # Query: "#{query}" + # StatusCode: "HTTP_301" listeners_https: rules: [] # Add custom listeners. See https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html 
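Review bot: the new `docs/roles/debian/system.md` ends with a bare `~~~` line after the closed backtick fence, which Markdown treats as the opening of a tilde fence that is never closed, so everything after it on a rendered page becomes a code block. The same `~~~` is visible in the `roles/debian/system/README.md` hunk below, so fix it in the README the docs are generated from rather than in the generated file. In the `aws_ec2_autoscale_cluster` hunks, the `listeners_http` / `listeners_https` comment says rules can be added but nothing states the rule schema beyond the commented example; point readers at the `elb_application_lb` module link that the `listeners` comment already carries.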
diff --git a/roles/debian/system/README.md b/roles/debian/system/README.md index 40513948b..7a7f31327 100644 --- a/roles/debian/system/README.md +++ b/roles/debian/system/README.md @@ -14,4 +14,3 @@ system: ~~~ - From 44bd4bb85cba198e36a79eccf9816d8cd043144e Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Tue, 17 Sep 2024 14:15:57 +0100 Subject: [PATCH 226/331] swapfile path and clamav exclusion (#1970) --- roles/debian/clamav/defaults/main.yml | 1 + roles/debian/swap/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/debian/clamav/defaults/main.yml b/roles/debian/clamav/defaults/main.yml index 85af99d42..0e811ce8a 100644 --- a/roles/debian/clamav/defaults/main.yml +++ b/roles/debian/clamav/defaults/main.yml @@ -6,6 +6,7 @@ clamav: name: clamscan_daily exclude_directories: - /sys/ + - /var/swap/ scan_location: / log_name: clamav_daily.log # scheduled scans, set to an empty list for no timers diff --git a/roles/debian/swap/defaults/main.yml b/roles/debian/swap/defaults/main.yml index 6cfcc06a6..a7d14bf37 100644 --- a/roles/debian/swap/defaults/main.yml +++ b/roles/debian/swap/defaults/main.yml @@ -2,4 +2,4 @@ swap: count: 4096 size: "4G" - swap_space: swapfile + swap_space: /var/swap/swapfile From 07483c454c8b6a89576dfe6262ae57140a399026 Mon Sep 17 00:00:00 2001 
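Review bot: with `swap_space: /var/swap/swapfile` now starting with a slash, the unchanged `swap_file: "/{{ swap.swap_space }}.swap"` in `roles/debian/swap/tasks/main.yml` (visible in the previous patch's hunk) evaluates to `//var/swap/swapfile.swap`; the kernel tolerates the doubled slash, but that is the string that will land in `/etc/fstab`, `swapon --show` and any monitoring that matches on the path. Drop the leading `/` from the default or from the `set_fact`, not both. The ClamAV `exclude_directories` entry `/var/swap/` is the right companion change: scanning a swap file is slow and reads paged-out memory for no detection benefit.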
From: Greg Harvey Date: Thu, 19 Sep 2024 15:41:15 +0200 Subject: [PATCH 227/331] Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. * Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. --- .gitignore | 1 + docs/_Sidebar.md | 2 + docs/roles/debian/ansible_galaxy.md | 28 +++++++ docs/roles/debian/ce_deploy.md | 4 +- docs/roles/debian/ce_provision.md | 4 +- docs/roles/debian/clamav.md | 1 + docs/roles/debian/swap.md | 2 +- roles/debian/ansible_galaxy/README.md | 28 +++++++ roles/debian/ansible_galaxy/defaults/main.yml | 15 ++++ roles/debian/ansible_galaxy/tasks/main.yml | 48 ++++++++++++ roles/debian/ce_deploy/README.md | 4 +- roles/debian/ce_deploy/defaults/main.yml | 4 +- .../debian/ce_deploy/meta/requirements-10.yml | 10 --- roles/debian/ce_deploy/tasks/main.yml | 74 ++++++------------- roles/debian/ce_provision/README.md | 4 +- roles/debian/ce_provision/defaults/main.yml | 4 +- .../ce_provision/meta/requirements-10.yml | 18 ----- roles/debian/ce_provision/tasks/main.yml | 58 ++++++--------- roles/debian/clamav/README.md | 1 + roles/debian/swap/README.md | 2 +- 20 files changed, 174 insertions(+), 138 deletions(-) create mode 100644 docs/roles/debian/ansible_galaxy.md create mode 100644 roles/debian/ansible_galaxy/README.md create mode 100644 roles/debian/ansible_galaxy/defaults/main.yml create mode 100644 roles/debian/ansible_galaxy/tasks/main.yml delete mode 100644 roles/debian/ce_deploy/meta/requirements-10.yml delete mode 100644 roles/debian/ce_provision/meta/requirements-10.yml diff --git a/.gitignore b/.gitignore index c6bf0f364..38b1c1fe0 100644 --- a/.gitignore +++ b/.gitignore 
@@ -17,3 +17,4 @@ /roles/ce_provision !/roles/contrib/README.md /docs/roles/contrib/* +/galaxy diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index e62b94d5b..797f58980 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -33,6 +33,7 @@ - [VPC](/roles/aws/aws_vpc_subnet) - [Contributed roles](/roles/contrib) - [Debian Packages](/roles/debian) + - [Ansible Galaxy](/roles/debian/ansible_galaxy) - [Ansible](/roles/debian/ansible) - [APACHE](/roles/debian/apache) - [Apparmor](/roles/debian/apparmor) @@ -89,6 +90,7 @@ - [SSL](/roles/debian/ssl) - [sudo config](/roles/debian/sudo_config) - [Swap](/roles/debian/swap) + - [System](/roles/debian/system) - [User Ansible](/roles/debian/user_ansible) - [varnish_config](/roles/debian/varnish_config) - [wazuh](/roles/debian/wazuh) diff --git a/docs/roles/debian/ansible_galaxy.md b/docs/roles/debian/ansible_galaxy.md new file mode 100644 index 000000000..b4139d4b8 --- /dev/null +++ b/docs/roles/debian/ansible_galaxy.md 
@@ -0,0 +1,28 @@ +# Ansible Galaxy +Installs Ansible collections and roles with Ansible Galaxy. + + + + + +## Default variables +```yaml +--- +ansible_galaxy: + # Usually set in the _init role using _venv_path but can be overridden. + #venv_path: "/home/controller/ce-python" + + username: controller + # File containing default roles and/or collections to install via Ansible Galaxy. + # Roles will be installed to the first path specified under roles_path in your ansible.cfg file. + # Collections will be installed to collections_path in your ansible.cfg file. + galaxy_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" + extra_params: --force # extra params to pass to ansible-galaxy, e.g. -p /path/to/install to override install location above + upgrade_galaxy: + enabled: true + name: example # should be unique per job, per server + on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + +``` + + diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md index d3c939fd2..90aa38931 100644 --- a/docs/roles/debian/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md @@ -12,7 +12,7 @@ _ce_deploy: ce_deploy: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: "/home/{{ _ce_deploy.username }}/ansible" + #venv_path: "/home/{{ _ce_deploy.username }}/ce-python" #venv_command: /usr/bin/python3 -m venv #venv_install_username: "{{ _ce_deploy.username }}" #upgrade_timer_name: upgrade_ce_deploy_ansible 
@@ -33,11 +33,9 @@ ce_deploy: # List of additional groups to add the user to. groups: [] # File containing default roles and collections to install via Ansible Galaxy. - # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_deploy.username }}/ce-deploy/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_deploy.venv_path if overridden on_calendar: "Mon *-*-* 01:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md index e3816975d..6de9e0e9b 100644 --- a/docs/roles/debian/ce_provision.md +++ b/docs/roles/debian/ce_provision.md @@ -11,7 +11,7 @@ Installs Code Enigma's infrastructure management stack on a server. Note, the `_ # See roles/_init/defaults/main.yml for Ansible installation, controller user creation and extra variables repo settings. ce_provision: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: "/home/{{ _ce_provision_username }}/ansible" + #venv_path: "/home/{{ _ce_provision_username }}/ce-python" #venv_command: /usr/bin/python3 -m venv #venv_install_username: "{{ _ce_provision_username }}" #upgrade_timer_name: upgrade_ce_provision_ansible 
@@ -45,11 +45,9 @@ ce_provision: repo: https://github.com/vlcty/ansible-systemd-timers.git branch: master # File containing default roles and collections to install via Ansible Galaxy. - # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_provision.venv_path if overridden on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/docs/roles/debian/clamav.md b/docs/roles/debian/clamav.md index 0a35265c2..f99ff364e 100644 --- a/docs/roles/debian/clamav.md +++ b/docs/roles/debian/clamav.md @@ -17,6 +17,7 @@ clamav: name: clamscan_daily exclude_directories: - /sys/ + - /var/swap/ scan_location: / log_name: clamav_daily.log # scheduled scans, set to an empty list for no timers diff --git a/docs/roles/debian/swap.md b/docs/roles/debian/swap.md index 03794a99c..2c56f941d 100644 --- a/docs/roles/debian/swap.md +++ b/docs/roles/debian/swap.md @@ -13,7 +13,7 @@ Be sure to match the `count` variable to the `size` variable, the `count` variab swap: count: 4096 size: "4G" - swap_space: swapfile + swap_space: /var/swap/swapfile ``` diff --git a/roles/debian/ansible_galaxy/README.md b/roles/debian/ansible_galaxy/README.md new file mode 100644 index 000000000..b4139d4b8 --- /dev/null +++ b/roles/debian/ansible_galaxy/README.md 
@@ -0,0 +1,28 @@ +# Ansible Galaxy +Installs Ansible collections and roles with Ansible Galaxy. + + + + + +## Default variables +```yaml +--- +ansible_galaxy: + # Usually set in the _init role using _venv_path but can be overridden. + #venv_path: "/home/controller/ce-python" + + username: controller + # File containing default roles and/or collections to install via Ansible Galaxy. + # Roles will be installed to the first path specified under roles_path in your ansible.cfg file. + # Collections will be installed to collections_path in your ansible.cfg file. + galaxy_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" + extra_params: --force # extra params to pass to ansible-galaxy, e.g. -p /path/to/install to override install location above + upgrade_galaxy: + enabled: true + name: example # should be unique per job, per server + on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + +``` + + diff --git a/roles/debian/ansible_galaxy/defaults/main.yml b/roles/debian/ansible_galaxy/defaults/main.yml new file mode 100644 index 000000000..e1c8f5c83 --- /dev/null +++ b/roles/debian/ansible_galaxy/defaults/main.yml 
@@ -0,0 +1,15 @@ +--- +ansible_galaxy: + # Usually set in the _init role using _venv_path but can be overridden. + #venv_path: "/home/controller/ce-python" + + username: controller + # File containing default roles and/or collections to install via Ansible Galaxy. + # Roles will be installed to the first path specified under roles_path in your ansible.cfg file. + # Collections will be installed to collections_path in your ansible.cfg file. + galaxy_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" + extra_params: --force # extra params to pass to ansible-galaxy, e.g. -p /path/to/install to override install location above + upgrade_galaxy: + enabled: true + name: example # should be unique per job, per server + on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events diff --git a/roles/debian/ansible_galaxy/tasks/main.yml b/roles/debian/ansible_galaxy/tasks/main.yml new file mode 100644 index 000000000..b267a73fe --- /dev/null +++ b/roles/debian/ansible_galaxy/tasks/main.yml 
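Review bot: for a role the commit message calls generic and reusable, the default `galaxy_requirements_file` is built from `_ce_provision_username`, a variable owned by another role, and `username: controller` is hard-coded, so including `debian/ansible_galaxy` on its own fails with an undefined variable unless `_init`/ce_provision have run first. Default `galaxy_requirements_file` to an empty string (the task file's `stat` guard then skips cleanly) and derive the path from `ansible_galaxy.username`. Also `name: example # should be unique per job, per server` is only a comment; two includes that share a `name` produce the same `<name>_ansible_galaxy_upgrades` timer key, so the second silently replaces the first's unit.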
@@ -0,0 +1,48 @@ +--- +# Optionally set Python venv variables. +- name: Override Python venv path if provided. + ansible.builtin.set_fact: + _venv_path: "{{ ansible_galaxy.venv_path }}" + when: ansible_galaxy.venv_path is defined + +- name: Check if ansible-galaxy requirements file exists. + ansible.builtin.stat: + path: "{{ ansible_galaxy.galaxy_requirements_file }}" + register: _galaxy_requirements + +- name: Install ansible-galaxy roles and/or collections. + when: _galaxy_requirements.stat.exists + block: + - name: Set up the ansible-galaxy command. + ansible.builtin.set_fact: + _galaxy_command: "install -r {{ ansible_galaxy.galaxy_requirements_file }}" + + - name: Add any extra parameters to the ansible-galaxy command. + ansible.builtin.set_fact: + _galaxy_command: "{{ _galaxy_command }} {{ ansible_galaxy.extra_params }}" + when: ansible_galaxy.extra_params | length > 0 + + - name: Install ansible-galaxy roles and/or collections. + ansible.builtin.command: + cmd: "{{ _venv_path }}/bin/ansible-galaxy {{ _galaxy_command }}" + become: true + become_user: "{{ ansible_galaxy.username }}" + +- name: Install systemd timers to upgrade ansible-galaxy roles and/or collections. + when: + - ansible_galaxy.upgrade_galaxy.enabled + - _galaxy_requirements.stat.exists + block: + - name: Build timers variable. + ansible.builtin.set_fact: + _galaxy_upgrade_timer: "{'{{ ansible_galaxy.upgrade_galaxy.name }}_ansible_galaxy_upgrades': { timer_command: '{{ _venv_path }}/bin/ansible-galaxy {{ _galaxy_command }}', timer_OnCalendar: '{{ ansible_galaxy.upgrade_galaxy.on_calendar }}' }}" + + - name: Turn the timer string into a dictionary. + ansible.builtin.set_fact: + _galaxy_upgrade_timer: "{{ _galaxy_upgrade_timer.splitlines() | map('from_yaml') | list }}" + + - name: Set up a systemd timer to upgrade ansible-galaxy roles and/or collections. + ansible.builtin.include_role: + name: contrib/systemd_timers + vars: + timers: "{{ _galaxy_upgrade_timer }}" 
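Review bot: the dictionary built in `Build timers variable.` sets `timer_command` and `timer_OnCalendar` but no `timer_user`, whereas the timers this role replaces (see the ce_deploy and ce_provision hunks in this patch) passed `timer_user: "{{ ce_deploy.username }}"`; the install task runs as `ansible_galaxy.username` via `become_user`, so the scheduled upgrade will run under whatever user the `contrib/systemd_timers` role defaults to, installing into a different home directory and with a different privilege level than the initial install. Add `timer_user: '{{ ansible_galaxy.username }}'` to the dict. Two smaller points: `splitlines() | map('from_yaml') | list` yields a one-element list, while `timers:` is passed a dict keyed by timer name everywhere else on this page, so either take `| first` or build the dict directly with a Jinja literal instead of round-tripping through a YAML string; and `_venv_path` is only set when `ansible_galaxy.venv_path` is defined or `_init` ran, so assert it is defined before the command task.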
diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md index d3c939fd2..90aa38931 100644 --- a/roles/debian/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md @@ -12,7 +12,7 @@ _ce_deploy: ce_deploy: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: "/home/{{ _ce_deploy.username }}/ansible" + #venv_path: "/home/{{ _ce_deploy.username }}/ce-python" #venv_command: /usr/bin/python3 -m venv #venv_install_username: "{{ _ce_deploy.username }}" #upgrade_timer_name: upgrade_ce_deploy_ansible @@ -33,11 +33,9 @@ ce_deploy: # List of additional groups to add the user to. groups: [] # File containing default roles and collections to install via Ansible Galaxy. - # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_deploy.username }}/ce-deploy/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_deploy.venv_path if overridden on_calendar: "Mon *-*-* 01:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index dfccea372..2999edae9 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml 
@@ -4,7 +4,7 @@ _ce_deploy: ce_deploy: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: "/home/{{ _ce_deploy.username }}/ansible" + #venv_path: "/home/{{ _ce_deploy.username }}/ce-python" #venv_command: /usr/bin/python3 -m venv #venv_install_username: "{{ _ce_deploy.username }}" #upgrade_timer_name: upgrade_ce_deploy_ansible @@ -25,9 +25,7 @@ ce_deploy: # List of additional groups to add the user to. groups: [] # File containing default roles and collections to install via Ansible Galaxy. - # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_deploy.username }}/ce-deploy/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_deploy.venv_path if overridden on_calendar: "Mon *-*-* 01:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events diff --git a/roles/debian/ce_deploy/meta/requirements-10.yml b/roles/debian/ce_deploy/meta/requirements-10.yml deleted file mode 100644 index 850d90026..000000000 --- a/roles/debian/ce_deploy/meta/requirements-10.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -collections: - - name: community.mysql - - name: community.sops - - name: community.docker - - name: community.aws - version: ">=5.5.0,<6.0.0" # pinning at version 5.5.x for Python 3.7 - - name: ansible.posix - - name: amazon.aws - version: ">=5.5.0,<6.0.0" # pinning at version 5.5.x for Python 3.7 diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml index 447cd99c1..88e540b52 100644 --- a/roles/debian/ce_deploy/tasks/main.yml +++ b/roles/debian/ce_deploy/tasks/main.yml 
@@ -168,60 +168,28 @@ content: "PATH=$PATH:{{ _venv_path }}/bin" force: true -- name: Check if ansible-galaxy custom requirements file exists. - ansible.builtin.stat: - path: "{{ ce_deploy.galaxy_custom_requirements_file }}" - register: _ce_deploy_custom_galaxy_requirements - -- name: Copy mandatory ansible-galaxy requirements file to deploy server. - ansible.builtin.copy: - src: "{{ ce_deploy.ce_provision_dir }}/roles/debian/ce_deploy/meta/requirements-{{ ansible_distribution_major_version }}.yml" - dest: "{{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml" - owner: "{{ ce_deploy.username }}" - group: "{{ ce_deploy.username }}" - mode: '0644' - -- name: Install mandatory ansible-galaxy roles and collections. - ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml --force" - become: true - become_user: "{{ ce_deploy.username }}" - -- name: Install custom ansible-galaxy roles and collections. - ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_deploy.galaxy_custom_requirements_file }} --force" - become: true - become_user: "{{ ce_deploy.username }}" - when: _ce_deploy_custom_galaxy_requirements.stat.exists - -- name: Ensure Ansible venv permissions. - ansible.builtin.file: - path: "{{ _venv_path }}" - state: directory - recurse: true - owner: "{{ ce_deploy.username }}" - group: "{{ ce_deploy.username }}" - -- name: Create systemd timer to upgrade mandatory ansible-galaxy collections. +- name: Install mandatory ansible-galaxy collections. 
ansible.builtin.include_role: - name: contrib/systemd_timers + name: debian/ansible_galaxy vars: - timers: - upgrade_ce_deploy_ansible_galaxy_mandatory: - timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -r {{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml" - timer_user: "{{ ce_deploy.username }}" - timer_OnCalendar: "{{ ce_deploy.upgrade_galaxy.on_calendar }}" - when: ce_deploy.upgrade_galaxy.enabled - -- name: Create systemd timer to upgrade custom ansible-galaxy collections. + ansible_galaxy: + username: "{{ ce_deploy.username }}" + extra_params: --force + galaxy_requirements_file: "{{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml" + upgrade_galaxy: + enabled: "{{ ce_deploy.upgrade_galaxy.enabled }}" + name: ce_deploy_mandatory + on_calendar: "{{ ce_deploy.upgrade_galaxy.on_calendar }}" + +- name: Install custom ansible-galaxy collections. ansible.builtin.include_role: - name: contrib/systemd_timers + name: debian/ansible_galaxy vars: - timers: - upgrade_ce_deploy_ansible_galaxy_custom: - timer_command: "{{ ce_deploy.upgrade_galaxy.command }} -r {{ ce_deploy.galaxy_custom_requirements_file }}" - timer_user: "{{ ce_deploy.username }}" - timer_OnCalendar: "{{ ce_deploy.upgrade_galaxy.on_calendar }}" - when: - - _ce_deploy_custom_galaxy_requirements.stat.exists - - ce_deploy.upgrade_galaxy.enabled + ansible_galaxy: + username: "{{ ce_deploy.username }}" + extra_params: --force + galaxy_requirements_file: "{{ ce_deploy.galaxy_custom_requirements_file }}" + upgrade_galaxy: + enabled: "{{ ce_deploy.upgrade_galaxy.enabled }}" + name: ce_deploy_custom + on_calendar: "{{ ce_deploy.upgrade_galaxy.on_calendar }}" diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md index e3816975d..6de9e0e9b 100644 --- a/roles/debian/ce_provision/README.md +++ b/roles/debian/ce_provision/README.md 
@@ -11,7 +11,7 @@ Installs Code Enigma's infrastructure management stack on a server. Note, the `_ # See roles/_init/defaults/main.yml for Ansible installation, controller user creation and extra variables repo settings. ce_provision: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: "/home/{{ _ce_provision_username }}/ansible" + #venv_path: "/home/{{ _ce_provision_username }}/ce-python" #venv_command: /usr/bin/python3 -m venv #venv_install_username: "{{ _ce_provision_username }}" #upgrade_timer_name: upgrade_ce_provision_ansible @@ -45,11 +45,9 @@ ce_provision: repo: https://github.com/vlcty/ansible-systemd-timers.git branch: master # File containing default roles and collections to install via Ansible Galaxy. - # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_provision.venv_path if overridden on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events ``` diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index 863be9952..a0048a3bf 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml 
@@ -2,7 +2,7 @@ # See roles/_init/defaults/main.yml for Ansible installation, controller user creation and extra variables repo settings. ce_provision: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. - #venv_path: "/home/{{ _ce_provision_username }}/ansible" + #venv_path: "/home/{{ _ce_provision_username }}/ce-python" #venv_command: /usr/bin/python3 -m venv #venv_install_username: "{{ _ce_provision_username }}" #upgrade_timer_name: upgrade_ce_provision_ansible @@ -36,9 +36,7 @@ ce_provision: repo: https://github.com/vlcty/ansible-systemd-timers.git branch: master # File containing default roles and collections to install via Ansible Galaxy. - # Roles will be installed to $HOME/.ansible/roles for the provision user. This roles path should be added to your ansible.cfg file. galaxy_custom_requirements_file: "/home/{{ _ce_provision_username }}/ce-provision/config/files/galaxy-requirements.yml" upgrade_galaxy: enabled: true - command: "{{ _venv_path }}/bin/ansible-galaxy collection install --force" # _venv_path in the _init role - must match ce_provision.venv_path if overridden on_calendar: "Mon *-*-* 04:00:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events diff --git a/roles/debian/ce_provision/meta/requirements-10.yml b/roles/debian/ce_provision/meta/requirements-10.yml deleted file mode 100644 index 2a7be9950..000000000 --- a/roles/debian/ce_provision/meta/requirements-10.yml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -collections: - - name: ansible.posix - - name: ansible.utils - - name: ansible.windows # required by Wazuh roles - - name: community.sops - - name: community.aws - version: ">=5.5.0,<6.0.0" # pinning at version 5.5.x for Python 3.7 - - name: community.general - - name: amazon.aws - version: ">=5.5.0,<6.0.0" # pinning at version 5.5.x for Python 3.7 - -roles: - - name: geerlingguy.varnish - version: "3.3.1" # bad release, remove later when 'master' is gone from here: https://galaxy.ansible.com/ui/standalone/roles/geerlingguy/varnish/ - - name: geerlingguy.firewall - - name: geerlingguy.composer - - name: geerlingguy.clamav diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml index d81941702..30c3aeec3 100644 --- a/roles/debian/ce_provision/tasks/main.yml +++ b/roles/debian/ce_provision/tasks/main.yml 
@@ -219,44 +219,28 @@ content: "PATH=$PATH:{{ _venv_path }}/bin" force: true -- name: Check if ansible-galaxy custom requirements file exists. - ansible.builtin.stat: - path: "{{ ce_provision.galaxy_custom_requirements_file }}" - register: _ce_provision_custom_galaxy_requirements - -- name: Install mandatory ansible-galaxy roles and collections. - ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml --force-with-deps" - become: true - become_user: "{{ ce_provision.username }}" - -- name: Install custom ansible-galaxy roles and collections. - ansible.builtin.command: - cmd: "{{ _venv_path }}/bin/ansible-galaxy install -r {{ ce_provision.galaxy_custom_requirements_file }}" - become: true - become_user: "{{ ce_provision.username }}" - when: _ce_provision_custom_galaxy_requirements.stat.exists - -- name: Create systemd timer to upgrade mandatory ansible-galaxy collections. +- name: Install mandatory ansible-galaxy collections. ansible.builtin.include_role: - name: contrib/systemd_timers + name: debian/ansible_galaxy vars: - timers: - upgrade_ce_provision_ansible_galaxy_mandatory: - timer_command: "{{ ce_provision.upgrade_galaxy.command }} -r {{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml" - timer_user: "{{ ce_provision.username }}" - timer_OnCalendar: "{{ ce_provision.upgrade_galaxy.on_calendar }}" - when: ce_provision.upgrade_galaxy.enabled - -- name: Create systemd timer to upgrade custom ansible-galaxy collections. 
+ ansible_galaxy: + username: "{{ ce_provision.username }}" + extra_params: --force + galaxy_requirements_file: "{{ ce_provision.local_dir }}/roles/debian/ce_provision/meta/requirements-{{ ansible_distribution_major_version }}.yml" + upgrade_galaxy: + enabled: "{{ ce_provision.upgrade_galaxy.enabled }}" + name: ce_provision_mandatory + on_calendar: "{{ ce_provision.upgrade_galaxy.on_calendar }}" + +- name: Install custom ansible-galaxy collections. ansible.builtin.include_role: - name: contrib/systemd_timers + name: debian/ansible_galaxy vars: - timers: - upgrade_ce_provision_ansible_galaxy_custom: - timer_command: "{{ ce_provision.upgrade_galaxy.command }} -r {{ ce_provision.galaxy_custom_requirements_file }}" - timer_user: "{{ ce_provision.username }}" - timer_OnCalendar: "{{ ce_provision.upgrade_galaxy.on_calendar }}" - when: - - _ce_provision_custom_galaxy_requirements.stat.exists - - ce_provision.upgrade_galaxy.enabled + ansible_galaxy: + username: "{{ ce_provision.username }}" + extra_params: --force + galaxy_requirements_file: "{{ ce_provision.galaxy_custom_requirements_file }}" + upgrade_galaxy: + enabled: "{{ ce_provision.upgrade_galaxy.enabled }}" + name: ce_provision_custom + on_calendar: "{{ ce_provision.upgrade_galaxy.on_calendar }}" diff --git a/roles/debian/clamav/README.md b/roles/debian/clamav/README.md index 0a35265c2..f99ff364e 100644 --- a/roles/debian/clamav/README.md +++ b/roles/debian/clamav/README.md @@ -17,6 +17,7 @@ clamav: name: clamscan_daily exclude_directories: - /sys/ + - /var/swap/ scan_location: / log_name: clamav_daily.log # scheduled scans, set to an empty list for no timers diff --git a/roles/debian/swap/README.md b/roles/debian/swap/README.md index 03794a99c..2c56f941d 100644 --- a/roles/debian/swap/README.md +++ b/roles/debian/swap/README.md @@ -13,7 +13,7 @@ Be sure to match the `count` variable to the `size` variable, the `count` variab swap: count: 4096 size: "4G" - swap_space: swapfile + swap_space: /var/swap/swapfile ``` 
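Review bot: in the `roles/debian/ce_deploy/tasks/main.yml` hunk (`@@ -168,60 +168,28 @@`) the mandatory include still passes `galaxy_requirements_file: "{{ ce_deploy.local_dir }}/requirements-{{ ansible_distribution_major_version }}.yml"`, but the task that placed that file (`Copy mandatory ansible-galaxy requirements file to deploy server.`) is removed in the same hunk and `roles/debian/ce_deploy/meta/requirements-10.yml` is deleted, so unless `debian/ansible_galaxy` copies the file itself the install targets a path nothing creates. The `ansible.builtin.stat` task and its `when: _ce_deploy_custom_galaxy_requirements.stat.exists` guard are also dropped, so the custom include now runs unconditionally; either the role must tolerate a missing `galaxy_requirements_file` or the guard should be restored on the include. Finally, `Ensure Ansible venv permissions.` (the recursive chown of `_venv_path` to `ce_deploy.username`) is removed without a visible replacement; confirm the role leaves the venv owned by the deploy user rather than root, otherwise later unprivileged installs into it will fail.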
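Review bot: deleting `roles/debian/ce_provision/meta/requirements-10.yml` (and its ce_deploy counterpart) removes the only version pins in this change: `community.aws` and `amazon.aws` were held at `">=5.5.0,<6.0.0"` for Python 3.7 and `geerlingguy.varnish` at `"3.3.1"` because of a bad release. The requirements path is still built from `ansible_distribution_major_version`, so any remaining Debian 10 host now points at a file that no longer exists, and wherever the replacement requirements live the pins need to be carried over; with `extra_params: --force` on the weekly `upgrade_galaxy` timer, an unpinned entry will pull whatever Galaxy serves next.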
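Review bot: in the `roles/debian/ce_provision/tasks/main.yml` hunk (`@@ -219,44 +219,28 @@`) the mandatory install changes from `--force-with-deps` to `extra_params: --force`, and the custom install, which previously ran with no force flag at all, now also gets `--force`; both are behaviour changes worth a line in the commit message, since `--force` on the include and on the `upgrade_galaxy` timer reinstalls every collection on every run regardless of what is already present. As with ce_deploy, the `_ce_provision_custom_galaxy_requirements` stat guard is gone, so the custom include runs even when `ce_provision.galaxy_custom_requirements_file` does not exist.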
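Review bot: the `roles/debian/clamav/README.md` and `roles/debian/swap/README.md` hunks only touch documentation: `/var/swap/` is added to `exclude_directories` and `swap_space` becomes `/var/swap/swapfile`, but no `defaults/main.yml` for either role appears in this part of the diff. If the defaults are not updated in the same change, the README will describe a swap path and a ClamAV exclusion the roles do not actually apply; the exclusion only helps if the swap file really is created under `/var/swap/`, so the two values should be kept in sync.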
From 63a3168ddc337f09b30a17ccd58c23b0cfd285cd Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Thu, 19 Sep 2024 16:17:58 +0200 Subject: [PATCH 228/331] Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. 
--- roles/debian/nginx/templates/_common.j2 | 5 +++-- roles/debian/nginx/templates/blank.j2 | 5 +++++ roles/debian/nginx/templates/cloudwatch-main.json.j2 | 4 +++- roles/debian/nginx/templates/cloudwatch-vhost.json.j2 | 4 +++- roles/debian/nginx/templates/custom.j2 | 7 ++++++- roles/debian/nginx/templates/docker_registry.j2 | 6 +++++- roles/debian/nginx/templates/drupal10.j2 | 3 +++ roles/debian/nginx/templates/drupal7.j2 | 5 +++++ roles/debian/nginx/templates/drupal8.j2 | 5 +++++ roles/debian/nginx/templates/drupal_common.j2 | 2 ++ roles/debian/nginx/templates/flat.j2 | 5 +++++ roles/debian/nginx/templates/matomo.j2 | 5 +++-- roles/debian/nginx/templates/mattermost.j2 | 5 +++++ roles/debian/nginx/templates/mautic.j2 | 8 ++++++-- roles/debian/nginx/templates/mime.types.j2 | 2 ++ roles/debian/nginx/templates/nginx.conf.j2 | 2 ++ roles/debian/nginx/templates/proxy.j2 | 5 +++++ roles/debian/nginx/templates/simplesamlphp.j2 | 5 +++++ roles/debian/nginx/templates/symfony3.j2 | 5 +++++ roles/debian/nginx/templates/symfony3_prod.j2 | 5 +++++ roles/debian/nginx/templates/symfony4.j2 | 5 +++++ roles/debian/nginx/templates/wordpress.j2 | 6 +++++- 22 files changed, 93 insertions(+), 11 deletions(-) diff --git a/roles/debian/nginx/templates/_common.j2 b/roles/debian/nginx/templates/_common.j2 index 6129a309d..874bd266d 100644 --- a/roles/debian/nginx/templates/_common.j2 +++ b/roles/debian/nginx/templates/_common.j2 @@ -1,5 +1,8 @@ ### {{ ansible_managed }} +# Drupal 10.1 onwards sets X-Content-Type-Options in PHP, see: https://www.drupal.org/node/3334163 +# Consequently that header is no longer set here, it has been moved to project type templates as necessary. + gzip on; gzip_proxied any; gzip_static on; 
@@ -20,5 +23,3 @@ client_body_buffer_size {{ nginx.http.client_body_buffer_size }}; fastcgi_buffer_size {{ nginx.http.fastcgi_buffer_size }} ; fastcgi_buffers {{ nginx.http.fastcgi_buffers }} ; client_max_body_size {{ nginx.client_max_body_size }} ; -# Disable content sniffing, since it's an attack vector. -add_header X-Content-Type-Options nosniff; \ No newline at end of file diff --git a/roles/debian/nginx/templates/blank.j2 b/roles/debian/nginx/templates/blank.j2 index 47768dd92..c2aa187f2 100644 --- a/roles/debian/nginx/templates/blank.j2 +++ b/roles/debian/nginx/templates/blank.j2 @@ -1,3 +1,8 @@ +### {{ ansible_managed }} + #location / { #do something here #} + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/cloudwatch-main.json.j2 b/roles/debian/nginx/templates/cloudwatch-main.json.j2 index 9396f9ab2..f71865390 100644 --- a/roles/debian/nginx/templates/cloudwatch-main.json.j2 +++ b/roles/debian/nginx/templates/cloudwatch-main.json.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + { "logs": { "logs_collected": { @@ -25,4 +27,4 @@ } } } -} \ No newline at end of file +} diff --git a/roles/debian/nginx/templates/cloudwatch-vhost.json.j2 b/roles/debian/nginx/templates/cloudwatch-vhost.json.j2 index a7e3f9576..04463d0fd 100644 --- a/roles/debian/nginx/templates/cloudwatch-vhost.json.j2 +++ b/roles/debian/nginx/templates/cloudwatch-vhost.json.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + { "logs": { "logs_collected": { @@ -33,4 +35,4 @@ } } } -} \ No newline at end of file +} diff --git a/roles/debian/nginx/templates/custom.j2 b/roles/debian/nginx/templates/custom.j2 index 44616f926..4c687c1e1 100644 --- a/roles/debian/nginx/templates/custom.j2 +++ b/roles/debian/nginx/templates/custom.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + location / { try_files $uri /index.php$is_args$args; } 
@@ -8,4 +10,7 @@ location ~ \.php(/|$) { fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; fastcgi_pass {{ nginx.php_fastcgi_backend }}; -} \ No newline at end of file +} + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/docker_registry.j2 b/roles/debian/nginx/templates/docker_registry.j2 index bbc3ef14c..ea204d08c 100644 --- a/roles/debian/nginx/templates/docker_registry.j2 +++ b/roles/debian/nginx/templates/docker_registry.j2 @@ -1,4 +1,5 @@ ### {{ ansible_managed }} + # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) chunked_transfer_encoding on; location /v2/ { @@ -17,4 +18,7 @@ location /v2/ { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 900; -} \ No newline at end of file +} + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/drupal10.j2 b/roles/debian/nginx/templates/drupal10.j2 index c74dc42d0..fee75d6c5 100644 --- a/roles/debian/nginx/templates/drupal10.j2 +++ b/roles/debian/nginx/templates/drupal10.j2 @@ -1,4 +1,7 @@ +### {{ ansible_managed }} + ######### Default block. +# Drupal 10.1 onwards sets X-Content-Type-Options in PHP, see: https://www.drupal.org/node/3334163 # Generic rewrite rule. location @rewrite { diff --git a/roles/debian/nginx/templates/drupal7.j2 b/roles/debian/nginx/templates/drupal7.j2 index daa00a795..31bc0d2b8 100644 --- a/roles/debian/nginx/templates/drupal7.j2 +++ b/roles/debian/nginx/templates/drupal7.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + ######### Default block. # Generic rewrite rule. 
@@ -6,3 +8,6 @@ location @rewrite { } include "/etc/nginx/conf.d/drupal_common"; + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/drupal8.j2 b/roles/debian/nginx/templates/drupal8.j2 index 1ea78977d..d4f3e2901 100644 --- a/roles/debian/nginx/templates/drupal8.j2 +++ b/roles/debian/nginx/templates/drupal8.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + ######### Default block. # Generic rewrite rule. @@ -6,3 +8,6 @@ location @rewrite { } include "/etc/nginx/conf.d/drupal_common"; + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/drupal_common.j2 b/roles/debian/nginx/templates/drupal_common.j2 index 8e3bf96f6..770203509 100644 --- a/roles/debian/nginx/templates/drupal_common.j2 +++ b/roles/debian/nginx/templates/drupal_common.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + ######### Default block. # Generic rewrite rule is in project_type config which includes this one. diff --git a/roles/debian/nginx/templates/flat.j2 b/roles/debian/nginx/templates/flat.j2 index 2e3726b59..31138d440 100644 --- a/roles/debian/nginx/templates/flat.j2 +++ b/roles/debian/nginx/templates/flat.j2 @@ -1,5 +1,10 @@ +### {{ ansible_managed }} + index index.html index.htm index.nginx-debian.html; location / { try_files $uri $uri/ =404; } + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/matomo.j2 b/roles/debian/nginx/templates/matomo.j2 index 7630e5fc7..ab7d76b22 100644 --- a/roles/debian/nginx/templates/matomo.j2 +++ b/roles/debian/nginx/templates/matomo.j2 
@@ -1,7 +1,8 @@ ### {{ ansible_managed }} add_header Referrer-Policy origin always; -add_header X-Content-Type-Options "nosniff" always; +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block" always; # Generic rewrite rule. @@ -25,7 +26,7 @@ location / { # @todo # limit_req zone=bots burst=5 nodelay; {% endif %} - + index index.php; try_files @rewrite /index.php; } diff --git a/roles/debian/nginx/templates/mattermost.j2 b/roles/debian/nginx/templates/mattermost.j2 index 0942bb28c..893fccb3b 100644 --- a/roles/debian/nginx/templates/mattermost.j2 +++ b/roles/debian/nginx/templates/mattermost.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + ## SSL ssl_session_timeout 1d; # Enable TLS versions (TLSv1.3 is required upcoming HTTP/3 QUIC). @@ -52,3 +54,6 @@ location / { proxy_http_version 1.1; proxy_pass http://mattermost; } + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/mautic.j2 b/roles/debian/nginx/templates/mautic.j2 index 6af79196d..92845e808 100644 --- a/roles/debian/nginx/templates/mautic.j2 +++ b/roles/debian/nginx/templates/mautic.j2 @@ -1,4 +1,5 @@ ### {{ ansible_managed }} + ######### Default block. # Generic rewrite rule. @@ -9,13 +10,13 @@ location @rewrite { # PHP fastcgi pass. location @phpprocess { include fastcgi_params; - fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; fastcgi_pass {{ nginx.php_fastcgi_backend }}; } -# Rewrite any request not allowed below, +# Rewrite any request not allowed below, # so they get processed through the app level (and 404). location / { try_files @rewrite @rewrite; 
@@ -74,3 +75,6 @@ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|eot|woff2|ttf)$ { location = /robots.txt { try_files $uri @rewrite; } + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/mime.types.j2 b/roles/debian/nginx/templates/mime.types.j2 index f3f27da19..d8e992918 100644 --- a/roles/debian/nginx/templates/mime.types.j2 +++ b/roles/debian/nginx/templates/mime.types.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + # This file is generated from Ansible template types { {% for mime_type, extensions in nginx.http.mime_types.items() %} diff --git a/roles/debian/nginx/templates/nginx.conf.j2 b/roles/debian/nginx/templates/nginx.conf.j2 index 7d608906e..9b3dbd5f0 100644 --- a/roles/debian/nginx/templates/nginx.conf.j2 +++ b/roles/debian/nginx/templates/nginx.conf.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + user {{ nginx.user }}; worker_processes {{ nginx.worker_processes }}; pid /run/nginx.pid; diff --git a/roles/debian/nginx/templates/proxy.j2 b/roles/debian/nginx/templates/proxy.j2 index 1b2888efe..efad0a6a7 100644 --- a/roles/debian/nginx/templates/proxy.j2 +++ b/roles/debian/nginx/templates/proxy.j2 @@ -1,6 +1,11 @@ +### {{ ansible_managed }} + location / { proxy_pass https://{{ nginx.http.proxy_host }}:{{ nginx.http.proxy_port }}/; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect http:// https://; } + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/simplesamlphp.j2 b/roles/debian/nginx/templates/simplesamlphp.j2 index 9ac4dac1f..9d4da235e 100644 --- a/roles/debian/nginx/templates/simplesamlphp.j2 +++ b/roles/debian/nginx/templates/simplesamlphp.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + location / { try_files $uri /index.php$is_args$args; } 
@@ -12,3 +14,6 @@ location ~ \.php(/|$) { #fastcgi_param SIMPLESAMLPHP_CONFIG_DIR ""; fastcgi_pass {{ nginx.php_fastcgi_backend }}; } + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/symfony3.j2 b/roles/debian/nginx/templates/symfony3.j2 index 3b1d51b41..d4270677a 100644 --- a/roles/debian/nginx/templates/symfony3.j2 +++ b/roles/debian/nginx/templates/symfony3.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + location / { try_files $uri /app_{{ symfony_env }}.php$is_args$args; } @@ -10,3 +12,6 @@ location ~ \.php(/|$) { fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; } + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/symfony3_prod.j2 b/roles/debian/nginx/templates/symfony3_prod.j2 index acf6f1fec..558c04c23 100644 --- a/roles/debian/nginx/templates/symfony3_prod.j2 +++ b/roles/debian/nginx/templates/symfony3_prod.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + location / { try_files $uri /app_{{ symfony_env }}.php$is_args$args; } @@ -19,3 +21,6 @@ location ~ \.php(/|$) { fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; } + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/symfony4.j2 b/roles/debian/nginx/templates/symfony4.j2 index b01fb1a8e..7d6c4a17e 100644 --- a/roles/debian/nginx/templates/symfony4.j2 +++ b/roles/debian/nginx/templates/symfony4.j2 @@ -1,3 +1,5 @@ +### {{ ansible_managed }} + location / { try_files $uri /index.php$is_args$args; } 
@@ -10,3 +12,6 @@ location ~ \.php(/|$) { fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; } + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; diff --git a/roles/debian/nginx/templates/wordpress.j2 b/roles/debian/nginx/templates/wordpress.j2 index a6bf9f460..b273cba79 100644 --- a/roles/debian/nginx/templates/wordpress.j2 +++ b/roles/debian/nginx/templates/wordpress.j2 @@ -1,3 +1,4 @@ +### {{ ansible_managed }} location = /favicon.ico { log_not_found off; @@ -46,4 +47,7 @@ location ~ \.php$ { fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass {{ nginx.php_fastcgi_backend }}; -} \ No newline at end of file +} + +# Disable content sniffing, since it's an attack vector. +add_header X-Content-Type-Options nosniff; From d365903bc114fb3b735288e3edcca97981e0fa1a Mon Sep 17 00:00:00 2001 
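Review bot: the `cloudwatch-main.json.j2` and `cloudwatch-vhost.json.j2` hunks prepend `### {{ ansible_managed }}` to files whose first real line is `{ "logs": {`, i.e. JSON; JSON has no comment syntax, so the rendered CloudWatch agent configuration will no longer parse. Drop the banner from the two `.json.j2` templates (or carry the marker as a JSON field if one is wanted) and consider a `validate:` step on the `ansible.builtin.template` task that runs the rendered file through a JSON parser before it is installed.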
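Review bot: in the `matomo.j2` hunk the existing `add_header X-Content-Type-Options "nosniff" always;` is replaced by `add_header X-Content-Type-Options nosniff;`, which drops `always`; without it nginx only adds the header to 2xx/3xx responses, so 4xx/5xx pages lose the protection the comment says is intended. Keep `always` here, and it would be reasonable to use it on every `add_header X-Content-Type-Options` line this change adds to the other templates.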
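Review bot: the `_common.j2` hunk removes `add_header X-Content-Type-Options nosniff;` from the shared include, and `drupal10.j2` receives only a comment pointing at https://www.drupal.org/node/3334163 rather than the header. Drupal setting the header in PHP covers responses that reach `index.php`, not files nginx serves directly via `try_files $uri`, so Drupal 10 vhosts lose `nosniff` on static and uploaded files, which is exactly where content sniffing matters. Suggest keeping the `add_header` in `drupal10.j2` (a duplicate header on PHP responses is harmless) or scoping it to the static-file locations; note also that nginx only inherits `add_header` into a `location` that declares none of its own, so any template with `add_header` lines inside a location will still drop the one appended at the end of the file.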
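Review bot: in the `wordpress.j2` hunk the `### {{ ansible_managed }}` banner is inserted without the blank line that follows it in every other template in this change (`@@ -1,3 +1,4 @@` versus `@@ -1,3 +1,5 @@` elsewhere); add the blank line for consistency.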
From: Greg Harvey Date: Thu, 19 Sep 2024 17:41:00 +0200 Subject: [PATCH 229/331] Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. --- docs/roles/debian/postfix.md | 2 +- roles/debian/postfix/README.md | 2 +- roles/debian/postfix/defaults/main.yml | 2 +- roles/debian/postfix/templates/transport.j2 | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/docs/roles/debian/postfix.md b/docs/roles/debian/postfix.md index e63f3b70a..afd84b496 100644 --- a/docs/roles/debian/postfix.md +++ b/docs/roles/debian/postfix.md @@ -22,7 +22,7 @@ postfix: networks: "[::1]/128 [::ffff:127.0.0.0]/104 127.0.0.0/8" protocols: all relayhost: "" - transport_maps: + transport_maps: # see Postfix manual examples - https://www.postfix.org/transport.5.html - "* discard :" use_dkim: false # AWS SES config - to authenticate with an IAM user see https://docs.aws.amazon.com/ses/latest/dg/smtp-credentials.html diff --git a/roles/debian/postfix/README.md b/roles/debian/postfix/README.md index e63f3b70a..afd84b496 100644 --- a/roles/debian/postfix/README.md +++ b/roles/debian/postfix/README.md @@ -22,7 +22,7 @@ postfix: networks: "[::1]/128 [::ffff:127.0.0.0]/104 127.0.0.0/8" protocols: all relayhost: "" - transport_maps: + transport_maps: # see Postfix manual examples - https://www.postfix.org/transport.5.html - "* discard :" use_dkim: false # AWS SES config - to authenticate with an IAM user see https://docs.aws.amazon.com/ses/latest/dg/smtp-credentials.html diff --git a/roles/debian/postfix/defaults/main.yml b/roles/debian/postfix/defaults/main.yml index 10e373b83..fb00787d3 100644 --- a/roles/debian/postfix/defaults/main.yml +++ b/roles/debian/postfix/defaults/main.yml @@ -11,7 +11,7 @@ postfix: networks: "[::1]/128 [::ffff:127.0.0.0]/104 127.0.0.0/8" protocols: all relayhost: "" - transport_maps: + transport_maps: # see Postfix manual examples - https://www.postfix.org/transport.5.html - "* discard :" use_dkim: false # AWS SES config - to authenticate with an IAM user see https://docs.aws.amazon.com/ses/latest/dg/smtp-credentials.html diff --git a/roles/debian/postfix/templates/transport.j2 b/roles/debian/postfix/templates/transport.j2 index 46cfabbdf..eb6e69b27 100644 --- a/roles/debian/postfix/templates/transport.j2 +++ b/roles/debian/postfix/templates/transport.j2 
@@ -1,6 +1,6 @@ {{ ansible_hostname }} : {% for transport in postfix.transport_maps %} {% if transport|length %} -{{ transport }} : +{{ transport }} {% endif %} -{% endfor %} \ No newline at end of file +{% endfor %} From e3e92fccc73b0e0fe2d09fcada712e1923bcddfb Mon Sep 17 00:00:00 2001 
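Review bot: Dropping the trailing ` :` after `{{ transport }}` in the transport.j2 hunk is a behaviour change for existing configurations, not only a fix: entries in `postfix.transport_maps` that relied on the old template to append the suffix are now written verbatim, so each entry must itself be a complete `pattern transport:nexthop` line (the default `* discard :` already is). The doc comment added in the three earlier hunks only links to transport(5); state the expected entry format there, and call out the migration in the commit message, since the `docs/` copy mirrors the README and is what users read.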
From: Greg Harvey Date: Thu, 19 Sep 2024 17:49:01 +0200 Subject: [PATCH 230/331] Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. --- roles/debian/postfix/templates/transport.j2 | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/debian/postfix/templates/transport.j2 b/roles/debian/postfix/templates/transport.j2 index eb6e69b27..098bf5265 100644 --- a/roles/debian/postfix/templates/transport.j2 +++ b/roles/debian/postfix/templates/transport.j2 @@ -1,4 +1,5 @@ {{ ansible_hostname }} : +{{ ansible_fqdn }} : {% for transport in postfix.transport_maps %} {% if transport|length %} {{ transport }} From d54a77f6cd22bb6396ab418c468d26d076d8a540 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Fri, 27 Sep 2024 11:45:10 +0200 Subject: [PATCH 231/331] Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_acl/defaults/main.yml | 74 +++++++++---------- .../aws/aws_backup_validation/tasks/main.yml | 5 +- .../templates/EC2_validation.py.j2 | 3 +- .../templates/RDS_validation.py.j2 | 3 +- 4 files changed, 40 insertions(+), 45 deletions(-) diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index ec0f1a0ac..c9be777d3 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml 
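Review bot: The new `{{ ansible_fqdn }} :` line in transport.j2 produces a duplicate key whenever `ansible_fqdn` resolves to the same value as `ansible_hostname` (a host with no domain part configured), and `postmap` warns about duplicate entries when the map is built. Wrap the added line in `{% if ansible_fqdn != ansible_hostname %} ... {% endif %}`, and note in the role docs that local delivery now depends on the FQDN fact being correct on the host.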
@@ -1,33 +1,24 @@ --- aws_acl: - - name: example_master_acl - description: "Master ACL for CF" + - name: "{{ _infra_name }}_main_acl" + description: "ACL rules from ce-provision-config" scope: CLOUDFRONT # Can be REGIONAL for ALBs region: "us-east-1" - tags: {} + tags: "{{ _aws_tags }}" rules: rate_limit: - value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking priority: 2 # can be float with 1 decimal place ip_sets: - - rule_name: "Allowed-ips" - set_name: "Office-IPs" - description: "List of IPs from office" + - rule_name: "Allowed-IPs-rule" + set_name: "Allowed-IPs-set" + description: "List of IPs from our VPNs - Ansible managed" action: allow - priority: 1 # can be float with 1 decimal place - list: [] # If the list is empty, ip set won't be recreated - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 - - rule_name: "Blocked-IPs" - set_name: "DDOS-list" - description: "List of IPs That were ddosing server" - action: block - priority: 0 - list: [] # If the list is empty, ip set won't be recreated - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 + priority: 1 + list: + - 3.11.82.252/32 # main VPN + - 159.100.242.248/32 # backup VPN, bastion2 + - 3.8.9.162/32 # guest VPN country_codes: - name: "allowed-countries" action: allow 
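Review bot: This hunk puts three real allow-listed addresses (`3.11.82.252/32`, `159.100.242.248/32`, `3.8.9.162/32`, annotated as main, backup and guest VPNs and a bastion) into the role's shipped defaults. Two problems follow: any consumer that does not override `aws_acl` gets those addresses allowed through their WAF, and the repository now publishes the organisation's VPN and bastion addresses. Keep the defaults as an empty `list: []` with commented placeholders, as before, and carry the real list in the config repository the description already points at (`ACL rules from ce-provision-config`). Also note that `_infra_name` and `_aws_tags` are now referenced from defaults, so the role fails with an undefined variable unless the caller sets them, that the `Blocked-IPs` rule is dropped entirely rather than left as an empty example, and that `rate_limit.value` goes from 200 to 600 without a mention in the commit message.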
@@ -44,34 +35,35 @@ aws_acl: regular_rules: - name: allow_panels action: allow - statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + statements_type: "single" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements) priority: 4 statements: - - inspect: "UriPath" # Aslo supported: "SingleHeader" + - inspect: "UriPath" # Use: "SingleHeader" or "UriPath" position: "CONTAINS" string: "panels/ajax" text_trans: "NONE" - - name: block_bots - action: block - statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) - priority: 5 - statements: - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "spider" - text_trans: "LOWERCASE" - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "bot" - text_trans: "LOWERCASE" - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "crawl" - text_trans: "LOWERCASE" +# Example for multi header block +# - name: block_bots +# action: block +# statements_type: "or" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements) +# priority: 5 +# statements: +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "spider" +# text_trans: "LOWERCASE" +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "bot" +# text_trans: "LOWERCASE" +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "crawl" +# text_trans: "LOWERCASE" # Managed rules list bot_control: enabled: false - target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + target: "COMMON" # "COMMON" or "TARGETED" inspection level priority: 3 cyber_sec: enabled: false # Need to subscribe first in AWS 
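Review bot: After this hunk the default ACL contains no block rules at all: `block_bots` is commented out and `bot_control.enabled` stays `false`, leaving the rate limit as the only thing that can reject a request. If that is intended, say so in the commit message. In the commented example itself, `inspect: "SingleHeader"` does not show which header is inspected, so a reader copying it cannot tell which header the `spider`/`bot`/`crawl` strings are matched against; add the header name to the example (or to the `# Use: "SingleHeader" or "UriPath"` comment) so the example is usable as written.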
diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index a039cb423..82bc27744 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml @@ -37,8 +37,9 @@ ansible.builtin.wait_for: timeout: 20 -- name: Get verified domain. - ansible.builtin.include_tasks: get_valid_email.yml +# Not all clients have verified identity +#- name: Get verified domain. +# ansible.builtin.include_tasks: get_valid_email.yml - name: Clean and set python functions block: diff --git a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 index 2a0316026..00bce56e7 100644 --- a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 +++ b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 @@ -135,7 +135,8 @@ def lambda_handler(event, context): 'Data': 'Lambda Backup validation: ' + mail_title, }, }, - Source='Lambda Backup Validation ', +# Source='Lambda Backup Validation ', + Source='Lambda Backup Validation ', ) return { diff --git a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 index 1e15e5795..b166803b7 100644 --- a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 +++ b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 @@ -113,7 +113,8 @@ def lambda_handler(event, context): 'Data': 'Lambda Backup validation: ' + mail_title, }, }, - Source='Lambda Backup Validation ', +# Source='Lambda Backup Validation ', + Source='Lambda Backup Validation ', ) print(json.dumps(event)) From 81ba00087d35a5eab6a3f19e5e49421296593e5b Mon Sep 17 00:00:00 2001 
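Review bot: In the tasks/main.yml hunk the `Get verified domain` include is commented out rather than removed, and in both Lambda templates the old `Source=` line is kept as a comment directly above the new one; dead code like this accumulates, and the next patch (#1984) has to touch the same lines again. Delete the lines and rely on git history, keeping the `# Not all clients have verified identity` explanation on the remaining task. Functionally, disabling the verified-domain lookup fixes the sender address in the template, so in an account where that sender identity is not verified SES rejects the send and the backup validation email is never delivered; worth checking that the Lambda surfaces that error instead of only logging the event.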
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Fri, 27 Sep 2024 11:57:51 +0200 Subject: [PATCH 232/331] Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 | 2 +- roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 index 00bce56e7..a40f048b9 100644 --- a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 +++ b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 @@ -135,7 +135,7 @@ def lambda_handler(event, context): 'Data': 'Lambda Backup validation: ' + mail_title, }, }, -# Source='Lambda Backup Validation ', + # Need to replace "codeenigma.net" with _verified_domain variable Source='Lambda Backup Validation ', ) diff --git a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 index b166803b7..a7716ceb3 100644 --- a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 +++ b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 @@ -113,7 +113,7 @@ def lambda_handler(event, context): 'Data': 'Lambda Backup validation: ' + mail_title, }, }, -# Source='Lambda Backup Validation ', + # Need to replace "codeenigma.net" with _verified_domain variable Source='Lambda Backup Validation ', ) From 263178a44d35f77ed8150d51ac6e1a5926b52edc Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Mon, 30 Sep 2024 17:59:18 +0200 Subject: [PATCH 233/331] Removing-gawk-apt (#1985) --- roles/_meta/common_base/meta/main.yml | 1 - 1 file changed, 1 deletion(-) 
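Review bot: The replacement comment `# Need to replace "codeenigma.net" with _verified_domain variable` records a TODO in the rendered Lambda source instead of fixing it, and `_verified_domain` came from the `get_valid_email.yml` include that #1982 disabled, so the variable will not be defined anyway. Make the sender domain a role default that callers override (the `aws_ses` role later in this series does this with `_ses_domain`) and have the template render `Source=` from it, so the hard-coded company domain does not ship to other clients' accounts.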
diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index d5af663a2..100be3501 100644 --- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml @@ -24,7 +24,6 @@ dependencies: - ntp - screen - iptraf-ng - - gawk when: is_local is not defined or not is_local - role: debian/locales - role: debian/user_root From 68af278a6b1f27b58eea3bb2878cd3a10521bb44 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 1 Oct 2024 12:43:35 +0200 Subject: [PATCH 234/331] Adding-gawk-removing-gawk-csh (#1987) --- roles/_meta/common_base/meta/main.yml | 1 + roles/aws/aws_backup/tasks/resource.yml | 1 + roles/debian/apt_extra_packages/tasks/main.yml | 5 +++++ 3 files changed, 7 insertions(+) diff --git a/roles/_meta/common_base/meta/main.yml b/roles/_meta/common_base/meta/main.yml index 100be3501..d5af663a2 100644 --- a/roles/_meta/common_base/meta/main.yml +++ b/roles/_meta/common_base/meta/main.yml @@ -24,6 +24,7 @@ dependencies: - ntp - screen - iptraf-ng + - gawk when: is_local is not defined or not is_local - role: debian/locales - role: debian/user_root diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml index 5343fca11..9942cc200 100644 --- a/roles/aws/aws_backup/tasks/resource.yml +++ b/roles/aws/aws_backup/tasks/resource.yml @@ -69,3 +69,4 @@ ansible.builtin.include_role: name: aws/aws_backup_validation tasks_from: testing_resources + when: _selection_exists.stdout | length == 0 diff --git a/roles/debian/apt_extra_packages/tasks/main.yml b/roles/debian/apt_extra_packages/tasks/main.yml index a83f9a076..d072bba06 100644 --- a/roles/debian/apt_extra_packages/tasks/main.yml +++ b/roles/debian/apt_extra_packages/tasks/main.yml @@ -41,3 +41,8 @@ loop: "{{ wget_list }}" loop_control: loop_var: wget_item + +- name: Remove gawk.csh from /etc/profile.d + ansible.builtin.file: + path: /etc/profile.d/gawk.csh + state: absent 
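Review bot: The `when: _selection_exists.stdout | length == 0` added to the `Create restore testing plan` include in resource.yml ties restore-testing enrolment to the backup selection being created in the same run, so a resource whose selection already exists (every re-run against an existing environment) never gets a restore testing selection; gate the two independently and let the restore-testing tasks do their own existence check. The gawk change is a revert of #1985 from the previous day bundled with an unrelated `/etc/profile.d/gawk.csh` removal; add a comment on the new task saying why the file is removed, otherwise the next reader cannot tell whether it is safe to drop.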
From 773370952fbd23c8864eb628cb124c8826c086e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 2 Oct 2024 05:20:08 +0200 Subject: [PATCH 235/331] Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_backup/tasks/resource.yml | 9 ++++----- .../tasks/testing_resources.yml | 20 ++++++++++++++++++- .../templates/restore_testing.j2 | 2 +- 3 files changed, 24 insertions(+), 7 deletions(-) diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml index 9942cc200..a132a3c32 100644 --- a/roles/aws/aws_backup/tasks/resource.yml +++ b/roles/aws/aws_backup/tasks/resource.yml @@ -65,8 +65,7 @@ aws backup create-backup-selection --backup-plan-id {{ _backup_plan_info.stdout | from_json | json_query('BackupPlanId') }} --backup-selection "{\"SelectionName\":\"{{ backup.selection_name }}\",\"IamRoleArn\":\"{{ _iam_role_arn }}\",\"Resources\":[\"{{ _resource_arn }}\"]}" --region {{ _aws_region }} when: _selection_exists.stdout | length == 0 -- name: Create restore testing plan. - ansible.builtin.include_role: - name: aws/aws_backup_validation - tasks_from: testing_resources - when: _selection_exists.stdout | length == 0 +#- name: Create restore testing plan. +# ansible.builtin.include_role: +# name: aws/aws_backup_validation +# tasks_from: testing_resources diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml index 2776cb24f..0e01a3928 100644 --- a/roles/aws/aws_backup_validation/tasks/testing_resources.yml 
+++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml @@ -55,13 +55,31 @@ path: /tmp/restore_testing.json state: absent +- name: Construct AWS instance type. + vars: + _instance_type: + instance: "EC2" + file-system: "EFS" + db: "RDS" + ansible.builtin.set_fact: + _instance_type_restore: "{{ _instance_type[backup.resource_type] }}" + - name: Create restore testing query file. ansible.builtin.template: src: restore_testing.j2 dest: /tmp/restore_testing.json register: _restore_testing_query +- name: Check if protected reource exist + ansible.builtin.command: > + aws backup list-protected-resources --query "Results[?ResourceArn=='{{ _resource_arn }}']" --region {{ _aws_region }} + register: _protected_res + +- name: Print previous variable + ansible.builtin.debug: + var: _protected_res + - name: Assign EC2 resource to AWS restore testing plan. ansible.builtin.command: > aws backup create-restore-testing-selection --cli-input-json file:///tmp/restore_testing.json --region {{ _aws_region }} - when: _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 + when: _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 and _protected_res.stdout | length != 0 diff --git a/roles/aws/aws_backup_validation/templates/restore_testing.j2 b/roles/aws/aws_backup_validation/templates/restore_testing.j2 index 738bcd2a2..50a1df681 100644 --- a/roles/aws/aws_backup_validation/templates/restore_testing.j2 +++ b/roles/aws/aws_backup_validation/templates/restore_testing.j2 @@ -5,7 +5,7 @@ "ProtectedResourceArns": [ "{{ _resource_arn }}" ], - "ProtectedResourceType": "EC2", + "ProtectedResourceType": "{{ _instance_type_restore }}", "RestoreMetadataOverrides": { "subnetId": "{{ _main_subnets_info.subnets[0].subnet_id }}", "securityGroupIds": "[\"{{ _restore_testing_sg.group_id }}\"]", From c7cc767cf2fb81636b2eef9f6833958cff0410bc Mon Sep 17 00:00:00 2001 
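Review bot: The new `_protected_res.stdout | length != 0` guard on the `Assign EC2 resource` task does not do what `Adding-check-prior-to-assigning-resources` intends: with the CLI's default JSON output, `aws backup list-protected-resources --query "Results[?ResourceArn=='...']"` prints `[]` when nothing matches, a two-character string, so the condition is always true. Parse the output instead, e.g. `(_protected_res.stdout | from_json) | length > 0`, and drop the `Print previous variable` debug task, which dumps the full response into every run's output. Smaller points: `reource` in the task name, and `_instance_type[backup.resource_type]` raises an undefined-key error for any `resource_type` outside the three-entry dict, so either validate `backup.resource_type` up front or give the lookup a default. In the resource.yml hunk the `Create restore testing plan` include is commented out rather than removed, and with it disabled none of the testing_resources.yml changes in this PR are exercised.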
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 2 Oct 2024 12:36:20 +0200 Subject: [PATCH 236/331] Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar --- .../tasks/testing_resources.yml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml index 0e01a3928..15bfc628b 100644 --- a/roles/aws/aws_backup_validation/tasks/testing_resources.yml +++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml @@ -57,22 +57,32 @@ - name: Construct AWS instance type. vars: - _instance_type: + instance_type: instance: "EC2" file-system: "EFS" db: "RDS" ansible.builtin.set_fact: - _instance_type_restore: "{{ _instance_type[backup.resource_type] }}" + _instance_type_restore: "{{ instance_type[backup.resource_type] }}" + when: backup.resource_type != 'file-system' + +- name: Print previous variable + ansible.builtin.debug: + var: instance_type + +- name: Print previous variable + ansible.builtin.debug: + var: _instance_type_restore - name: Create restore testing query file. ansible.builtin.template: src: restore_testing.j2 dest: /tmp/restore_testing.json register: _restore_testing_query + when: _instance_type_restore is defined - name: Check if protected reource exist ansible.builtin.command: > - aws backup list-protected-resources --query "Results[?ResourceArn=='{{ _resource_arn }}']" --region {{ _aws_region }} + aws backup list-protected-resources --query "Results[?ResourceArn=='{{ _resource_arn }}']" --region {{ _aws_region }} register: _protected_res - name: Print previous variable 
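Review bot: Renaming `_instance_type` to `instance_type` takes the lookup table out of the `_`-prefixed private namespace the project uses for role-internal variables, and because it is declared under `vars:` on the `set_fact` task it only exists for that task, so the first `Print previous variable` task added below it will report `instance_type` as undefined. The new `when: backup.resource_type != 'file-system'` silently skips EFS even though `file-system: "EFS"` stays in the table; if EFS restore testing is not supported yet, say so in a comment and drop the dead entry. The change to the `aws backup list-protected-resources` line is whitespace only and should be reverted to keep the diff minimal.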
@@ -82,4 +92,4 @@ - name: Assign EC2 resource to AWS restore testing plan. ansible.builtin.command: > aws backup create-restore-testing-selection --cli-input-json file:///tmp/restore_testing.json --region {{ _aws_region }} - when: _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 and _protected_res.stdout | length != 0 + when: _instance_type_restore is defined and _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 and _protected_res.stdout | length != 0 From 1e1c1550f0741672ea2e993e5765b0094a5c7d6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 2 Oct 2024 17:30:14 +0200 Subject: [PATCH 237/331] Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_ses/defaults/main.yml | 2 ++ roles/aws/aws_ses/tasks/main.yml | 36 ++++++++++++++++++++++++ roles/aws/aws_ses/templates/ses.json.j2 | 37 +++++++++++++++++++++++++ 3 files changed, 75 insertions(+) create mode 100644 roles/aws/aws_ses/defaults/main.yml create mode 100644 roles/aws/aws_ses/tasks/main.yml create mode 100644 roles/aws/aws_ses/templates/ses.json.j2 diff --git a/roles/aws/aws_ses/defaults/main.yml b/roles/aws/aws_ses/defaults/main.yml new file mode 100644 index 000000000..10218b089 --- /dev/null +++ b/roles/aws/aws_ses/defaults/main.yml @@ -0,0 +1,2 @@ +_ses_domain: codeenigma.uk +region: "{{ _aws_region}}" diff --git a/roles/aws/aws_ses/tasks/main.yml b/roles/aws/aws_ses/tasks/main.yml new file mode 100644 index 000000000..62da7c1b5 --- /dev/null +++ b/roles/aws/aws_ses/tasks/main.yml 
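Review bot: In the aws_ses defaults hunk, `_ses_domain: codeenigma.uk` makes a company-specific domain the shipped default of a generic role: any play that includes the role without overriding it creates an SES identity and policy for that domain in the caller's account and DKIM CNAMEs in whatever zone the `core` profile can reach. Leave `_ses_domain` without a default, or set an obvious placeholder, so the role fails early instead. The second default, `region: "{{ _aws_region}}"`, is not read by the tasks, which use `_aws_region` directly, and has a missing space before `}}` (fixed again in #2015); drop it. For the last #1999 hunk, the `when:` now joins four conditions with `and` on one line; the list form of `when:` reads better and matches the style used in the nginx role.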
@@ -0,0 +1,36 @@ +--- +- name: "Ensure {{ _ses_domain }} domain identity exists" + community.aws.ses_identity: + profile: "{{ _aws_profile }}" + identity: "{{ _ses_domain }}" + state: present + region: "{{ _aws_region}}" + +- name: Gather AWS account ID if it isn't already set. + amazon.aws.aws_caller_info: + profile: "{{ _aws_profile }}" + delegate_to: localhost + register: aws_account_id + +- name: Add sending authorization policy to domain identity + community.aws.ses_identity_policy: + identity: "{{ _ses_domain }}" + policy_name: AWSses + policy: "{{ lookup('template', 'ses.json.j2') }}" + state: present + region: "{{ _aws_region }}" + +- name: Fetch SES domain CNAME + ansible.builtin.command: "aws ses verify-domain-dkim --domain {{ _ses_domain }} --region {{ _aws_region }}" + register: ses_dkim_attributes + +- name: Add a DNS records in Route 53 for validation. + amazon.aws.route53: + state: present + zone: "{{ _ses_domain }}" + record: "{{ item }}._domainkey.{{ _ses_domain }}" + profile: "core" + type: CNAME + ttl: 300 + value: "{{ item }}.dkim.amazonses.com" + loop: "{{ ses_dkim_attributes.stdout | from_json | json_query('DkimTokens') }}" diff --git a/roles/aws/aws_ses/templates/ses.json.j2 b/roles/aws/aws_ses/templates/ses.json.j2 new file mode 100644 index 000000000..3230f7bdd --- /dev/null +++ b/roles/aws/aws_ses/templates/ses.json.j2 
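Review bot: In the `Add a DNS records in Route 53` task `profile: "core"` is hard-coded while every other task uses `_aws_profile`, so the role only works in the one organisation whose DNS lives under a profile named `core`; take it from a variable that defaults to `_aws_profile`. The `ses_identity_policy` task has no `profile:` at all and will use whatever credentials the environment provides. The `aws ses verify-domain-dkim` command task has no `changed_when: false`, so the play reports a change on every run; `community.aws.ses_identity` already returns the tokens in `dkim_attributes`, which would avoid shelling out. Also `zone: "{{ _ses_domain }}"` assumes the hosted zone name equals the identity, which breaks for a subdomain identity, and `register: aws_account_id` should be `_`-prefixed like the rest of the role's internal variables.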
@@ -0,0 +1,37 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ses:SendEmail", + "ses:PutEmailIdentityDkimAttributes", + "ses:PutEmailIdentityDkimSigningAttributes", + "ses:ListRecommendations", + "ses:BatchGetMetricData", + "ses:UntagResource", + "ses:TagResource", + "ses:PutEmailIdentityMailFromAttributes", + "ses:PutEmailIdentityFeedbackAttributes", + "ses:PutEmailIdentityConfigurationSetAttributes", + "ses:DeleteEmailIdentityPolicy", + "ses:DeleteEmailIdentity", + "ses:UpdateEmailIdentityPolicy", + "ses:CreateDeliverabilityTestReport", + "ses:CreateEmailIdentityPolicy", + "ses:GetDomainStatisticsReport", + "ses:GetEmailIdentityPolicies", + "ses:GetEmailIdentity", + "ses:SendBulkTemplatedEmail", + "ses:SendTemplatedEmail", + "ses:SendRawEmail" + ], + "Principal": { + "AWS": [ + "{{ aws_account_id.account }}" + ] + }, + "Resource": "arn:aws:ses:{{ _aws_region }}:{{ aws_account_id.account }}:identity/{{ _ses_domain }}" + } + ] +} From b9f7099767fa56bec6de73db62e3c0f83129c4d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 9 Oct 2024 15:43:18 +0200 Subject: [PATCH 238/331] Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar --- roles/aws/aws_ses/defaults/main.yml | 2 +- roles/aws/aws_ses/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_ses/defaults/main.yml b/roles/aws/aws_ses/defaults/main.yml index 10218b089..b421f2fc5 100644 --- a/roles/aws/aws_ses/defaults/main.yml +++ b/roles/aws/aws_ses/defaults/main.yml @@ -1,2 +1,2 @@ _ses_domain: codeenigma.uk -region: "{{ _aws_region}}" +region: "{{ _aws_region }}" diff --git a/roles/aws/aws_ses/tasks/main.yml b/roles/aws/aws_ses/tasks/main.yml index 62da7c1b5..ffa4bba50 100644 --- a/roles/aws/aws_ses/tasks/main.yml +++ b/roles/aws/aws_ses/tasks/main.yml 
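Review bot: The sending authorization policy's `Principal` is the account that owns the identity (`aws_account_id.account` from the same `_aws_profile`, with the identity ARN in that same account), so the policy grants nothing the account does not already have; a sending authorization policy exists to let a different principal (another account, or a specific role) send from the identity, and that principal is what belongs here. The action list is also far wider than a sending policy can use: only the `ses:Send*` actions are meaningful for sending authorization, while `ses:DeleteEmailIdentity`, `ses:DeleteEmailIdentityPolicy`, `ses:UpdateEmailIdentityPolicy` and the other management actions are IAM-policy matters and widen the grant for no benefit. Trim it to `ses:SendEmail`, `ses:SendRawEmail` and the templated variants, and scope the principal to the role that actually sends.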
@@ -4,7 +4,7 @@ profile: "{{ _aws_profile }}" identity: "{{ _ses_domain }}" state: present - region: "{{ _aws_region}}" + region: "{{ _aws_region }}" - name: Gather AWS account ID if it isn't already set. amazon.aws.aws_caller_info: From 6de09d05de45dbac468beab4038c1a9b4fc83da2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 10 Oct 2024 11:50:54 +0200 Subject: [PATCH 239/331] Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar --- .../tasks/testing_resources.yml | 24 ++++++------------- ...tore_testing.j2 => EC2_restore_testing.j2} | 0 .../templates/EC2_validation.py.j2 | 2 +- .../templates/RDS_restore_testing.j2 | 16 +++++++++++++ .../templates/RDS_validation.py.j2 | 2 +- 5 files changed, 25 insertions(+), 19 deletions(-) rename roles/aws/aws_backup_validation/templates/{restore_testing.j2 => EC2_restore_testing.j2} (100%) create mode 100644 roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml index 15bfc628b..99e2cc425 100644 --- a/roles/aws/aws_backup_validation/tasks/testing_resources.yml +++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml @@ -26,7 +26,7 @@ amazon.aws.ec2_vpc_subnet_info: region: "{{ _aws_region }}" filters: - vpc-id: "{{ _main_vpc_info.vpcs[0].vpc_id }}" + vpc-id: "{{ _main_vpc_info.vpcs[0].vpc_id}}" register: _main_subnets_info - name: Create SG for restored instances. 
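Review bot: The `vpc-id:` change in the first #2018 hunk removes the space before `}}` (`vpc_id}}`), a step backwards from the previous line and the opposite of what #2015 fixed for `_aws_region }}`; it looks like the conflict resolution picked the wrong side. Restore `{{ _main_vpc_info.vpcs[0].vpc_id }}`.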
@@ -55,27 +55,21 @@ path: /tmp/restore_testing.json state: absent -- name: Construct AWS instance type. - vars: +- name: Construct AWS instance type dict. + ansible.builtin.set_fact: instance_type: instance: "EC2" file-system: "EFS" db: "RDS" + +- name: Set instance type for template. ansible.builtin.set_fact: _instance_type_restore: "{{ instance_type[backup.resource_type] }}" when: backup.resource_type != 'file-system' -- name: Print previous variable - ansible.builtin.debug: - var: instance_type - -- name: Print previous variable - ansible.builtin.debug: - var: _instance_type_restore - - name: Create restore testing query file. ansible.builtin.template: - src: restore_testing.j2 + src: "{{ _instance_type_restore }}_restore_testing.j2" dest: /tmp/restore_testing.json register: _restore_testing_query when: _instance_type_restore is defined @@ -85,11 +79,7 @@ aws backup list-protected-resources --query "Results[?ResourceArn=='{{ _resource_arn }}']" --region {{ _aws_region }} register: _protected_res -- name: Print previous variable - ansible.builtin.debug: - var: _protected_res - -- name: Assign EC2 resource to AWS restore testing plan. +- name: Assign {{ _instance_type_restore }} resource to AWS restore testing plan. ansible.builtin.command: > aws backup create-restore-testing-selection --cli-input-json file:///tmp/restore_testing.json --region {{ _aws_region }} when: _instance_type_restore is defined and _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 and _protected_res.stdout | length != 0 diff --git a/roles/aws/aws_backup_validation/templates/restore_testing.j2 b/roles/aws/aws_backup_validation/templates/EC2_restore_testing.j2 similarity index 100% rename from roles/aws/aws_backup_validation/templates/restore_testing.j2 rename to roles/aws/aws_backup_validation/templates/EC2_restore_testing.j2 
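Review bot: With `src: "{{ _instance_type_restore }}_restore_testing.j2"` the template name is derived from the lookup table, so every value in `instance_type` needs a matching template; `file-system: "EFS"` has none and is excluded by the `when`, so either add `EFS_restore_testing.j2` or drop the entry and comment that EFS is not supported. `instance_type` is now a persistent fact without the `_` prefix, so it leaks into every later role in the play. The `_protected_res.stdout | length != 0` guard on the assign task is carried over unchanged and still has the problem noted at #1990: the JSON output `[]` is never length 0.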
diff --git a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 index a40f048b9..1b1ace841 100644 --- a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 +++ b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 @@ -136,7 +136,7 @@ def lambda_handler(event, context): }, }, # Need to replace "codeenigma.net" with _verified_domain variable - Source='Lambda Backup Validation ', + Source='Lambda Backup Validation ', ) return { diff --git a/roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 b/roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 new file mode 100644 index 000000000..96343c090 --- /dev/null +++ b/roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 @@ -0,0 +1,16 @@ +{ + "RestoreTestingPlanName": "{{ _testing_plan_info.stdout | from_json | json_query("RestoreTestingPlanName") }}", + "RestoreTestingSelection": { + "IamRoleArn": "{{ _default_backup_role_arn.iam_roles[0].arn }}", + "ProtectedResourceArns": [ + "{{ _resource_arn }}" + ], + "ProtectedResourceType": "{{ _instance_type_restore }}", + "RestoreMetadataOverrides": { + "vpcSecurityGroupIds": "[\"{{ _restore_testing_sg.group_id }}\"]", + "dbsubnetgroupname": "{{ aws_vpc.name }}" + }, + "RestoreTestingSelectionName": "{{ backup.selection_name | replace("-", "_") }}", + "ValidationWindowHours": 1 + } +} diff --git a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 index a7716ceb3..776ea5030 100644 --- a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 +++ b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 @@ -114,7 +114,7 @@ def lambda_handler(event, context): }, }, # Need to replace "codeenigma.net" with _verified_domain variable - Source='Lambda Backup Validation ', + Source='Lambda Backup Validation ', ) print(json.dumps(event)) 
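Review bot: `RDS_restore_testing.j2` hard-codes `"dbsubnetgroupname": "{{ aws_vpc.name }}"`, which assumes a DB subnet group exists with exactly the VPC's name and couples this role to the `aws_vpc` role's variable; make the subnet group name an explicit variable with that as its default. `ValidationWindowHours` is fixed at 1 in both templates; expose it through `backup` so a slow restore does not fail validation. In the EC2 and RDS `_validation.py.j2` hunks the `Source=` line is changed once more while the `# Need to replace "codeenigma.net"` TODO stays, so the sender is still hard-coded.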
From 11bbb4f98563f588036da2206a96bab57ffc55cb Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 10 Oct 2024 12:24:58 +0200 Subject: [PATCH 240/331] Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars --- roles/debian/nginx/tasks/ssl.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/debian/nginx/tasks/ssl.yml b/roles/debian/nginx/tasks/ssl.yml index 32097e9e2..fe42e9fca 100644 --- a/roles/debian/nginx/tasks/ssl.yml +++ b/roles/debian/nginx/tasks/ssl.yml @@ -2,7 +2,7 @@ - name: LetsEncrypt create vhosts. when: - domain.ssl.handling == 'letsencrypt' - - domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 + - (domain.ssl.services | default([])) | length >= 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 block: - name: Temporarily place a vhost for LetsEncrypt to work. ansible.builtin.template: @@ -33,7 +33,7 @@ - name: LetsEncrypt cleanup vhosts. when: - domain.ssl.handling == 'letsencrypt' - - domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 + - (domain.ssl.services | default([])) | length >= 0 # if services[] is defined we can assume we are running certbot on port 80 or 443 block: - name: Delete the link to the vhost for LetsEncrypt. ansible.builtin.file: From 9cc13a0a4517bb021bb079c45cd7cab9dad58b32 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Mon, 14 Oct 2024 13:43:05 +0100 Subject: [PATCH 241/331] r70260 Option to ignore false-positive shared memory segment warnings (#2023) --- roles/debian/rkhunter/defaults/main.yml | 1 + roles/debian/rkhunter/templates/rkhunter.conf.j2 | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/roles/debian/rkhunter/defaults/main.yml b/roles/debian/rkhunter/defaults/main.yml index 8e9226610..0a7c0943f 100644 
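Review bot: In both ssl.yml hunks `(domain.ssl.services | default([])) | length >= 0` is always true (a list's length is never negative), so the condition now does nothing and the `when:` effectively reduces to `domain.ssl.handling == 'letsencrypt'`, while the comment on the same line still claims the block only runs when `services[]` is defined. If the intent is to place the vhost whenever LetsEncrypt handling is selected, delete the line and update the comment; if the intent is only to tolerate a missing key, `(domain.ssl.services | default([])) | length > 0` keeps the original meaning.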
--- a/roles/debian/rkhunter/defaults/main.yml +++ b/roles/debian/rkhunter/defaults/main.yml @@ -31,6 +31,7 @@ rkhunter: - /etc/.etckeeper allowdevfile: - /dev/shm/network/ifstate + allowipcproc: [] allow_system_remote_logging: "0" supscan_directories: "/tmp /var/tmp" supscan_maxsize: "10240000" diff --git a/roles/debian/rkhunter/templates/rkhunter.conf.j2 b/roles/debian/rkhunter/templates/rkhunter.conf.j2 index c049dd3f0..3ab3f73c6 100644 --- a/roles/debian/rkhunter/templates/rkhunter.conf.j2 +++ b/roles/debian/rkhunter/templates/rkhunter.conf.j2 @@ -1238,3 +1238,8 @@ INSTALLDIR=/usr #EMPTY_LOGFILES="" #MISSING_LOGFILES="" +# Option to ignore false-positive shared memory segment warnings +{% for item in rkhunter.allowipcproc %} +ALLOWIPCPROC={{ item }} +{% endfor %} + From 3624d589aa854ccc9ec3e71c0188fc355a075920 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 17 Oct 2024 12:37:05 +0200 Subject: [PATCH 242/331] Adding-wazuh-ossec-from-enigma00a (#2027) --- .../var-ossec-rules-local_decoder.xml.j2 | 12 + .../templates/var-ossec-rules-local_rules.xml | 2783 +++++++++++++++++ 2 files changed, 2795 insertions(+) create mode 100644 roles/debian/wazuh/templates/var-ossec-rules-local_decoder.xml.j2 create mode 100644 roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml diff --git a/roles/debian/wazuh/templates/var-ossec-rules-local_decoder.xml.j2 b/roles/debian/wazuh/templates/var-ossec-rules-local_decoder.xml.j2 new file mode 100644 index 000000000..9d2ca3221 --- /dev/null +++ b/roles/debian/wazuh/templates/var-ossec-rules-local_decoder.xml.j2 @@ -0,0 +1,12 @@ + + + ^drupal + \d+.\d+.\d+.\d \S+|\d+|\w+| + (\d+.\d+.\d+.\d+)\|(\.+)\|\.*\|\d+\|\.*\|(\.+) + srcip,url,data + diff --git a/roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml b/roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml new file mode 100644 index 000000000..f9179432a --- /dev/null 
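Review bot: for PATCH 241/331, the new `allowipcproc: []` default in roles/debian/rkhunter/defaults/main.yml carries no documentation of what an entry is or what it does, yet every item rendered as `ALLOWIPCPROC={{ item }}` exempts that process from rkhunter's shared memory segment check, so an over-broad entry silently disables a detection rather than just quieting a warning. Suggest a comment beside the default (and in the role README, if there is one) stating that entries are process pathnames, the form rkhunter's ALLOWIPCPROC option expects, and should be added only for confirmed false positives, e.g. `allowipcproc: [] # full paths of processes allowed to hold shared memory segments; confirmed false positives only`. The template hunk also adds a trailing empty `+` line after `{% endfor %}`, which can be dropped.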
+++ b/roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml 
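Review bot: the new decoder is shipped as a `.j2` template (var-ossec-rules-local_decoder.xml.j2) while the rules file added in the same commit is plain `.xml`, and the commit touches only these two template files, so nothing in the wazuh role yet renders or copies either of them into place; either add the deployment tasks in this PR or settle on one convention (both `.j2` via `ansible.builtin.template`, or both plain via `ansible.builtin.copy`) so a later task does not need two code paths. A short comment in the decoder noting that the patterns use OSSEC's own regex dialect (`\.+` meaning "any characters", a plain `.` being literal in the `\d+.\d+.\d+.\d` prematch) would also help, since a reader used to PCRE will misread `(\.+)` as "one or more dots".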
@@ -0,0 +1,2783 @@ + + + + + + + + + + + + + + + + + + + + + 1002 + ^pound + Connection timed out + Pound SSL network event ignored + + + + 1002 + ^pound + Connection reset by peer + Pound SSL network event ignored + + + + 1002 + ^pound + e500 error copy client cont to + Pound SSL network event ignored + + + + 1002 + ^pound + error copy chunk cont + Pound SSL network event ignored + + + + 1002 + ^pound + error copy server cont + Pound SSL network event ignored + + + + 1002 + ^pound + /misc/message-24-error.png + Pound SSL network event ignored + + + + 1002,31421 + Call to undefined function + PHP bugs + + + + 1002 + ^drupal + access denied + Access denied to parts of gcl website + + + + 1002 + ^drupal + Internal server error for link + Broken links on GCL via linkchecker module + + + + 1002 + Illegal choice + Message we cannot do anything about + + + + 1002 + ^drupal + XML_ERR_NAME_REQUIRED + Feed problems on enigma6 eiu-research + + + + 1003 + ^drupal + loginticket_login result on fastlogin_init + Very large syslog messages tripping up OSSC on gcl-app1 + + + + 1003 + ^drupal + Call of SugarCRM function + Very large syslog messages tripping up OSSC on gcl-app1 + + + + 1002 + ^drupal + Login attempt (using the "notifications" login ticket + Failed attempt to login to GCL using notifications tickets + + + + 1002 + ^drupal + mollom.getImageCaptcha + Mollom outages + + + + 1002 + ^drupal + All servers unavailable + Mollom outages + + + + 1002 + ^drupal + All servers unreachable or returning errors + Mollom outages + + + + 1002 + ^drupal + mollom.getServerList + Mollom outages + + + + 1002 + ^drupal + Oracle_Project_Failure_Cover + Filename with the word failure + + + + 1003 + ^ovpn-openvpn + PUSH_REPLY + Large OpenVPN syslog message, pushing routes to the user + + + + 1003 + ^drupal + gcl.prod.codeenigma.com:80/sugarcrm + Large SugarCRM messsages + + + + 1003 + ^drupal + www.gamblingcompliance.com/node + Large Drupal watchdog messages + + + + 1003 + ^drupal + 
www.gamblingcompliance.com/contact + Large Drupal watchdog messages + + + + 1003 + ^drupal + www.gamblingdata.com/contact + Large Drupal watchdog messages + + + + 40101 + ^su + root:nobody + Crons from cron.daily + + + + 1003 + ^drupal + www.gamblingcompliance.com/search/site + Large Drupal watchdog messages + + + + 1003 + ^drupal + Searched Site for + Large Drupal watchdog messages + + + + 1002,1003 + ^drupal + disallowed Unicode code + Unicode errors due to sites that need updating so they work with current PHP versions + + + + 1002 + ^drupal|wcc + Undefined property + PHP warnings and errors + + + + 1002 + ^drupal|wcc + Undefined variable + PHP warnings and errors + + + + 1002,1003 + ^drupal|wcc + Trying to get property of non-object + PHP warnings and errors + + + + 1002 + ^drupal|wcc + to be array, + PHP warnings and errors + + + + 1002 + ^/USR/SBIN/CRON + (CRON) error (grandchild # + Failing crontabs + + + + 1002 + ^ovpn-openvpn + Connection refused + Disconnecting VPN clients + + + + 1002 + ^drupal + Use of undefined constant + PHP bugs in EC sites + + + + 1002,1003 + ^drupal|wcc + Undefined index + PHP bugs in sites + + + + 1002 + ^ovpn-openvpn + TLS Error + Disconnecting VPN clients + + + + 1002 + ^ovpn-openvpn + tls-error + Disconnecting VPN clients + + + + 1002 + ^ovpn-openvpn + Bad LZO decompression header + Disconnecting VPN clients + + + + 1003 + ^drupal + Retrieved new CAPTCHA + Verbose Mollom logging + + + + 1003 + ^drupal + Incorrect CAPTCHA + Verbose Mollom logging + + + + 1003 + rest.mollom.com + Mollom messages are often too verbose and trip OSSEC on 1003 + + + + 1002 + Finished processing scheduled jobs + Job Scheduler in Drupal uses the word 'failed' even when 100% success. 
Ignore + + + + 1002 + Preventing ms_DRBD_NFS from re-starting on + monitors can't run resources + + + + 1002 + ^nslcd + request denied by validnames option + Jenkins Duplicity jobs trigger nslcd verbose message + + + + 1002 + ^php + No buffer to delete in /usr/share/php/pearcmd.php on line 19 + Ignore buggy pearcmd.php on PHP 5.4 + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + failed with code + Buggy feed app + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + Apache Solr + Solr comm fail + + + + 1003 + airmic-app2.codeenigma.net + ^drupal + IDS Detector Details + airmic civicrm + + + + 1003 + airmic-app2.codeenigma.net + ^drupal + apachesolr_search + airmic solr + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + oauth_consumer_key + airmic mollom + + + + 1002 + ^nagios3 + SOLR Cores + Ignore automatic SOLR alerts on midnight + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + The page you requested is currently unavailable + civicrm + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + Terrorism + civicrm + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + DB Error: already exists + civicrm + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + Could not find valid value for id + civicrm + + + + 1003 + airmic-app2.codeenigma.net + ^drupal + backTrace + civicrm + + + + 1003 + airmic-app2.codeenigma.net + ^drupal + civicrm + Airmic CiviCRM + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + We can't load the requested web page + Airmic CiviCRM + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + You do not have permission to access this page + Airmic CiviCRM + + + + 1003 + airmic-app2.codeenigma.net + ^drupal + has answered your question + Airmic CiviCRM + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + ERROR_CONTACT + Airmic CiviCRM + + + + 1002 + ^nslcd + Can't contact LDAP server + Occasional connection closures on LDAP lookups from remote locations + + + + 1002 + ^rngd + FIPS 140-2 failures + rngd-tools + + + + 1002,1003 + ^drupal|wcc + 
Invalid argument supplied for foreach + Bug in site + + + + 1002 + wt-stage2.codeenigma.net + ^drupal + SearchApiSolrConnection + Badly configured Solr + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + Solr + Badly configured Solr + + + + 1002 + ^drupal + seems to be broken + Bad feeds + + + + 1003 + wt-app3.codeenigma.net|wt-app4.codeenigma.net + ^drupal + swf.swf + Bad URL + + + + 1002 + wt-app3.codeenigma.com|wt-app4.codeenigma.net + ^drupal + SearchApiSolrConnection + Bad Solr config + + + + DatabaseConnection->escapeLike + SQL attempt in form + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + failed with code 410 + Bad twitter feed + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + foreach + Bad code + + + + 1002 + wt-app3.codeenigma.net|wt-app4.codeenigma.net + ^drupal + aspxerrorpath + Bad URL + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + stat failed + Missing files + + + + 1002 + redactive-dev2.codeenigma.net + ^drupal + SearchApiException while optimizing Solr server + Missing solr + + + + 1002 + ^drupal + seems to be broken + Bad feeds + + + + 1002 + ^drupal + Bad RequestApache + Bad solr + + + + 1002,1003 + terror|error.asp + The word terror is not considered a hacking attack + + + + 1002 + bad|attack + These words are harmless + + + + 1002 + ^systemd + Failed to read PID from file + Harmless bug + + + + 1002 + swift-app1.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-dev5.codeenigma.net|myscience-app6.codeenigma.net + Compilation failed + Harmless bug + + + + 1002 + monitor3.codeenigma.net|monitor2.codeenigma.com + ^nagios3 + SERVICE + Noisy Nagios will alert us itself if there is a real problem + + + + 1002 + ^kernel + floppy: error -5 while reading block 0 + Noise + + + + 1002 + ^systemd + Failed to reset devices.list on /system.slice + Noise + + + + 1002 + ^drupal + check the manual that corresponds to your MySQL server version for the right syntax to use near + 
Buggy code + + + + 1002 + ^drupal|cricknet + Connection refused in SearchApiSolrConnection + Ignore harmless solr error + + + + 1002 + monitor3.codeenigma.net + ^ntop + rrd_update + Ignore nTop messages + + + + 1002 + Illegal string offset + Noisy PHP bug + + + + 1002,1003 + wt-stage2.codeenigma.net + ^drupal + 401 Unauthorized + Noisy stage sites + + + + 1002 + monitor3.codeenigma.net + ^ovpn-openvpn + AUTH_FAILED|TLS Auth Error|PLUGIN_AUTH_USER_PASS_VERIFY failed|SSL3_GET_CLIENT_CERTIFICATE + Failed attempt to login to OpenVPN + + + + 1002 + ^drupal + Error sending e-mail + failed email send + + + + 1002 + jenkins2.codeenigma.net + ^openvpn + fail + Ignore failing VPN + + + + 1002 + monitor3.codeenigma.net + ^ovpn-openvpn + bad packet ID + Flaky OpenVPN clients + + + + 1002 + ^drupal + The file upload failed + Buggy client code or some other app issue + + + + 1003 + jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net + mapping-ISOLatin1Accent.txt + Solr noise + + + + 1002 + jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net + Internal Server Error: Internal Server Error in apachesolr_cron + Solr noise + + + + 1002 + Feed processing failed + App noise + + + + + 1002 + jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net + The configuration file {/var/www/piwik/config/config.ini.php} has not been found or could not be read + Piwik not installed + + + + 1002 + jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net + An unexpected website was found in the request + Piwik fail + + + + 1003 + ^drupal + Reacting on event + Large syslog messages on aps + + + + 1002 + nycc-app3.codeenigma.net|nycc-dev2.codeenigma.net + Connection refused + Solr error + + + + 1002 + wt-app3.codeenigma.net|wt-app4.codeenigma.net|wt-stage2.codeenigma.net + ^drupal + Invalid view mode + Bad code + + + + 1002 + ^freshclam + 
Can't find or parse configuration file /etc/clamav/clamd.conf + Jessie upgrade + + + + 1003 + nycc-dev2.codeenigma.net|nycc-app3.codeenigma.net + unknown field + Noisy syslog message + + + + 1002 + nycc-app3.codeenigma.net|nycc-dev2.codeenigma.net + Name or service not known + Noisy syslog message + + + + 1002 + nycc-app3.codeenigma.net|nycc-dev2.codeenigma.net + A fast 404 test + Noisy syslog message + + + + 1002 + /usr/bin/filebeat + SSL client failed to connect + Ignore noisy disconnections + + + + 31421 + wt-stage2.codeenigma.net + planer_three_region.inc + Ignore noisy bug on WT stage + + + + 1002 + freshclam + Can't download + Ignore clamav outage + + + + 1002 + freshclam + Connection refused + Ignore clamav outage + + + + 1002 + drupal + redactive-app3.codeenigma.net + Undefined offset + Ignore buggy code + + + + 1002 + monitor3.codeenigma.net|monitor2.codeenigma.com + ^nagios3 + API returned error + Buggy Pingdom or Statuscake + + + + 1002 + wt-stage2.codeenigma.net|wt-app3.codeenigma.net|wt-app4.codeenigma.net + ^drupal + Can't contact LDAP server + Ignore LDAP alerts in Drupal + + + + 1002,1003 + Illegal offset type + Buggy code + + + + 1003 + airmic-app2.codeenigma.net + cron running apachesolr_nodeapi_mass_delete + Harmless message + + + + 1002,1003 + Data too long for column + Noisy MySQL exception + + + + 1002,1003 + wt-stage2.codeenigma.net + swf.swf + More awful coding by apparent professionals + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + TotalRequests Limit exceeded + salesforce issue + + + + 3330 + ^postfix + 451 Internal resource temporarily unavailable + greylisting + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + is not of the type Positive + civicrm issue + + + + 1002 + ^drupal + bytes in _dmemcache_get_pieces() + Bug in memcache module in distributed setups + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + failed to load destination URL + ads issue + + + + 1002 + wt-app3.codeenigma.net|wt-app4.codeenigma.net + ^drupal + 
error404 + false positive + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + chain + false positive + + + + 1003 + ^drupal + nycc-app3.codeenigma.net|nycc-dev2.codeenigma.net + .asp + Bot noise + + + + 1002 + ^varnishd + VCL_MET_BACKEND_ERROR + Normal Varnish reload + + + + 1002 + ^varnishd + backend_error + Normal Varnish reload + + + + 1002 + ^varnishd + synth+error + Normal Varnish reload + + + + 1002 + ^varnishd + Return error code 405 + Normal Varnish reload + + + + 1002 + ^varnishd + h1 + Normal Varnish reload + + + + 1002 + ^varnishd + invisibly + Normal Varnish reload + + + + 1002,1003 + ^drupal + Missing bundle property on entity of type + Buggy site + + + + drupal + php module enabled + PHP module has been enabled on this Drupal site + + + + 1002,1003 + ^drupal + Data truncated for column + Buggy site + + + + 1003 + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net + ^drupal + EntityStructureWrapper + Buggy site + + + + 1003 + swift-app1.codeenigma.net + ^drupal + doubleclick + False positive + + + + 1002 + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-dev5.codeenigma.net|myscience-app6.codeenigma.net + ^drupal + from no-reply@stem.org.uk|Failed sending email + Bad mail attempts + + + + 1002 + govwales-app3.codeenigma.net|govwales-app4.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + ^drupal + Request failed: Connection refused + Bad solr + + + + 1002,1003 + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net + ^drupal + field_organisation_target_id + Buggy site + + + + 1003 + swift-app1.codeenigma.net + ^drupal + flashtalking + Big referer + + + + 1002 + ^drupal|wcc + as the parent data structure is not set + Buggy site + + + + 1002 + jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net 
+ ^snmpd + get_errorcounters + SNMP message + + + + 1002,1003 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + ^drupal + Recieved + Varnish noise + + + + 1002,1003 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + ^drupal + Authentication to server failed + Varnish noise + + + + 1002,1003 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + ^drupal + Socket error + Varnish noise + + + + 40111 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + ^varnishd + CLI Authentication failure from telnet + Varnish noise + + + + 1002,1003 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + ^drupal + Request failed + Varnish noise + + + + 1003 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + CLI telnet + Varnish noise + + + + 1003 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + ^drupal + Expiration was executed + Varnish noise + + + + 1003 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + ^drupal + Rd ban req.http.host + Varnish noise + + + + 1002 + ^drupal + Unable to render media + Buggy site + + + + 31412,31421,1002 + airmic-app2.codeenigma.net + adserve.inc on line 274 + Buggy site + + + + 1003 + ^varnishd + CLI telnet 127.0.0.1 + Varnish noise + + + + 1002 + redactive-app3.codeenigma.com + ^drupal + Unexpected error the MTL API + 3rd party service down + + + + 1002 + puppet3.codeenigma.net + failedbackupscheck + Harmless script name + + + + 1002 + wt-app3.codeenigma.net|wt-app4.codeenigma.net + 500-unexpected-error-occured + Noisy 404s + + + + 1002 + ^dockerd + be forced + Noisy docker cleanup + + + + 1002 + monitor3.codeenigma.net|monitor2.codeenigma.com + 
^nagios3 + A TLS packet with unexpected length was received + Flaky network + + + + 1002 + monitor3.codeenigma.net|monitor2.codeenigma.com + ^nagios3 + Empty reply from server + Flaky network + + + + 1002 + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net + ^drupal + failed to open file handle + Buggy code + + + + 1003 + swift-app1.codeenigma.net + ^drupal-exacom + exa_rules + Noisy code + + + + 1002,1003 + swift-app1.codeenigma.net + ^drupal + Attempting to re-run cron while it is already running + cron collision + + + + 1002 + ^sshd + no matching cipher found + crawler + + + + 1002 + monitor3.codeenigma.net|monitor2.codeenigma.com + ^nagios3 + Was both Username and API Key provided + crawler + + + + 1002 + airmic-app2.codeenigma.net + ^drupal + PEAR_ErrorStack::singleton + deprecated code + + + + 1002,1003 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + ^drupal + rbipdebug + debug code + + + + 1002 + jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net + __clone method called on non-object in + buggy code + + + + 1002,1003 + wt-stage2.codeenigma.net + ^drupal + SearchApiException while + buggy code + + + + 1002,1003 + airmic-app2.codeenigma.net + ^simplesamlphp + Use of undefined constant AIRMIC_SIMPLESAMLPHP_SAML20_IDP_REMOTE + buggy code + + + + 1002,1003 + airmic-app2.codeenigma.net|hlt-app1.codeenigma.net|rcpch-dev2.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net + ^simplesamlphp|SimpleSAMLphp + Error|Headers|errors + buggy code + + + + 1002 + The following module is missing from the file system + Noisy code + + + + 1002,1003 + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net + ^drupal + METADATANOTFOUND + buggy code + + + + 1003 + no_email_alert + Silence the 1003 alerts + + + + 1002 
+ myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net + Broken pipe in _clamav_scan_via_daemon + Not a security issue + + + + 1002 + ^drupal|wcc + SMTP error: Could not authenticate + Not a security issue + + + + 1002 + swift-app1.codeenigma.net + ^drupal|wcc + Lost connection to MySQL server during query + MySQL crash or slow queries need optimising + + + + 1002 + wt-stage2.codeenigma.net + ^drupal + Revert + False positive + + + + 31421 + ^php + Call to undefined function apc_clear_cache + False positive + + + + 1002 + Failed opening + Buggy code + + + + 1002 + ^drupal + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net + occurred when trying to fetch + stage_file_proxy error + + + + 1002 + ^dnsmasq + monitor3.codeenigma.net + Operation not permitted + caused by someone in the VPN + + + + 1002 + ^drupal + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net + Error fetching data from + 3rd party service + + + + 1002 + ^drupal + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net + Unknown error + Noise + + + + 1002 + airmic-app2.codeenigma.net + link.vars.php + Noise + + + + 1002 + ^drupal + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + Connection refused + Noise + + + + 1002 + airmic-app2.codeenigma.net + Duplicate entry + Noise + + + + 1002 + ^drupal + redactive-dev2.codeenigma.net + Connection refused + Noise + + + + 1002 + wt-app3.codeenigma.net|wt-app4.codeenigma.net + Do_not_worry_about_it + Noise + + + + 1002 + ^rrdcached + monitor3.codeenigma.net + found extra data on update argument + Bug in rrdcached + + + + 1002 + ^rrdcached + monitor3.codeenigma.net + failed with status + Bug in rrdcached + + + + 1002 + nycc-app3.codeenigma.net + 
libssh2.so + php bug + + + + 1002 + ^drupal + myscience-dev3.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app6.codeenigma.net + API call to + Ignore Stem API errors + + + + 1002 + ^drupal + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app6.codeenigma.net + User account creation error + Ignore Stem API errors + + + + 1002 + ^drupal + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app6.codeenigma.net + Wrong return data for + Ignore Stem API errors + + + + 1002,1003 + ^drupal + myscience-dev3.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app6.codeenigma.net + Base table or view not found + Ignore Stem errors + + + + 1002,1003 + ^drupal + myscience-dev3.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app6.codeenigma.net + Error creating/updating Achiever contact + Ignore Stem errors + + + + 1002 + hlt-app1.codeenigma.net + Validation with key + Ignore SimpleSAML errors + + + + 1002 + airmic-app2.codeenigma.net + Cannot redeclare class + PHP site bug + + + + 1002 + redactive-app3.codeenigma.net + Error opening socket + false positives + + + + 1002 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + Login denied from + noisy alert + + + + drupal + Potentially unsafe keys + Potentially unsafe keys found in request parameters + + + + 1002 + AcquiaSearchService + Noisy solr bug + + + + 1002 + govwales-ldn-dev2.codeenigma.net + doc.rtl + Noisy site bug + + + + 1002 + ^drupal + Unknown error + Drupal noise + + + + 1002 + ^CRON + Cron error + Epiqo cronjob noise + + + + 1002 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net|govwales-ldn-app6.codeenigma.net + The resource owner or authorization server denied the request + Noisy + + + + 1002 + SimpleSAML_Error|NOSTATE|UNHANDLEDEXCEPTION + Noise + + + + 1002 + ^drupal 
+ HTTPRedirect + Noise + + + + 1002,1003 + Headers already sent + buggy code + + + + 1002 + access-denied|ShowErrors|failedattempt|User_error|AH00036|AH02032|display_errors|valid-user|RequireAny|FailedURI|user_refused|i2cerrors|aspxerrorpath|No such file or directory|trial-and-error|AH01991|AH00687|Failure.ppt|advagg|fatal-fire|failure.jpg|on_error|judging-our-errors|20fail|locationError|permissiondenied|AH01996|SSL23_GET_CLIENT_HELLO|supermarket-refused|moodle_exception|ERROR_CONTACT_SUPPRESSED|failed=1|_refused|errors-|error-404|error_|-error|98failure|error.png|fatale|_error + normal 403s + + + + 1002,1003 + fci-dev2.codeenigma.net + ^cricknet + Unable to get a data value + buggy code + + + + 1002 + ^ovpn + TLS key negotiation failed|TLS handshake failed + port-scanning VPN servers is noisy + + + + 1002 + ^drupal + wt-app3.codeenigma.net|wt-app4.codeenigma.net + Failed to push json to s3 + Site bug + + + + 1002 + ^drupal + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app4.codeenigma.net + Call to a member function getCompanyNo + Noisy site bug + + + + 1002 + ^cron-nsfailover + Operation not permitted + Noisy stretch alert + + + + 1002 + ^agent + jmxfetch + Noisy alert + + + + 1002 + ^drupal + Queue size + Noisy Drupal alert + + + + 1002 + ^puppet-agent + Composer + Noisy Puppet alert + + + + 1002 + ^dockerd + cgroup path for memory not found + Noisy Docker alert + + + + 1002 + ^puppet-agent + ffaker + Noisy alert + + + + 1002 + myscience-dev3.codeenigma.net|myscience-dev4.codeenigma.net|myscience-dev5.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app5.codeenigma.net|myscience-app6.codeenigma.net + Argument 1 passed to + Noisy alert + + + + 1002 + ^drupal + Could not connect to Mailchimp + Noisy alert + + + + 5501,5502 + 
git2.codeenigma.net|jenkins2.codeenigma.net|iaea-utilities2.codeenigma.net|govwales-utility2.codeenigma.net|nycc-utility2.codeenigma.net|myscience-utility1.codeenigma.net|airmic-utility2.codeenigma.net + ^sshd + for user git + Noisy alert + + + + 5715 + git2.codeenigma.net|jenkins2.codeenigma.net|iaea-utilities2.codeenigma.net|govwales-utility2.codeenigma.net|nycc-utility2.codeenigma.net|myscience-utility1.codeenigma.net|airmic-utility2.codeenigma.net + ^sshd + Accepted publickey for git + Noisy alert + + + + 1002,1003 + govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net + ShieldMiddleware + Noisy alert + + + + 1002 + myscience-dev3.codeenigma.net|myscience-dev4.codeenigma.net|myscience-dev5.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app5.codeenigma.net|myscience-app6.codeenigma.net + Problem processing JSON + Noisy alert + + + + 1002 + ^awslogs + is not running + Noisy alert + + + + 1002 + ^amazon-ssm-agent + AccessDeniedException|Failed|error + Noisy alert + + + + + + + + + + drupal + Drupal + Drupal syslog message + + + + 104110,1002 + Login attempt failed + Drupal failed login! + + + + 104120 + + Login attempt failed for admin. + Drupal failed attempt to log in as admin! + + + + 104120 + Possible Drupal brute force attack + (high number of logins). + + + + + 104110 + Illegal choice + Drupal possible input injection (XSS/XSRF) attack! + + + + 104110,1002 + Access denied + Drupal access denied error (permissions rejected). + + + + 104150 + admin/ + Drupal access denied to admin screen. 
+ + + + + + + + + + 31122 + GET /sites/default/files/styles + Unable to generate derived image in Drupal - ignored + + + + 1002 + markets-and-market-failure + False positive due to name of URL + + + + 31151 + iepngfix.htc + Missing image on thorogood site + + + + 31151,31115 + flashtalking/ftlocal.html + Broken ads on revisionworld.co.uk + + + + 31122 + POST /node/add/study_calendar + Broken app on revisionworld.co.uk + + + + 31151 + Preloader10.swf + Broken app on revisionworld.co.uk + + + + 31151,31115 + DARTIframe + Broken app on revisionworld.co.uk + + + + 31151 + wmode=transparent + Broken app on revisionworld.co.uk + + + + 1003 + GET /production/catalog + Puppet check-ins create a large syslog message, ignore it + + + + 1003 + GET /stage/catalog + Puppet check-ins create a large syslog message, ignore it + + + + 1003 + GET /dev/catalog + Puppet check-ins create a large syslog message, ignore it + + + + 31122 + 500 5 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) + Googlebot 500 errors (on GCL site) + + + + 1002 + LookupIdVisitor + EC Asia errors seen in nginx log + + + + 1003 + GET /issues/context_menu + Large redmine apache access logs + + + + 1003 + GET /projects/gcl + Large redmine apache access logs + + + + 31151 + FlipboardProxy + FlipboardProxy logs 499 error code particularly on GCL + + + + 31153 + trusted-sources + googlebot going bananas on paginated parts of the variantperception site + + + + 31151 + atlas_js_shared.js + Missing javascript file triggering 404 active response + + + + 31122 + GET /en/sites/default/files/styles + imagecache from bots on codeenigma site + + + + 31122 + GET /fr/sites/default/files/styles + imagecache from bots on codeenigma site + + + + 31122 + "POST /user/register HTTP/1.1" 500 5 "http://www.gambling + bots on GCL site + + + + 31152 + enigma3.codeenigma.net + web-accesslog + photos-for-sale + Strange Thorogood URLs interpreted as SQL injection attacks + + + + 31123 + 
/var/log/nginx/access-support.prod.log + web-accesslog + "GET / HTTP/1.1" 503 + Googlebot hitting a site that is offline + + + + 31123 + /var/log/nginx/access-the-planner.prod.log + web-accesslog + HTTP/1.1" 503 + Site is in maintenance mode + + + + 31122 + /var/log/nginx/access-spring.log + web-accesslog + 500 + Internal server error on this site + + + + 31151 + web-accesslog + GET /sites/default/files/styles + Common location for 403 or 401 codes on Drupal imagecache + + + + 31122 + web-accesslog + ++++++++++++++++++++++++++++Result + Spambots + + + + 31151 + web-accesslog + /var/log/nginx/access-sm.prod.log + feed + RSS crawling bot + no_email_alert + + + + + + 31151 + web-accesslog + /var/log/nginx/access-sm.prod.log + getresource.axd + Broken ad 404ing probably trips OSSEC and user access + + + + 31151 + web-accesslog + /var/log/nginx/access-airmic.prod.log + CRM_Contact_Page + Client doing something with ajax in civicrm that throws spurious 499 codes + + + + 31151 + web-accesslog + /var/log/nginx/access-airmic.prod.log + boost-gzip-cookie-test.html + Client doing something with ajax in civicrm that throws spurious 499 codes + + + + 31151 + /var/log/apache2/access-tcs-intranet.log + itok + Requesting various assets seems to result in a 403 at least temporarily, trips OSSEC and likely blocks users + + + + 1002 + wt-app3.codeenigma.net|wt-app4.codeenigma.net + admanmedia + Residual 404s on WT due to re-used IP on loadbalancer from a previous customer + + + + 31151 + /var/log/nginx/access-bigpicture.prod.log + eot + 404s on Big Picture site + + + + 31151 + /var/log/nginx/access-bigpicture.prod.log + fast_facts/json/all + 403s on Big Picture site + + + + 31101 + Microsoft Office Protocol Discovery + Probably an OPTIONS request from Microsoft Office Protocol Discovery user-agent + + + + 31151 + wt-app3.codeenigma.net|wt-app4.codeenigma.net + admanmedia + Residual 404s on WT due to re-used IP on loadbalancer from a previous customer + + + + 31153 + 
wt-app3.codeenigma.net|wt-app4.codeenigma.net + admanmedia + Residual 404s on WT due to re-used IP on loadbalancer from a previous customer + + + + 31122 + /var/log/nginx/access-sm.prod.log + HTTP/1.1" 500 + 500s on Supply Management site + + + + 1002 + wt-app3.codeenigma.net|wt-app4.codeenigma.net + message-24-error.png + harmless jpeg + + + + 31151 + /var/log/nginx/access.org.log|/var/log/nginx/access-actionaid.org.log + aaidonazione/confirmDonation.do?codeTransaction + 404s every 30 min or so on ActionAid from Italy to some donation page + + + + 31151 + OPTIONS /system + Microsoft silliness + + + + 31151,31122 + PROPFIND /system + Microsoft silliness + + + + 31151 + chsoc-app2.codeenigma.net + /user/login/sso + SSO component on CHSOC sites + + + + 31151 + chsoc-app2.codeenigma.net + OPTIONS + Misbehaving browsers on chsoc + + + + 1002 + Method has been changed to GET + Ignore broken links in linkchecker module reporting to watchdog + + + + 31101 + web-accesslog + /bin/bash + Shellshock attempt + + + + 31101 + redactive-app3.codeenigma.net + web-accesslog + bkg-header.png + 404s + + + + 31101 + /var/log/nginx/access-ecg.log + web-accesslog + medmastery.com + 403s + + + + 31101 + /var/log/nginx/access-ecg.log + web-accesslog + course + 403s + + + + 1003 + gclid + Ignore large weblog with big Referer (google ad?) + + + + 31101 + redactive-app3.codeenigma.net + web-accesslog + GET /news-feed.rss + ignore 404 + + + + 31101 + redactive-app3.codeenigma.net + web-accesslog + GET /newsrss.rss + ignore 404 + + + + 31530,31108 + ] "POST \S+.php\.+HTTP/1.\." 
200 + POST request to a file ending in .php extension + + + + 31530,31108 + ] "POST \S+.html + POST request to a file ending in .html extension + no_email_alert + + + + 31122 + redactive-app3.codeenigma.net + \\x + 500 errors with strange characters in the URLs, seems to recur on occasion + + + + 101100,1002 + jstats|kibana|geocoding + Stats + + + + 101100 + statistics.php + Stats + + + + 101100 + wp-admin + Normal Wordpress activity + + + + 31101 + redactive-app3.codeenigma.net + web-accesslog + 85.232.51.149 + GET /opinion/header + 404s + + + + 31122,1002 + /var/log/nginx/access-mapmeo.log|/var/log/nginx/access-www.meinestelle.de.log|/var/log/nginx/access-empla.log|/var/log/nginx/access-unicum.log + hybridauth + Broken Epiqo app + + + + 1002,1003,31123 + terror|bad|attack|error.asp|errordetail1|Error.aspx|error.svg|planning-error|failures|error500|failed_uli|channelling-failure|Error%20|-failure|-failed|-illegal|search-error|failure- + The word terror is not considered a hacking attack + + + + 101100 + redactive-app3.codeenigma.net|redactive-dev2.codeenigma.net + emit.php + Stats + + + + 31101 + redactive-dev2.codeenigma.net|redactive-app3.codeenigma.net + web-accesslog + feed + ignore 404 + + + + 30101 + /var/log/apache2/error.log + server reached MaxClients setting, consider raising the MaxClients setting + MaxClients threshold reached + + + + 31122 + /var/log/nginx/access-revisionworld.log + Buggy revisionworld + + + + /var/log/nginx/access-scambs-drupal.prod.log + POST /user + no_email_alert + Ignore user post + + + + 101131 + Possible Drupal brute force attack + (high number of requests to /user). 
+ no_email_alert + + + + 1002 + /var/log/nginx/access-actionaid.org.log + abad|ebad + Ignore URL + + + + 101100 + jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net + machform + Machform is OK to POST to + + + + 31122 + jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net + piwik.php + Piwik broken or not installed + + + + 1003 + search.yahoo.com + Big referer + + + + 101055 + OPTIONS + OPTIONS request from Microsoft Office Protocol Discovery user-agent + + + + 101100 + airmic-app2.codeenigma.net|enigma3.codeenigma.net + xmlrpc + POST to apparently OK script + + + + 1003 + jsredir + Noisy Yandex + + + + 1002 + /misc/message-24-error.png + false positive word + + + + 31533 + POST /batch? + Normal to see high rate of POSTs to batch pages in Drupal + + + + 31122 + wt-app3.codeenigma.net|wt-app4.codeenigma.net + mwt_republish/nojs + Buggy code + + + + 31151 + /var/log/nginx/access-corporate.prod.log + Ignore 404s on newly launched site for now + + + + 101100 + jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net + limesurvey + Normal POST request + + + + 1002 + /var/log/apache2/error-iaea.master.log + from remote server + Bugs with IAEA remote legacy app + + + + 1003 + /var/log/nginx/access-unitedway.log + job_geo_location + Large nginx log messages + + + + 31161 + swift-app1.codeenigma.net + sites/revisionworld.com/files + Deliberate 501 code on revisionworld.com + + + + 1002 + wt-app3.codeenigma.net|wt-app4.codeenigma.net + mwt-republish-img + Noisy referer + + + + 31533 + /var/log/nginx/access-stem.prod.log + js/shs/json + Normal high rate of POSTs to Stem site + + + + 31122 + /var/log/nginx/access-stem.prod.log + system/ajax + Buggy site + + + + 101100 + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net + ^drupal + idp + Big IDP request + + + + 1002,1003 + 
redactive-dev2.codeenigma.net + ^drupal + 401 Unauthorized + Noisy stage sites + + + + 31151,31101 + /var/log/nginx/access-smartsolutions.prod.log + Ignore 40X in logs on nycc-app1 smartsolution site, there are too many 401s/404s due to site rebuild + + + + 101100 + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net + drupalauth + SAML auth + + + + 31151,31152,31153,31154 + OpenVAS + 127.0.0.1 + no_email_alert + Too noisy + + + + 1003 + myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net + SSOService.php + SAML auth + + + + 1002 + /var/log/nginx/access-govwalesd7.master.log + care-and-support-business-failure-wales-regulations-2015-and-care-and-support + False positive + + + + 1002 + /var/log/nginx/access-sono.log + abdominal + False positive + + + + 31533 + /var/log/nginx/access-bookworks.log + publishing + Frequent high rate of POSTs + + + + 31122 + /var/log/nginx/access-hosting-dashboard.prod.log + StatusCake + bad deploy + + + + 31123 + /var/log/nginx/access-ai.prod.log|/var/log/apache2/access-cwh.prod.log + web-accesslog + maint mode + + + + 31123 + /var/log/nginx/access-stem.amb_dev.log + web-accesslog + maint mode + + + + 31101,31151 + web-accesslog + /var/log/nginx/access-recruiter.prod.log + rss + RSS crawling bot + no_email_alert + + + + 31101,31151 + web-accesslog + /var/log/nginx/access-recruiter.prod.log + national-news.xml + RSS crawling bot + no_email_alert + + + + 31101,31151 + web-accesslog + /var/log/nginx/access-thorogood.prod.log + leaflet + Buggy + + + + 31122 + web-accesslog + /var/log/apache2/access-festival_micro.prod.log + Buggy + + + + 31101,31151 + web-accesslog + /var/log/nginx/access-wcc.ce-prod.log + panels|planning|guide + Buggy + + + + 31122 + web-accesslog + /var/log/nginx/access-bookworks.log + imagecache + Meh + + + + 31533 + /var/log/nginx/access-rcm.prod.log + POST /cas/login + Normal to see 
high rate of POSTs to /cas/login pages + + + + 31122 + /var/log/nginx/access-hosting-dashboard.prod.log + favicon.png + Buggy code + + + + 31533 + /var/log/nginx/access-stem.prod.log + POST /plupload-handle-uploads + Normal to see high rate of POSTs to /plupload-handle-uploads pages + + + + 31123 + /var/log/nginx/access-hav-j150709.prod.log|/var/log/nginx/access-pri-j150281.prod.log + web-accesslog + site offline + + + + 1002 + /var/log/nginx/access-the-planner.prod.log + failure|error|refused|denied|illegal + false positive + + + + 1002 + message-16-error.png + false positive in omega theme + + + + 1002,31122 + /var/log/nginx/access-mapmeo.log + jserror + false positive + + + + 31122 + /var/log/apache2/access-cwh.prod.log + major-works + site bug + + + + 101100 + enigma3.codeenigma.net + wp-cron.php + Wordpress + + + + 31151 + Jorgee + no_email_alert + Noisy scanner + + + + 31122,1002 + /var/log/nginx/access-unicum.log + inhalt + False positive + + + + 31122,1002 + /var/log/nginx/access-platform-prod.log + api + Noise I cannot do anything about + + + + 31122,1002 + /var/log/nginx/access-rcm.prod.log + print|news-views-and-analysis|rss + Noise I cannot do anything about + + + + 31122,1002 + /var/log/nginx/access-platform-prod.log + platform + Noise I cannot do anything about + + + + 31151,31101 + /var/log/nginx/access-platform-prod.log + Ignore 40X on STEM platform + + + + 31123 + /var/log/nginx/access-actionaid.org.log|/var/log/nginx/access.org.log + Ignore 503s on AAI (bots being rate-limited) + + + + 31122,1002 + /var/log/nginx/access-ecgstage.log + chargebee + bug on ECG stage site + + + + 1002 + /var/log/nginx/access-govwalesd8.master.log + common-errors + false positive + + + + 1002 + /var/log/nginx/access-cambridge.gov.uk.prod.log + BuildFailureDetector + False positive + + + + 31108,31101 + 23value|23default_value|23markup|element_parents=%23 + web-accesslog + RCE attempt maybe + no_email_alert + + + + 31122 + /var/log/apache2/access-rcm.prod.log + rss.xml 
+ Site bug + + + + 31122 + myscience-dev4.codeenigma.net + Site bug + + + + 31122 + /var/log/nginx/access-jpoesen.com.log + web-accesslog + comment/reply + Internal server error on this site + + + + 31122 + /var/log/apache2/access-iaea.master.log|/var/log/apache2/access-iaea.drupal-direct.log + Buggy site + + + + 1002 + client denied by server configuration + 403d response + no_email_alert + + + + 1002 + 2fa.codeenigma.net + wsgi:error + Bugs in LinOTP + + + + 31530 + /var/log/nginx/access-corporate.prod.log + general-enquiry + Possible spamming of WT corporate contact form + + + + + 1002 + access-denied|ShowErrors|failedattempt|User_error|AH00036|AH02032|display_errors|valid-user|RequireAny|FailedURI|user_refused|i2cerrors|aspxerrorpath|No such file or directory|trial-and-error|AH01991|AH00687|AH01276|Failure.ppt|advagg|fatal-fire|failure.jpg|on_error|judging-our-errors|20fail|locationError|permissiondenied|AH01996|SSL23_GET_CLIENT_HELLO|supermarket-refused|moodle_exception|ERROR_CONTACT_SUPPRESSED|failed=1|_refused|errors-|error-404|error_|-error|98failure|error.png|fatale|_error + normal 403s + + + + /var/log/apache2/access-cwh.prod.log + Ignore 404s on cwh for now to avoid blocking users being proxied from HAproxy + + + + /var/log/apache2/access-wcc.ce-prod.log + 31101,31151,1002 + fa-solid-900 + Ignore missing font files on new WCC site + + + + 101100 + /var/log/nginx/access-wcc.ce-prod.log|/var/log/nginx/access-johnthorogood.prod.log + wp-login.php + False positive + + + + 31101,31151,1002 + /var/log/nginx/access-tephinet.master.log|/var/log/nginx/access-tephinet.staging.log + GET /sites/tephinet/files/styles + Ignore missing style files on Mantaray Tephinet site + + + + 31151,31101 + wt-stage2.codeenigma.net + Ignore 40X in logs on wt-stage2, there are too many 401s/404s due to misbehaving apps + + + + + + + + + 31120 + ^502 + Web server 502 error code (Bad gateway). 
+ + + + 31124 + /var/log/nginx/access-actelion.log + web-accesslog + Ignore 502s that we can't be responsible for (legacy sites) + + + + 31123 + /var/log/nginx/access-nycc.prod.log + Strange 503s + + + + + + + 521 + scantem + Whitelist alerts containing 'scantem' in the title. + no_full_log + + + From 4df8e0b418005a2715f8db4a8a30902ac4edefea Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Fri, 18 Oct 2024 12:18:49 +0200 Subject: [PATCH 243/331] Updating-gitlab-runner-env (#2031) --- roles/debian/gitlab_runner/templates/override.conf.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/debian/gitlab_runner/templates/override.conf.j2 b/roles/debian/gitlab_runner/templates/override.conf.j2 index c28213f43..c4c775909 100644 --- a/roles/debian/gitlab_runner/templates/override.conf.j2 +++ b/roles/debian/gitlab_runner/templates/override.conf.j2 @@ -1,3 +1,4 @@ [Service] ExecStart= -ExecStart=/usr/bin/gitlab-runner "run" "--working-directory" "{{ gitlab_runner.runner_workingdir }}" "--config" "{{ gitlab_runner.runner_config }}" "--service" "gitlab-runner" "--user" "{{ gitlab_runner.username }}" +ExecStart=/usr/bin/gitlab-runner "run" "--working-directory" "{{ gitlab_runner.runner_workingdir }}" "--config" "{{ gitlab_runner.runner_config }}" "--service" "gitlab-runner" "--user" "{{ gitlab_runner.username }}" +Environment="HOME=/home/gitlab-runner" From f4a2eb1960f9212d2b4c23395dcca63d5e879ed4 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Mon, 21 Oct 2024 12:19:08 +0100 Subject: [PATCH 244/331] r70987-decom-vpn-guest (#2034) --- roles/aws/aws_acl/defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index c9be777d3..73bf1ad91 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml 
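Review bot: several of these suppressions match on very short generic strings (`api`, `platform`, `feed`, `rss`, `OPTIONS`, `terror|bad|attack|...`) and, where no log path or hostname is paired with them, they silence every alert of the listed parent rule whose log line contains that substring, not only the noise the description names. The entries that carry a path such as `/var/log/nginx/access-platform-prod.log` are scoped; `Method has been changed to GET`, `OPTIONS /system` and the `terror|bad|attack|error.asp|...` list are global and should get the same hostname or location scoping. Also reconsider `23value|23default_value|23markup|element_parents=%23` described as "RCE attempt maybe" with `no_email_alert`: if the rule is meant to flag a suspected RCE probe, suppressing the e-mail defeats it, and if it is meant to silence the pattern, the description should say why it is safe.

Review bot: `Environment="HOME=/home/gitlab-runner"` hard-codes the home directory while the service user two lines above is templated as `{{ gitlab_runner.username }}`; if that variable is ever changed, HOME points at another user's (or a non-existent) directory and git, docker and other tools will write their credentials and config there. Use `Environment="HOME=/home/{{ gitlab_runner.username }}"` or a dedicated `gitlab_runner.home` variable. The `ExecStart=` line is removed and re-added but reads identically here, so it appears to be a whitespace-only change that can be dropped from the diff.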
@@ -18,7 +18,6 @@ aws_acl: list: - 3.11.82.252/32 # main VPN - 159.100.242.248/32 # backup VPN, bastion2 - - 3.8.9.162/32 # guest VPN country_codes: - name: "allowed-countries" action: allow From 4091736e38acdc01c40db0eb657a7df7509976bf Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Mon, 21 Oct 2024 16:58:17 +0100 Subject: [PATCH 245/331] r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure --- .../tasks/testing_resources.yml | 2 +- roles/debian/system/README.md | 8 +- roles/debian/system/defaults/main.yml | 1 + roles/debian/system/tasks/main.yml | 121 ++++++++++++++++++ .../debian/system/templates/50-static-init.j2 | 7 + .../99-disable-network-config.cfg.j2 | 2 + .../templates/interfaces-nohetznerdhcp.j2 | 9 ++ 7 files changed, 148 insertions(+), 2 deletions(-) create mode 100644 roles/debian/system/templates/50-static-init.j2 create mode 100644 roles/debian/system/templates/99-disable-network-config.cfg.j2 create mode 100644 roles/debian/system/templates/interfaces-nohetznerdhcp.j2 diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml index 99e2cc425..085f6ba75 100644 --- a/roles/aws/aws_backup_validation/tasks/testing_resources.yml +++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml @@ -26,7 +26,7 @@ amazon.aws.ec2_vpc_subnet_info: region: "{{ _aws_region }}" filters: - vpc-id: "{{ _main_vpc_info.vpcs[0].vpc_id}}" + vpc-id: "{{ _main_vpc_info.vpcs[0].vpc_id }}" register: _main_subnets_info - name: Create SG for restored instances. diff --git a/roles/debian/system/README.md b/roles/debian/system/README.md index 7a7f31327..b2c326095 100644 --- a/roles/debian/system/README.md +++ b/roles/debian/system/README.md 
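Review bot: dropping the decommissioned `3.8.9.162/32 # guest VPN` entry from the ACL allow list is the right hygiene; complete the decommission by checking the other places the same address may be allow-listed (security-group or firewall defaults, the role README), and since this is a defaults file, confirm that any host or group vars overriding `aws_acl` are updated too, otherwise the address stays allowed there.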
@@ -1,5 +1,10 @@ # System This role provides a means of applying system variables to servers. +Currently, the following entities can be managed with the role: + +- Force IPv4 (noipv6) +- Force Static IP configuration for Hetzner Cloud systems (nohetznerdhcp) + @@ -9,8 +14,9 @@ This role provides a means of applying system variables to servers. --- system: noipv6: false + nohetznerchdp: false ``` -~~~ + diff --git a/roles/debian/system/defaults/main.yml b/roles/debian/system/defaults/main.yml index e7b5bd20c..9dbc2975f 100644 --- a/roles/debian/system/defaults/main.yml +++ b/roles/debian/system/defaults/main.yml @@ -1,3 +1,4 @@ --- system: noipv6: false + nohetznerdhcp: false diff --git a/roles/debian/system/tasks/main.yml b/roles/debian/system/tasks/main.yml index 46fdfc10e..c534306d7 100644 --- a/roles/debian/system/tasks/main.yml +++ b/roles/debian/system/tasks/main.yml 
@@ -10,3 +10,124 @@ name: net.ipv6.conf.all.disable_ipv6 value: "1" when: system.noipv6 + +- name: Install dmidecode. + ansible.builtin.apt: + pkg: dmidecode + state: present + when: + - system.nohetznerdhcp + +- name: Check if the system is a Hetzner Cloud server. + ansible.builtin.shell: | + set -o pipefail + dmidecode | awk '/System Information/{getline;print;getline;print}' | sed 's/[^,:]*://g' | sed 's/^ //g' | tr '\n' ' ' | grep -q "Hetzner vServer" + args: + executable: /bin/bash + register: hetznercloudcheck + failed_when: false + when: + - system.nohetznerdhcp + +- name: Print if Hetzner Cloud server is detected. + debug: + msg: "This is a Hetzner Cloud server" + when: hetznercloudcheck.rc == 0 + +- name: Install dhcpcd. + ansible.builtin.apt: + pkg: dhcpcd5 + state: present + when: + - system.nohetznerdhcp + - hetznercloudcheck.rc == 0 + +- name: Get default NIC. + ansible.builtin.shell: | + set -o pipefail + ifacecol=$(route | awk -v b="Iface" '{for (i=1;i<=NF;i++) { if ($i == b) { print i } }}') + route | awk -v ifacecol="$ifacecol" '$1 == "default" {print $ifacecol}' + register: dhcpdefaultnic + when: + - system.nohetznerdhcp + - hetznercloudcheck.rc == 0 + +- name: Get IP from DHCP server. + ansible.builtin.shell: | + set -o pipefail + dhcpcd -T {{ dhcpdefaultnic.stdout }} 2>&1 | grep -oP 'new_ip_address=\K\S+' | sed "s/'//g" + register: dhcpipaddressoffer + when: + - system.nohetznerdhcp + - hetznercloudcheck.rc == 0 + +- name: Get Netmask from DHCP server. + ansible.builtin.shell: | + set -o pipefail + dhcpcd -T {{ dhcpdefaultnic.stdout }} 2>&1 | grep -oP 'new_subnet_mask=\K\S+' | sed "s/'//g" + register: dhcpnetmaskoffer + when: + - system.nohetznerdhcp + - hetznercloudcheck.rc == 0 + +- name: Get GATEWAY from DHCP server. 
+ ansible.builtin.shell: | + set -o pipefail + dhcpcd -T {{ dhcpdefaultnic.stdout }} 2>&1 | grep -oP 'new_routers=\K\S+' | sed "s/'//g" + register: dhcpgatewayoffer + when: + - system.nohetznerdhcp + - hetznercloudcheck.rc == 0 + +- name: Get DNS servers from DHCP server. + ansible.builtin.shell: | + set -o pipefail + dhcpcd -T {{ dhcpdefaultnic.stdout }} 2>&1 | grep -P 'new_domain_name_servers=\K\S+' | sed "s/new_domain_name_servers=//g" | sed "s/'//g" + register: dhcpnameserversoffer + when: + - system.nohetznerdhcp + - hetznercloudcheck.rc == 0 + +- name: Copy No-DHCP Network Interfaces config. + ansible.builtin.template: + src: "interfaces-nohetznerdhcp.j2" + dest: "/etc/network/interfaces" + owner: root + group: root + mode: 0644 + force: true + when: + - system.nohetznerdhcp + - hetznercloudcheck.rc == 0 + +- name: Delete Cloud Init script. + ansible.builtin.file: + path: /etc/network/interfaces.d/50-cloud-init + state: absent + when: + - system.nohetznerdhcp + - hetznercloudcheck.rc == 0 + +- name: Copy No-DHCP Network Interfaces include config. + ansible.builtin.template: + src: "50-static-init.j2" + dest: "/etc/network/interfaces.d/50-static-init" + owner: root + group: root + mode: 0644 + force: true + when: + - system.nohetznerdhcp + - hetznercloudcheck.rc == 0 + +- name: Copy disable cloud init config. + ansible.builtin.template: + src: "99-disable-network-config.cfg.j2" + dest: "/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg" + owner: root + group: root + mode: 0644 + force: true + when: + - system.nohetznerdhcp + - hetznercloudcheck.rc == 0 diff --git a/roles/debian/system/templates/50-static-init.j2 b/roles/debian/system/templates/50-static-init.j2 new file mode 100644 index 000000000..2e286641e --- /dev/null +++ b/roles/debian/system/templates/50-static-init.j2 
@@ -0,0 +1,7 @@ +auto {{ system.dhcpdefaultnic.stdout }} +iface {{ system.dhcpdefaultnic.stdout }} inet static + address {{ system.dhcpipaddressoffer.stdout }} + netmask {{ system.dhcpnetmaskoffer.stdout }} + gateway {{ system.dhcpgatewayoffer.stdout }} + pointopoint {{ system.dhcpgatewayoffer.stdout }} + dns-nameservers {{ system.dhcpnameserversoffer.stdout }} diff --git a/roles/debian/system/templates/99-disable-network-config.cfg.j2 b/roles/debian/system/templates/99-disable-network-config.cfg.j2 new file mode 100644 index 000000000..c4b7a56a6 --- /dev/null +++ b/roles/debian/system/templates/99-disable-network-config.cfg.j2 @@ -0,0 +1,2 @@ +network: + config: disabled diff --git a/roles/debian/system/templates/interfaces-nohetznerdhcp.j2 b/roles/debian/system/templates/interfaces-nohetznerdhcp.j2 new file mode 100644 index 000000000..388f1c5f1 --- /dev/null +++ b/roles/debian/system/templates/interfaces-nohetznerdhcp.j2 @@ -0,0 +1,9 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5) + +# Include files from /etc/network/interfaces.d: +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback From 62e947d646aa31fc0f32241d7ed0ff86c3c6fe95 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Mon, 21 Oct 2024 17:22:20 +0100 Subject: [PATCH 246/331] fix pipefail with bash (#2038) --- roles/debian/system/tasks/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/debian/system/tasks/main.yml b/roles/debian/system/tasks/main.yml index c534306d7..6a8e3488e 100644 --- a/roles/debian/system/tasks/main.yml +++ b/roles/debian/system/tasks/main.yml 
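Review bot: the `vpc_id }}` spacing fix in `roles/aws/aws_backup_validation/tasks/testing_resources.yml` is unrelated to the nodhcp feature; fine to land, but it belongs in its own commit so this PR stays reviewable.

Review bot: the README example shows `nohetznerchdp: false` while `defaults/main.yml` adds `nohetznerdhcp: false`; the README key is misspelled, and anyone copying it gets a variable the tasks never read. The README should also state that the static configuration written to `/etc/network/interfaces.d/50-static-init` only takes effect at the next networking restart or reboot, since no handler is notified.

Review bot: `Print if Hetzner Cloud server is detected.` is guarded only by `hetznercloudcheck.rc == 0`; when `system.nohetznerdhcp` is false the check task is skipped, the registered result has no `rc`, and this task fails the play with an undefined-attribute error, so add `system.nohetznerdhcp` to its `when` (the later tasks survive only because the list condition short-circuits on the first false item). `route` comes from net-tools, which is not part of a default Debian install, so `Get default NIC` can fail with command not found; `ip -o route show default | awk '{print $5}'` needs no package and no column search. The four `dhcpcd -T` greps feed the interface template unchecked: if the offer is not captured, `stdout` is empty and the rendered static stanza has no address or gateway, leaving the host unreachable at next boot; assert each registered `stdout | length > 0` before the template tasks. Installing `dhcpcd5` may also enable `dhcpcd.service`, which would then manage the interface alongside ifupdown; disable it after the probe. The shell tasks report changed on every run, so add `changed_when: false`, and `debug:` should be `ansible.builtin.debug:` like the other modules.

Review bot: the template reads `system.dhcpdefaultnic.stdout`, `system.dhcpipaddressoffer.stdout` and so on, but the tasks register these as top-level variables (`register: dhcpdefaultnic`), not under `system`, so rendering fails with an undefined variable; drop the `system.` prefix.

Review bot: `interfaces-nohetznerdhcp.j2` contains no Jinja expressions; a static file under `files/` copied with `ansible.builtin.copy` makes the intent clearer than a template.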
@@ -47,6 +47,8 @@ set -o pipefail ifacecol=$(route | awk -v b="Iface" '{for (i=1;i<=NF;i++) { if ($i == b) { print i } }}') route | awk -v ifacecol="$ifacecol" '$1 == "default" {print $ifacecol}' + args: + executable: /bin/bash register: dhcpdefaultnic when: - system.nohetznerdhcp @@ -56,6 +58,8 @@ ansible.builtin.shell: | set -o pipefail dhcpcd -T {{ dhcpdefaultnic.stdout }} 2>&1 | grep -oP 'new_ip_address=\K\S+' | sed "s/'//g" + args: + executable: /bin/bash register: dhcpipaddressoffer when: - system.nohetznerdhcp @@ -65,6 +69,8 @@ ansible.builtin.shell: | set -o pipefail dhcpcd -T {{ dhcpdefaultnic.stdout }} 2>&1 | grep -oP 'new_subnet_mask=\K\S+' | sed "s/'//g" + args: + executable: /bin/bash register: dhcpnetmaskoffer when: - system.nohetznerdhcp @@ -74,6 +80,8 @@ ansible.builtin.shell: | set -o pipefail dhcpcd -T {{ dhcpdefaultnic.stdout }} 2>&1 | grep -oP 'new_routers=\K\S+' | sed "s/'//g" + args: + executable: /bin/bash register: dhcpgatewayoffer when: - system.nohetznerdhcp @@ -83,6 +91,8 @@ ansible.builtin.shell: | set -o pipefail dhcpcd -T {{ dhcpdefaultnic.stdout }} 2>&1 | grep -P 'new_domain_name_servers=\K\S+' | sed "s/new_domain_name_servers=//g" | sed "s/'//g" + args: + executable: /bin/bash register: dhcpnameserversoffer when: - system.nohetznerdhcp From ecf8d4810b63af5b5442fc5cf66dfc4823a86852 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Mon, 21 Oct 2024 17:50:25 +0100 Subject: [PATCH 247/331] fix var in templ (#2040) --- roles/debian/system/templates/50-static-init.j2 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/debian/system/templates/50-static-init.j2 b/roles/debian/system/templates/50-static-init.j2 index 2e286641e..267b50cfe 100644 --- a/roles/debian/system/templates/50-static-init.j2 +++ b/roles/debian/system/templates/50-static-init.j2 
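Review bot: the same `args: executable: /bin/bash` and the same two-line `when` list are now repeated on five consecutive shell tasks; group them in a `block:` with a single `when:`, and pass the interpreter as a module parameter (`ansible.builtin.shell:` with `cmd:` and `executable: /bin/bash`) rather than the legacy `args:` form, so the pipefail fix cannot be missed again when a sixth probe is added.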
@@ -1,7 +1,7 @@ -auto {{ system.dhcpdefaultnic.stdout }} -iface {{ system.dhcpdefaultnic.stdout }} inet static - address {{ system.dhcpipaddressoffer.stdout }} - netmask {{ system.dhcpnetmaskoffer.stdout }} - gateway {{ system.dhcpgatewayoffer.stdout }} - pointopoint {{ system.dhcpgatewayoffer.stdout }} - dns-nameservers {{ system.dhcpnameserversoffer.stdout }} +auto {{ dhcpdefaultnic.stdout }} +iface {{ dhcpdefaultnic.stdout }} inet static + address {{ dhcpipaddressoffer.stdout }} + netmask {{ dhcpnetmaskoffer.stdout }} + gateway {{ dhcpgatewayoffer.stdout }} + pointopoint {{ dhcpgatewayoffer.stdout }} + dns-nameservers {{ dhcpnameserversoffer.stdout }} From 13bf15a292462a27b81ac90f1661a1cbbb289552 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Mon, 28 Oct 2024 14:56:59 +0100 Subject: [PATCH 248/331] R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar --- .../nginx/templates/vhost_letsencrypt.j2 | 8 +++++--- roles/debian/nginx/templates/vhosts.j2 | 5 +++-- roles/debian/ssl/tasks/letsencrypt.yml | 18 ++++++++++++++---- roles/debian/ssl/templates/le_cron.sh.j2 | 16 +++------------- 4 files changed, 25 insertions(+), 22 deletions(-) diff --git a/roles/debian/nginx/templates/vhost_letsencrypt.j2 b/roles/debian/nginx/templates/vhost_letsencrypt.j2 index b3f85d544..342041489 100644 --- a/roles/debian/nginx/templates/vhost_letsencrypt.j2 +++ b/roles/debian/nginx/templates/vhost_letsencrypt.j2 
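Review bot: with the `system.` prefix gone the template matches the registered variable names, and since the template task shares the probes' `when` list the variables are defined whenever it renders. `pointopoint {{ dhcpgatewayoffer.stdout }}` duplicates the `gateway` value and only makes sense for the Hetzner Cloud /32 layout the PR targets; add a comment in the template saying so for whoever next touches it.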
@@ -6,7 +6,9 @@ server { error_log {{ domain.error_log }} {{ domain.error_log_level }}; access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }}; # Proxy for certbot (LetsEncrypt) - location /.well-known/acme-challenge/ { - proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri; - } + {% if domain.ssl.web_server | default('standalone') == 'standalone' %} + location /.well-known/acme-challenge/ { + proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri; + } + {% endif %} } diff --git a/roles/debian/nginx/templates/vhosts.j2 b/roles/debian/nginx/templates/vhosts.j2 index 68f423926..58344539a 100644 --- a/roles/debian/nginx/templates/vhosts.j2 +++ b/roles/debian/nginx/templates/vhosts.j2 @@ -30,14 +30,15 @@ server { include "/etc/nginx/conf.d/{{ domain.project_type }}"; include "/etc/nginx/conf.d/_common"; {% if domain.ssl is defined and domain.ssl.handling == 'letsencrypt' %} -{% if domain.ssl.web_server | default('standalone') == 'standalone' %} + # Proxy for certbot (LetsEncrypt) location ^~/.well-known/acme-challenge/ { auth_basic off; + {% if domain.ssl.web_server | default('standalone') == 'standalone' %} proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri; + {% endif %} } {% endif %} -{% endif %} {% if domain.basic_auth.auth_enabled is defined and domain.basic_auth.auth_enabled %} {% if _profile == 'asg' and domain.is_default is defined and domain.is_default %} diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml index 8d3f26634..ae30d4705 100644 --- a/roles/debian/ssl/tasks/letsencrypt.yml +++ b/roles/debian/ssl/tasks/letsencrypt.yml @@ -59,7 +59,7 @@ python_pip_packages: packages: - name: "certbot-{{ _ssl_web_server }}" - when: _ssl_web_server != "standalone" # there is no certbot-standalone package in PyPi + when: not (_ssl_web_server == "standalone" or _ssl_web_server == "webroot") - name: Define SSL base path. ansible.builtin.set_fact: 
@@ -88,6 +88,10 @@ - not _letsencrypt_cert.stat.exists - _ssl_services | length > 0 +- name: Clean up _letsencrypt_domain_string variable . + ansible.builtin.set_fact: + _letsencrypt_domain_string: "" + - name: Build certificate domains string. ansible.builtin.set_fact: _letsencrypt_domain_string: "{{ _letsencrypt_domain_string | default('') + ' -d ' + certificate_domain }}" @@ -96,10 +100,17 @@ loop_var: certificate_domain when: not _letsencrypt_cert.stat.exists -- name: Register certificate bypassing web server if needed. +- name: Register certificate bypassing web server if needed - standalone. ansible.builtin.command: "{{ _venv_path }}/bin/certbot {{ ssl.certbot_register_command }} --cert-name {{ ssl_facts[_ssl_domains[0]].domain }} --http-01-port {{ ssl.http_01_port }} -m {{ ssl.email }} --{{ _ssl_web_server }}{{ _letsencrypt_domain_string }}" when: - not _letsencrypt_cert.stat.exists + - ssl.web_server == "standalone" + +- name: Register certificate bypassing web server if needed - webroot. + ansible.builtin.command: "{{ _venv_path }}/bin/certbot certonly --webroot -w {{ domain.webroot }} --cert-name {{ ssl_facts[_ssl_domains[0]].domain }} {{ _letsencrypt_domain_string }}" + when: + - not _letsencrypt_cert.stat.exists + - ssl.web_server == "webroot" - name: Restart services. ansible.builtin.service: @@ -112,11 +123,10 @@ - not _letsencrypt_cert.stat.exists - _ssl_services | length > 0 -# Because of the scripted command each SSL implementation needs it's own uniquely named cron script. - name: Create the certbot renewal script. ansible.builtin.template: src: le_cron.sh.j2 - dest: "/usr/local/bin/le_cron_{{ ssl_facts[_ssl_domains[0]].domain | regex_replace('\\.', '_') }}.sh" + dest: "/usr/local/bin/le_cron.sh" owner: root group: root mode: 0755 diff --git a/roles/debian/ssl/templates/le_cron.sh.j2 b/roles/debian/ssl/templates/le_cron.sh.j2 index 71ba6355a..14501b22c 100644 --- a/roles/debian/ssl/templates/le_cron.sh.j2 
+++ b/roles/debian/ssl/templates/le_cron.sh.j2 @@ -17,20 +17,8 @@ send_email_notification() { # Give Nginx more time to stop before certbot sleep 5 -# build bash array of domains -SITES=() -{% for domain in _ssl_domains %} -SITES+=("{{ domain }}") -{% endfor %} - -# turn array into certbot compatible sites string -SITESSTRING="" -for site in ${SITES[@]}; do - SITESSTRING+=" -d $site" -done - # run certbot and capture the output -certbot_output=$( {{ _venv_path }}/bin/certbot {{ ssl.certbot_renew_command }} --{{ _ssl_web_server }} --http-01-port {{ ssl.http_01_port }} --expand$SITESSTRING 2>&1 ) +certbot_output=$( {{ _venv_path }}/bin/certbot renew 2>&1 ) # Capture exit code of Certbot command certbot_exit_code=$? @@ -54,3 +42,5 @@ if [ $certbot_exit_code -ne 0 ]; then $certbot_output" send_email_notification "$recipient" "$subject" "$body" fi + +/usr/sbin/service nginx reload From 6731f915e2a7eddf8005f14da74f1f36564475db Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 29 Oct 2024 15:00:29 +0100 Subject: [PATCH 249/331] Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax --- .../templates/var-ossec-rules-local_rules.xml | 2805 +---------------- 1 file changed, 24 insertions(+), 2781 deletions(-) diff --git a/roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml b/roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml index f9179432a..87f81605d 100644 --- a/roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml +++ b/roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml 
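Review bot: in webroot mode this port-80 vhost no longer has any `location /.well-known/acme-challenge/`, so the challenge files certbot writes under `-w {{ domain.webroot }}` are reachable only if the server's root already is that directory; add `location /.well-known/acme-challenge/ { root {{ domain.webroot }}; }` in an `{% else %}` branch so validation does not depend on the rest of the vhost. The `{% if %}`/`{% endif %}` tags are indented inside the block and leave blank indented lines in the rendered config; left-align them as the removed `{% if %}` in `vhosts.j2` was.

Review bot: moving the standalone check inside the location keeps `auth_basic off;` for both modes, which is right, but in webroot mode the location body is then only `auth_basic off;` and the challenge is served from the server's `root`, so it works only when that root equals the `domain.webroot` passed to certbot; add `root {{ domain.webroot }};` in an `{% else %}` branch.

Review bot: `when: not (_ssl_web_server == "standalone" or _ssl_web_server == "webroot")` reads more clearly as `when: _ssl_web_server not in ['standalone', 'webroot']`, and the removed comment explaining why (no PyPI package for these authenticators) is worth keeping in the new form.

Review bot: the two registration tasks gate on `ssl.web_server` while the pip task above uses `_ssl_web_server`, which carries the `standalone` default; a host that leaves `ssl.web_server` undefined fails here with an undefined variable instead of defaulting, so use `_ssl_web_server` in both `when` lists. The webroot command also drops the `{{ ssl.certbot_register_command }}` and `-m {{ ssl.email }}` that the standalone command keeps and hard-codes `certonly`; without `-m` (or `--register-unsafely-without-email`) and `--non-interactive`, a first registration prompts and hangs under Ansible. `-w {{ domain.webroot }}` refers to `domain`, the nginx vhost loop variable, which is not obviously defined in the ssl role; if the first domain's webroot is intended, take it from `ssl_facts[_ssl_domains[0]]` as `--cert-name` does. The new task title "Clean up _letsencrypt_domain_string variable ." has a stray space before the period.

Review bot: renaming the destination to the fixed `/usr/local/bin/le_cron.sh` leaves every existing host with its old per-domain `le_cron_<domain>.sh` scripts and whatever cron entries invoked them, so two renewal jobs run until they are removed; add a cleanup task for the old scripts and cron entries. The removed comment explained why the per-domain names existed; replace it with one stating that the single script now renews all certificates via `certbot renew`.

Review bot: `certbot renew` renews every certificate on the host using the authenticator recorded in each renewal config, which is what makes the single script possible, but the retained "Give Nginx more time to stop before certbot" / `sleep 5` lines suggest nginx is stopped before this runs for the standalone flow; in webroot mode stopping nginx makes the HTTP-01 challenge unreachable, so the stop/start should move to certbot's `--pre-hook`/`--post-hook` stored with the standalone certificates only.

Review bot: `/usr/sbin/service nginx reload` at the end is unconditional and hard-codes nginx; run it through `certbot renew --deploy-hook` so it fires only when a certificate was actually renewed, and take the service name from `_ssl_web_server` or a role variable in case any host in this role runs Apache instead.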
@@ -1,2783 +1,26 @@ - - + - - - - - - - - - - - - - - - - - 1002 - ^pound - Connection timed out - Pound SSL network event ignored - - - - 1002 - ^pound - Connection reset by peer - Pound SSL network event ignored - - - - 1002 - ^pound - e500 error copy client cont to - Pound SSL network event ignored - - - - 1002 - ^pound - error copy chunk cont - Pound SSL network event ignored - - - - 1002 - ^pound - error copy server cont - Pound SSL network event ignored - - - - 1002 - ^pound - /misc/message-24-error.png - Pound SSL network event ignored - - - - 1002,31421 - Call to undefined function - PHP bugs - - - - 1002 - ^drupal - access denied - Access denied to parts of gcl website - - - - 1002 - ^drupal - Internal server error for link - Broken links on GCL via linkchecker module - - - - 1002 - Illegal choice - Message we cannot do anything about - - - - 1002 - ^drupal - XML_ERR_NAME_REQUIRED - Feed problems on enigma6 eiu-research - - - - 1003 - ^drupal - loginticket_login result on fastlogin_init - Very large syslog messages tripping up OSSC on gcl-app1 - - - - 1003 - ^drupal - Call of SugarCRM function - Very large syslog messages tripping up OSSC on gcl-app1 - - - - 1002 - ^drupal - Login attempt (using the "notifications" login ticket - Failed attempt to login to GCL using notifications tickets - - - - 1002 - ^drupal - mollom.getImageCaptcha - Mollom outages - - - - 1002 - ^drupal - All servers unavailable - Mollom outages - - - - 1002 - ^drupal - All servers unreachable or returning errors - Mollom outages - - - - 1002 - ^drupal - mollom.getServerList - Mollom outages - - - - 1002 - ^drupal - Oracle_Project_Failure_Cover - Filename with the word failure - - - - 1003 - ^ovpn-openvpn - PUSH_REPLY - Large OpenVPN syslog message, pushing routes to the user - - - - 1003 - ^drupal - gcl.prod.codeenigma.com:80/sugarcrm - Large SugarCRM messsages - - - - 1003 - ^drupal - www.gamblingcompliance.com/node - Large Drupal watchdog messages - - - - 1003 - ^drupal - 
www.gamblingcompliance.com/contact - Large Drupal watchdog messages - - - - 1003 - ^drupal - www.gamblingdata.com/contact - Large Drupal watchdog messages - - - - 40101 - ^su - root:nobody - Crons from cron.daily - - - - 1003 - ^drupal - www.gamblingcompliance.com/search/site - Large Drupal watchdog messages - - - - 1003 - ^drupal - Searched Site for - Large Drupal watchdog messages - - - - 1002,1003 - ^drupal - disallowed Unicode code - Unicode errors due to sites that need updating so they work with current PHP versions - - - - 1002 - ^drupal|wcc - Undefined property - PHP warnings and errors - - - - 1002 - ^drupal|wcc - Undefined variable - PHP warnings and errors - - - - 1002,1003 - ^drupal|wcc - Trying to get property of non-object - PHP warnings and errors - - - - 1002 - ^drupal|wcc - to be array, - PHP warnings and errors - - - - 1002 - ^/USR/SBIN/CRON - (CRON) error (grandchild # - Failing crontabs - - - - 1002 - ^ovpn-openvpn - Connection refused - Disconnecting VPN clients - - - - 1002 - ^drupal - Use of undefined constant - PHP bugs in EC sites - - - - 1002,1003 - ^drupal|wcc - Undefined index - PHP bugs in sites - - - - 1002 - ^ovpn-openvpn - TLS Error - Disconnecting VPN clients - - - - 1002 - ^ovpn-openvpn - tls-error - Disconnecting VPN clients - - - - 1002 - ^ovpn-openvpn - Bad LZO decompression header - Disconnecting VPN clients - - - - 1003 - ^drupal - Retrieved new CAPTCHA - Verbose Mollom logging - - - - 1003 - ^drupal - Incorrect CAPTCHA - Verbose Mollom logging - - - - 1003 - rest.mollom.com - Mollom messages are often too verbose and trip OSSEC on 1003 - - - - 1002 - Finished processing scheduled jobs - Job Scheduler in Drupal uses the word 'failed' even when 100% success. 
Ignore - - - - 1002 - Preventing ms_DRBD_NFS from re-starting on - monitors can't run resources - - - - 1002 - ^nslcd - request denied by validnames option - Jenkins Duplicity jobs trigger nslcd verbose message - - - - 1002 - ^php - No buffer to delete in /usr/share/php/pearcmd.php on line 19 - Ignore buggy pearcmd.php on PHP 5.4 - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - failed with code - Buggy feed app - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - Apache Solr - Solr comm fail - - - - 1003 - airmic-app2.codeenigma.net - ^drupal - IDS Detector Details - airmic civicrm - - - - 1003 - airmic-app2.codeenigma.net - ^drupal - apachesolr_search - airmic solr - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - oauth_consumer_key - airmic mollom - - - - 1002 - ^nagios3 - SOLR Cores - Ignore automatic SOLR alerts on midnight - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - The page you requested is currently unavailable - civicrm - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - Terrorism - civicrm - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - DB Error: already exists - civicrm - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - Could not find valid value for id - civicrm - - - - 1003 - airmic-app2.codeenigma.net - ^drupal - backTrace - civicrm - - - - 1003 - airmic-app2.codeenigma.net - ^drupal - civicrm - Airmic CiviCRM - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - We can't load the requested web page - Airmic CiviCRM - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - You do not have permission to access this page - Airmic CiviCRM - - - - 1003 - airmic-app2.codeenigma.net - ^drupal - has answered your question - Airmic CiviCRM - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - ERROR_CONTACT - Airmic CiviCRM - - - - 1002 - ^nslcd - Can't contact LDAP server - Occasional connection closures on LDAP lookups from remote locations - - - - 1002 - ^rngd - FIPS 140-2 failures - rngd-tools - - - - 1002,1003 - ^drupal|wcc - 
Invalid argument supplied for foreach - Bug in site - - - - 1002 - wt-stage2.codeenigma.net - ^drupal - SearchApiSolrConnection - Badly configured Solr - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - Solr - Badly configured Solr - - - - 1002 - ^drupal - seems to be broken - Bad feeds - - - - 1003 - wt-app3.codeenigma.net|wt-app4.codeenigma.net - ^drupal - swf.swf - Bad URL - - - - 1002 - wt-app3.codeenigma.com|wt-app4.codeenigma.net - ^drupal - SearchApiSolrConnection - Bad Solr config - - - - DatabaseConnection->escapeLike - SQL attempt in form - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - failed with code 410 - Bad twitter feed - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - foreach - Bad code - - - - 1002 - wt-app3.codeenigma.net|wt-app4.codeenigma.net - ^drupal - aspxerrorpath - Bad URL - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - stat failed - Missing files - - - - 1002 - redactive-dev2.codeenigma.net - ^drupal - SearchApiException while optimizing Solr server - Missing solr - - - - 1002 - ^drupal - seems to be broken - Bad feeds - - - - 1002 - ^drupal - Bad RequestApache - Bad solr - - - - 1002,1003 - terror|error.asp - The word terror is not considered a hacking attack - - - - 1002 - bad|attack - These words are harmless - - - - 1002 - ^systemd - Failed to read PID from file - Harmless bug - - - - 1002 - swift-app1.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-dev5.codeenigma.net|myscience-app6.codeenigma.net - Compilation failed - Harmless bug - - - - 1002 - monitor3.codeenigma.net|monitor2.codeenigma.com - ^nagios3 - SERVICE - Noisy Nagios will alert us itself if there is a real problem - - - - 1002 - ^kernel - floppy: error -5 while reading block 0 - Noise - - - - 1002 - ^systemd - Failed to reset devices.list on /system.slice - Noise - - - - 1002 - ^drupal - check the manual that corresponds to your MySQL server version for the right syntax to use near - 
Buggy code - - - - 1002 - ^drupal|cricknet - Connection refused in SearchApiSolrConnection - Ignore harmless solr error - - - - 1002 - monitor3.codeenigma.net - ^ntop - rrd_update - Ignore nTop messages - - - - 1002 - Illegal string offset - Noisy PHP bug - - - - 1002,1003 - wt-stage2.codeenigma.net - ^drupal - 401 Unauthorized - Noisy stage sites - - - - 1002 - monitor3.codeenigma.net - ^ovpn-openvpn - AUTH_FAILED|TLS Auth Error|PLUGIN_AUTH_USER_PASS_VERIFY failed|SSL3_GET_CLIENT_CERTIFICATE - Failed attempt to login to OpenVPN - - - - 1002 - ^drupal - Error sending e-mail - failed email send - - - - 1002 - jenkins2.codeenigma.net - ^openvpn - fail - Ignore failing VPN - - - - 1002 - monitor3.codeenigma.net - ^ovpn-openvpn - bad packet ID - Flaky OpenVPN clients - - - - 1002 - ^drupal - The file upload failed - Buggy client code or some other app issue - - - - 1003 - jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net - mapping-ISOLatin1Accent.txt - Solr noise - - - - 1002 - jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net - Internal Server Error: Internal Server Error in apachesolr_cron - Solr noise - - - - 1002 - Feed processing failed - App noise - - - - - 1002 - jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net - The configuration file {/var/www/piwik/config/config.ini.php} has not been found or could not be read - Piwik not installed - - - - 1002 - jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net - An unexpected website was found in the request - Piwik fail - - - - 1003 - ^drupal - Reacting on event - Large syslog messages on aps - - - - 1002 - nycc-app3.codeenigma.net|nycc-dev2.codeenigma.net - Connection refused - Solr error - - - - 1002 - wt-app3.codeenigma.net|wt-app4.codeenigma.net|wt-stage2.codeenigma.net - ^drupal - Invalid view mode - Bad code - - - - 1002 - ^freshclam - 
Can't find or parse configuration file /etc/clamav/clamd.conf - Jessie upgrade - - - - 1003 - nycc-dev2.codeenigma.net|nycc-app3.codeenigma.net - unknown field - Noisy syslog message - - - - 1002 - nycc-app3.codeenigma.net|nycc-dev2.codeenigma.net - Name or service not known - Noisy syslog message - - - - 1002 - nycc-app3.codeenigma.net|nycc-dev2.codeenigma.net - A fast 404 test - Noisy syslog message - - - - 1002 - /usr/bin/filebeat - SSL client failed to connect - Ignore noisy disconnections - - - - 31421 - wt-stage2.codeenigma.net - planer_three_region.inc - Ignore noisy bug on WT stage - - - - 1002 - freshclam - Can't download - Ignore clamav outage - - - - 1002 - freshclam - Connection refused - Ignore clamav outage - - - - 1002 - drupal - redactive-app3.codeenigma.net - Undefined offset - Ignore buggy code - - - - 1002 - monitor3.codeenigma.net|monitor2.codeenigma.com - ^nagios3 - API returned error - Buggy Pingdom or Statuscake - - - - 1002 - wt-stage2.codeenigma.net|wt-app3.codeenigma.net|wt-app4.codeenigma.net - ^drupal - Can't contact LDAP server - Ignore LDAP alerts in Drupal - - - - 1002,1003 - Illegal offset type - Buggy code - - - - 1003 - airmic-app2.codeenigma.net - cron running apachesolr_nodeapi_mass_delete - Harmless message - - - - 1002,1003 - Data too long for column - Noisy MySQL exception - - - - 1002,1003 - wt-stage2.codeenigma.net - swf.swf - More awful coding by apparent professionals - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - TotalRequests Limit exceeded - salesforce issue - - - - 3330 - ^postfix - 451 Internal resource temporarily unavailable - greylisting - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - is not of the type Positive - civicrm issue - - - - 1002 - ^drupal - bytes in _dmemcache_get_pieces() - Bug in memcache module in distributed setups - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - failed to load destination URL - ads issue - - - - 1002 - wt-app3.codeenigma.net|wt-app4.codeenigma.net - ^drupal - 
error404 - false positive - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - chain - false positive - - - - 1003 - ^drupal - nycc-app3.codeenigma.net|nycc-dev2.codeenigma.net - .asp - Bot noise - - - - 1002 - ^varnishd - VCL_MET_BACKEND_ERROR - Normal Varnish reload - - - - 1002 - ^varnishd - backend_error - Normal Varnish reload - - - - 1002 - ^varnishd - synth+error - Normal Varnish reload - - - - 1002 - ^varnishd - Return error code 405 - Normal Varnish reload - - - - 1002 - ^varnishd - h1 - Normal Varnish reload - - - - 1002 - ^varnishd - invisibly - Normal Varnish reload - - - - 1002,1003 - ^drupal - Missing bundle property on entity of type - Buggy site - - - - drupal - php module enabled - PHP module has been enabled on this Drupal site - - - - 1002,1003 - ^drupal - Data truncated for column - Buggy site - - - - 1003 - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net - ^drupal - EntityStructureWrapper - Buggy site - - - - 1003 - swift-app1.codeenigma.net - ^drupal - doubleclick - False positive - - - - 1002 - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-dev5.codeenigma.net|myscience-app6.codeenigma.net - ^drupal - from no-reply@stem.org.uk|Failed sending email - Bad mail attempts - - - - 1002 - govwales-app3.codeenigma.net|govwales-app4.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - ^drupal - Request failed: Connection refused - Bad solr - - - - 1002,1003 - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net - ^drupal - field_organisation_target_id - Buggy site - - - - 1003 - swift-app1.codeenigma.net - ^drupal - flashtalking - Big referer - - - - 1002 - ^drupal|wcc - as the parent data structure is not set - Buggy site - - - - 1002 - jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net 
- ^snmpd - get_errorcounters - SNMP message - - - - 1002,1003 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - ^drupal - Recieved - Varnish noise - - - - 1002,1003 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - ^drupal - Authentication to server failed - Varnish noise - - - - 1002,1003 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - ^drupal - Socket error - Varnish noise - - - - 40111 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - ^varnishd - CLI Authentication failure from telnet - Varnish noise - - - - 1002,1003 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - ^drupal - Request failed - Varnish noise - - - - 1003 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - CLI telnet - Varnish noise - - - - 1003 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - ^drupal - Expiration was executed - Varnish noise - - - - 1003 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - ^drupal - Rd ban req.http.host - Varnish noise - - - - 1002 - ^drupal - Unable to render media - Buggy site - - - - 31412,31421,1002 - airmic-app2.codeenigma.net - adserve.inc on line 274 - Buggy site - - - - 1003 - ^varnishd - CLI telnet 127.0.0.1 - Varnish noise - - - - 1002 - redactive-app3.codeenigma.com - ^drupal - Unexpected error the MTL API - 3rd party service down - - - - 1002 - puppet3.codeenigma.net - failedbackupscheck - Harmless script name - - - - 1002 - wt-app3.codeenigma.net|wt-app4.codeenigma.net - 500-unexpected-error-occured - Noisy 404s - - - - 1002 - ^dockerd - be forced - Noisy docker cleanup - - - - 1002 - monitor3.codeenigma.net|monitor2.codeenigma.com - 
^nagios3 - A TLS packet with unexpected length was received - Flaky network - - - - 1002 - monitor3.codeenigma.net|monitor2.codeenigma.com - ^nagios3 - Empty reply from server - Flaky network - - - - 1002 - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net - ^drupal - failed to open file handle - Buggy code - - - - 1003 - swift-app1.codeenigma.net - ^drupal-exacom - exa_rules - Noisy code - - - - 1002,1003 - swift-app1.codeenigma.net - ^drupal - Attempting to re-run cron while it is already running - cron collision - - - - 1002 - ^sshd - no matching cipher found - crawler - - - - 1002 - monitor3.codeenigma.net|monitor2.codeenigma.com - ^nagios3 - Was both Username and API Key provided - crawler - - - - 1002 - airmic-app2.codeenigma.net - ^drupal - PEAR_ErrorStack::singleton - deprecated code - - - - 1002,1003 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - ^drupal - rbipdebug - debug code - - - - 1002 - jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net - __clone method called on non-object in - buggy code - - - - 1002,1003 - wt-stage2.codeenigma.net - ^drupal - SearchApiException while - buggy code - - - - 1002,1003 - airmic-app2.codeenigma.net - ^simplesamlphp - Use of undefined constant AIRMIC_SIMPLESAMLPHP_SAML20_IDP_REMOTE - buggy code - - - - 1002,1003 - airmic-app2.codeenigma.net|hlt-app1.codeenigma.net|rcpch-dev2.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net - ^simplesamlphp|SimpleSAMLphp - Error|Headers|errors - buggy code - - - - 1002 - The following module is missing from the file system - Noisy code - - - - 1002,1003 - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net - ^drupal - METADATANOTFOUND - buggy code - - - - 1003 - no_email_alert - Silence the 1003 alerts - - - - 1002 
- myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net - Broken pipe in _clamav_scan_via_daemon - Not a security issue - - - - 1002 - ^drupal|wcc - SMTP error: Could not authenticate - Not a security issue - - - - 1002 - swift-app1.codeenigma.net - ^drupal|wcc - Lost connection to MySQL server during query - MySQL crash or slow queries need optimising - - - - 1002 - wt-stage2.codeenigma.net - ^drupal - Revert - False positive - - - - 31421 - ^php - Call to undefined function apc_clear_cache - False positive - - - - 1002 - Failed opening - Buggy code - - - - 1002 - ^drupal - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net - occurred when trying to fetch - stage_file_proxy error - - - - 1002 - ^dnsmasq - monitor3.codeenigma.net - Operation not permitted - caused by someone in the VPN - - - - 1002 - ^drupal - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net - Error fetching data from - 3rd party service - - - - 1002 - ^drupal - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net - Unknown error - Noise - - - - 1002 - airmic-app2.codeenigma.net - link.vars.php - Noise - - - - 1002 - ^drupal - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - Connection refused - Noise - - - - 1002 - airmic-app2.codeenigma.net - Duplicate entry - Noise - - - - 1002 - ^drupal - redactive-dev2.codeenigma.net - Connection refused - Noise - - - - 1002 - wt-app3.codeenigma.net|wt-app4.codeenigma.net - Do_not_worry_about_it - Noise - - - - 1002 - ^rrdcached - monitor3.codeenigma.net - found extra data on update argument - Bug in rrdcached - - - - 1002 - ^rrdcached - monitor3.codeenigma.net - failed with status - Bug in rrdcached - - - - 1002 - nycc-app3.codeenigma.net - 
libssh2.so - php bug - - - - 1002 - ^drupal - myscience-dev3.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app6.codeenigma.net - API call to - Ignore Stem API errors - - - - 1002 - ^drupal - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app6.codeenigma.net - User account creation error - Ignore Stem API errors - - - - 1002 - ^drupal - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app6.codeenigma.net - Wrong return data for - Ignore Stem API errors - - - - 1002,1003 - ^drupal - myscience-dev3.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app6.codeenigma.net - Base table or view not found - Ignore Stem errors - - - - 1002,1003 - ^drupal - myscience-dev3.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app6.codeenigma.net - Error creating/updating Achiever contact - Ignore Stem errors - - - - 1002 - hlt-app1.codeenigma.net - Validation with key - Ignore SimpleSAML errors - - - - 1002 - airmic-app2.codeenigma.net - Cannot redeclare class - PHP site bug - - - - 1002 - redactive-app3.codeenigma.net - Error opening socket - false positives - - - - 1002 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - Login denied from - noisy alert - - - - drupal - Potentially unsafe keys - Potentially unsafe keys found in request parameters - - - - 1002 - AcquiaSearchService - Noisy solr bug - - - - 1002 - govwales-ldn-dev2.codeenigma.net - doc.rtl - Noisy site bug - - - - 1002 - ^drupal - Unknown error - Drupal noise - - - - 1002 - ^CRON - Cron error - Epiqo cronjob noise - - - - 1002 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net|govwales-ldn-app6.codeenigma.net - The resource owner or authorization server denied the request - Noisy - - - - 1002 - SimpleSAML_Error|NOSTATE|UNHANDLEDEXCEPTION - Noise - - - - 1002 - ^drupal 
- HTTPRedirect - Noise - - - - 1002,1003 - Headers already sent - buggy code - - - - 1002 - access-denied|ShowErrors|failedattempt|User_error|AH00036|AH02032|display_errors|valid-user|RequireAny|FailedURI|user_refused|i2cerrors|aspxerrorpath|No such file or directory|trial-and-error|AH01991|AH00687|Failure.ppt|advagg|fatal-fire|failure.jpg|on_error|judging-our-errors|20fail|locationError|permissiondenied|AH01996|SSL23_GET_CLIENT_HELLO|supermarket-refused|moodle_exception|ERROR_CONTACT_SUPPRESSED|failed=1|_refused|errors-|error-404|error_|-error|98failure|error.png|fatale|_error - normal 403s - - - - 1002,1003 - fci-dev2.codeenigma.net - ^cricknet - Unable to get a data value - buggy code - - - - 1002 - ^ovpn - TLS key negotiation failed|TLS handshake failed - port-scanning VPN servers is noisy - - - - 1002 - ^drupal - wt-app3.codeenigma.net|wt-app4.codeenigma.net - Failed to push json to s3 - Site bug - - - - 1002 - ^drupal - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app4.codeenigma.net - Call to a member function getCompanyNo - Noisy site bug - - - - 1002 - ^cron-nsfailover - Operation not permitted - Noisy stretch alert - - - - 1002 - ^agent - jmxfetch - Noisy alert - - - - 1002 - ^drupal - Queue size - Noisy Drupal alert - - - - 1002 - ^puppet-agent - Composer - Noisy Puppet alert - - - - 1002 - ^dockerd - cgroup path for memory not found - Noisy Docker alert - - - - 1002 - ^puppet-agent - ffaker - Noisy alert - - - - 1002 - myscience-dev3.codeenigma.net|myscience-dev4.codeenigma.net|myscience-dev5.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app5.codeenigma.net|myscience-app6.codeenigma.net - Argument 1 passed to - Noisy alert - - - - 1002 - ^drupal - Could not connect to Mailchimp - Noisy alert - - - - 5501,5502 - 
git2.codeenigma.net|jenkins2.codeenigma.net|iaea-utilities2.codeenigma.net|govwales-utility2.codeenigma.net|nycc-utility2.codeenigma.net|myscience-utility1.codeenigma.net|airmic-utility2.codeenigma.net - ^sshd - for user git - Noisy alert - - - - 5715 - git2.codeenigma.net|jenkins2.codeenigma.net|iaea-utilities2.codeenigma.net|govwales-utility2.codeenigma.net|nycc-utility2.codeenigma.net|myscience-utility1.codeenigma.net|airmic-utility2.codeenigma.net - ^sshd - Accepted publickey for git - Noisy alert - - - - 1002,1003 - govwales-ldn-dev2.codeenigma.net|govwales-ldn-app3.codeenigma.net|govwales-ldn-app4.codeenigma.net - ShieldMiddleware - Noisy alert - - - - 1002 - myscience-dev3.codeenigma.net|myscience-dev4.codeenigma.net|myscience-dev5.codeenigma.net|myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-app5.codeenigma.net|myscience-app6.codeenigma.net - Problem processing JSON - Noisy alert - - - - 1002 - ^awslogs - is not running - Noisy alert - - - - 1002 - ^amazon-ssm-agent - AccessDeniedException|Failed|error - Noisy alert - - - - - - - - - - drupal - Drupal - Drupal syslog message - - - - 104110,1002 - Login attempt failed - Drupal failed login! - - - - 104120 - - Login attempt failed for admin. - Drupal failed attempt to log in as admin! - - - - 104120 - Possible Drupal brute force attack - (high number of logins). - - - - - 104110 - Illegal choice - Drupal possible input injection (XSS/XSRF) attack! - - - - 104110,1002 - Access denied - Drupal access denied error (permissions rejected). - - - - 104150 - admin/ - Drupal access denied to admin screen. 
- - - - - - - - - - 31122 - GET /sites/default/files/styles - Unable to generate derived image in Drupal - ignored - - - - 1002 - markets-and-market-failure - False positive due to name of URL - - - - 31151 - iepngfix.htc - Missing image on thorogood site - - - - 31151,31115 - flashtalking/ftlocal.html - Broken ads on revisionworld.co.uk - - - - 31122 - POST /node/add/study_calendar - Broken app on revisionworld.co.uk - - - - 31151 - Preloader10.swf - Broken app on revisionworld.co.uk - - - - 31151,31115 - DARTIframe - Broken app on revisionworld.co.uk - - - - 31151 - wmode=transparent - Broken app on revisionworld.co.uk - - - - 1003 - GET /production/catalog - Puppet check-ins create a large syslog message, ignore it - - - - 1003 - GET /stage/catalog - Puppet check-ins create a large syslog message, ignore it - - - - 1003 - GET /dev/catalog - Puppet check-ins create a large syslog message, ignore it - - - - 31122 - 500 5 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) - Googlebot 500 errors (on GCL site) - - - - 1002 - LookupIdVisitor - EC Asia errors seen in nginx log - - - - 1003 - GET /issues/context_menu - Large redmine apache access logs - - - - 1003 - GET /projects/gcl - Large redmine apache access logs - - - - 31151 - FlipboardProxy - FlipboardProxy logs 499 error code particularly on GCL - - - - 31153 - trusted-sources - googlebot going bananas on paginated parts of the variantperception site - - - - 31151 - atlas_js_shared.js - Missing javascript file triggering 404 active response - - - - 31122 - GET /en/sites/default/files/styles - imagecache from bots on codeenigma site - - - - 31122 - GET /fr/sites/default/files/styles - imagecache from bots on codeenigma site - - - - 31122 - "POST /user/register HTTP/1.1" 500 5 "http://www.gambling - bots on GCL site - - - - 31152 - enigma3.codeenigma.net - web-accesslog - photos-for-sale - Strange Thorogood URLs interpreted as SQL injection attacks - - - - 31123 - 
/var/log/nginx/access-support.prod.log - web-accesslog - "GET / HTTP/1.1" 503 - Googlebot hitting a site that is offline - - - - 31123 - /var/log/nginx/access-the-planner.prod.log - web-accesslog - HTTP/1.1" 503 - Site is in maintenance mode - - - - 31122 - /var/log/nginx/access-spring.log - web-accesslog - 500 - Internal server error on this site - - - - 31151 - web-accesslog - GET /sites/default/files/styles - Common location for 403 or 401 codes on Drupal imagecache - - - - 31122 - web-accesslog - ++++++++++++++++++++++++++++Result - Spambots - - - - 31151 - web-accesslog - /var/log/nginx/access-sm.prod.log - feed - RSS crawling bot - no_email_alert - - - - - - 31151 - web-accesslog - /var/log/nginx/access-sm.prod.log - getresource.axd - Broken ad 404ing probably trips OSSEC and user access - - - - 31151 - web-accesslog - /var/log/nginx/access-airmic.prod.log - CRM_Contact_Page - Client doing something with ajax in civicrm that throws spurious 499 codes - - - - 31151 - web-accesslog - /var/log/nginx/access-airmic.prod.log - boost-gzip-cookie-test.html - Client doing something with ajax in civicrm that throws spurious 499 codes - - - - 31151 - /var/log/apache2/access-tcs-intranet.log - itok - Requesting various assets seems to result in a 403 at least temporarily, trips OSSEC and likely blocks users - - - - 1002 - wt-app3.codeenigma.net|wt-app4.codeenigma.net - admanmedia - Residual 404s on WT due to re-used IP on loadbalancer from a previous customer - - - - 31151 - /var/log/nginx/access-bigpicture.prod.log - eot - 404s on Big Picture site - - - - 31151 - /var/log/nginx/access-bigpicture.prod.log - fast_facts/json/all - 403s on Big Picture site - - - - 31101 - Microsoft Office Protocol Discovery - Probably an OPTIONS request from Microsoft Office Protocol Discovery user-agent - - - - 31151 - wt-app3.codeenigma.net|wt-app4.codeenigma.net - admanmedia - Residual 404s on WT due to re-used IP on loadbalancer from a previous customer - - - - 31153 - 
wt-app3.codeenigma.net|wt-app4.codeenigma.net - admanmedia - Residual 404s on WT due to re-used IP on loadbalancer from a previous customer - - - - 31122 - /var/log/nginx/access-sm.prod.log - HTTP/1.1" 500 - 500s on Supply Management site - - - - 1002 - wt-app3.codeenigma.net|wt-app4.codeenigma.net - message-24-error.png - harmless jpeg - - - - 31151 - /var/log/nginx/access.org.log|/var/log/nginx/access-actionaid.org.log - aaidonazione/confirmDonation.do?codeTransaction - 404s every 30 min or so on ActionAid from Italy to some donation page - - - - 31151 - OPTIONS /system - Microsoft silliness - - - - 31151,31122 - PROPFIND /system - Microsoft silliness - - - - 31151 - chsoc-app2.codeenigma.net - /user/login/sso - SSO component on CHSOC sites - - - - 31151 - chsoc-app2.codeenigma.net - OPTIONS - Misbehaving browsers on chsoc - - - - 1002 - Method has been changed to GET - Ignore broken links in linkchecker module reporting to watchdog - - - - 31101 - web-accesslog - /bin/bash - Shellshock attempt - - - - 31101 - redactive-app3.codeenigma.net - web-accesslog - bkg-header.png - 404s - - - - 31101 - /var/log/nginx/access-ecg.log - web-accesslog - medmastery.com - 403s - - - - 31101 - /var/log/nginx/access-ecg.log - web-accesslog - course - 403s - - - - 1003 - gclid - Ignore large weblog with big Referer (google ad?) - - - - 31101 - redactive-app3.codeenigma.net - web-accesslog - GET /news-feed.rss - ignore 404 - - - - 31101 - redactive-app3.codeenigma.net - web-accesslog - GET /newsrss.rss - ignore 404 - - - - 31530,31108 - ] "POST \S+.php\.+HTTP/1.\." 
200 - POST request to a file ending in .php extension - - - - 31530,31108 - ] "POST \S+.html - POST request to a file ending in .html extension - no_email_alert - - - - 31122 - redactive-app3.codeenigma.net - \\x - 500 errors with strange characters in the URLs, seems to recur on occasion - - - - 101100,1002 - jstats|kibana|geocoding - Stats - - - - 101100 - statistics.php - Stats - - - - 101100 - wp-admin - Normal Wordpress activity - - - - 31101 - redactive-app3.codeenigma.net - web-accesslog - 85.232.51.149 - GET /opinion/header - 404s - - - - 31122,1002 - /var/log/nginx/access-mapmeo.log|/var/log/nginx/access-www.meinestelle.de.log|/var/log/nginx/access-empla.log|/var/log/nginx/access-unicum.log - hybridauth - Broken Epiqo app - - - - 1002,1003,31123 - terror|bad|attack|error.asp|errordetail1|Error.aspx|error.svg|planning-error|failures|error500|failed_uli|channelling-failure|Error%20|-failure|-failed|-illegal|search-error|failure- - The word terror is not considered a hacking attack - - - - 101100 - redactive-app3.codeenigma.net|redactive-dev2.codeenigma.net - emit.php - Stats - - - - 31101 - redactive-dev2.codeenigma.net|redactive-app3.codeenigma.net - web-accesslog - feed - ignore 404 - - - - 30101 - /var/log/apache2/error.log - server reached MaxClients setting, consider raising the MaxClients setting - MaxClients threshold reached - - - - 31122 - /var/log/nginx/access-revisionworld.log - Buggy revisionworld - - - - /var/log/nginx/access-scambs-drupal.prod.log - POST /user - no_email_alert - Ignore user post - - - - 101131 - Possible Drupal brute force attack - (high number of requests to /user). 
- no_email_alert - - - - 1002 - /var/log/nginx/access-actionaid.org.log - abad|ebad - Ignore URL - - - - 101100 - jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net - machform - Machform is OK to POST to - - - - 31122 - jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net - piwik.php - Piwik broken or not installed - - - - 1003 - search.yahoo.com - Big referer - - - - 101055 - OPTIONS - OPTIONS request from Microsoft Office Protocol Discovery user-agent - - - - 101100 - airmic-app2.codeenigma.net|enigma3.codeenigma.net - xmlrpc - POST to apparently OK script - - - - 1003 - jsredir - Noisy Yandex - - - - 1002 - /misc/message-24-error.png - false positive word - - - - 31533 - POST /batch? - Normal to see high rate of POSTs to batch pages in Drupal - - - - 31122 - wt-app3.codeenigma.net|wt-app4.codeenigma.net - mwt_republish/nojs - Buggy code - - - - 31151 - /var/log/nginx/access-corporate.prod.log - Ignore 404s on newly launched site for now - - - - 101100 - jdi-dev1.codeenigma.net|jdi-app2.codeenigma.net|jdi-app3.codeenigma.net|jdi-app4.codeenigma.net - limesurvey - Normal POST request - - - - 1002 - /var/log/apache2/error-iaea.master.log - from remote server - Bugs with IAEA remote legacy app - - - - 1003 - /var/log/nginx/access-unitedway.log - job_geo_location - Large nginx log messages - - - - 31161 - swift-app1.codeenigma.net - sites/revisionworld.com/files - Deliberate 501 code on revisionworld.com - - - - 1002 - wt-app3.codeenigma.net|wt-app4.codeenigma.net - mwt-republish-img - Noisy referer - - - - 31533 - /var/log/nginx/access-stem.prod.log - js/shs/json - Normal high rate of POSTs to Stem site - - - - 31122 - /var/log/nginx/access-stem.prod.log - system/ajax - Buggy site - - - - 101100 - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net - ^drupal - idp - Big IDP request - - - - 1002,1003 - 
redactive-dev2.codeenigma.net - ^drupal - 401 Unauthorized - Noisy stage sites - - - - 31151,31101 - /var/log/nginx/access-smartsolutions.prod.log - Ignore 40X in logs on nycc-app1 smartsolution site, there are too many 401s/404s due to site rebuild - - - - 101100 - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net - drupalauth - SAML auth - - - - 31151,31152,31153,31154 - OpenVAS - 127.0.0.1 - no_email_alert - Too noisy - - - - 1003 - myscience-app3.codeenigma.net|myscience-app4.codeenigma.net|myscience-dev3.codeenigma.net|myscience-app6.codeenigma.net - SSOService.php - SAML auth - - - - 1002 - /var/log/nginx/access-govwalesd7.master.log - care-and-support-business-failure-wales-regulations-2015-and-care-and-support - False positive - - - - 1002 - /var/log/nginx/access-sono.log - abdominal - False positive - - - - 31533 - /var/log/nginx/access-bookworks.log - publishing - Frequent high rate of POSTs - - - - 31122 - /var/log/nginx/access-hosting-dashboard.prod.log - StatusCake - bad deploy - - - - 31123 - /var/log/nginx/access-ai.prod.log|/var/log/apache2/access-cwh.prod.log - web-accesslog - maint mode - - - - 31123 - /var/log/nginx/access-stem.amb_dev.log - web-accesslog - maint mode - - - - 31101,31151 - web-accesslog - /var/log/nginx/access-recruiter.prod.log - rss - RSS crawling bot - no_email_alert - - - - 31101,31151 - web-accesslog - /var/log/nginx/access-recruiter.prod.log - national-news.xml - RSS crawling bot - no_email_alert - - - - 31101,31151 - web-accesslog - /var/log/nginx/access-thorogood.prod.log - leaflet - Buggy - - - - 31122 - web-accesslog - /var/log/apache2/access-festival_micro.prod.log - Buggy - - - - 31101,31151 - web-accesslog - /var/log/nginx/access-wcc.ce-prod.log - panels|planning|guide - Buggy - - - - 31122 - web-accesslog - /var/log/nginx/access-bookworks.log - imagecache - Meh - - - - 31533 - /var/log/nginx/access-rcm.prod.log - POST /cas/login - Normal to see 
high rate of POSTs to /cas/login pages - - - - 31122 - /var/log/nginx/access-hosting-dashboard.prod.log - favicon.png - Buggy code - - - - 31533 - /var/log/nginx/access-stem.prod.log - POST /plupload-handle-uploads - Normal to see high rate of POSTs to /plupload-handle-uploads pages - - - - 31123 - /var/log/nginx/access-hav-j150709.prod.log|/var/log/nginx/access-pri-j150281.prod.log - web-accesslog - site offline - - - - 1002 - /var/log/nginx/access-the-planner.prod.log - failure|error|refused|denied|illegal - false positive - - - - 1002 - message-16-error.png - false positive in omega theme - - - - 1002,31122 - /var/log/nginx/access-mapmeo.log - jserror - false positive - - - - 31122 - /var/log/apache2/access-cwh.prod.log - major-works - site bug - - - - 101100 - enigma3.codeenigma.net - wp-cron.php - Wordpress - - - - 31151 - Jorgee - no_email_alert - Noisy scanner - - - - 31122,1002 - /var/log/nginx/access-unicum.log - inhalt - False positive - - - - 31122,1002 - /var/log/nginx/access-platform-prod.log - api - Noise I cannot do anything about - - - - 31122,1002 - /var/log/nginx/access-rcm.prod.log - print|news-views-and-analysis|rss - Noise I cannot do anything about - - - - 31122,1002 - /var/log/nginx/access-platform-prod.log - platform - Noise I cannot do anything about - - - - 31151,31101 - /var/log/nginx/access-platform-prod.log - Ignore 40X on STEM platform - - - - 31123 - /var/log/nginx/access-actionaid.org.log|/var/log/nginx/access.org.log - Ignore 503s on AAI (bots being rate-limited) - - - - 31122,1002 - /var/log/nginx/access-ecgstage.log - chargebee - bug on ECG stage site - - - - 1002 - /var/log/nginx/access-govwalesd8.master.log - common-errors - false positive - - - - 1002 - /var/log/nginx/access-cambridge.gov.uk.prod.log - BuildFailureDetector - False positive - - - - 31108,31101 - 23value|23default_value|23markup|element_parents=%23 - web-accesslog - RCE attempt maybe - no_email_alert - - - - 31122 - /var/log/apache2/access-rcm.prod.log - rss.xml 
- Site bug - - - - 31122 - myscience-dev4.codeenigma.net - Site bug - - - - 31122 - /var/log/nginx/access-jpoesen.com.log - web-accesslog - comment/reply - Internal server error on this site - - - - 31122 - /var/log/apache2/access-iaea.master.log|/var/log/apache2/access-iaea.drupal-direct.log - Buggy site - - - - 1002 - client denied by server configuration - 403d response - no_email_alert - - - - 1002 - 2fa.codeenigma.net - wsgi:error - Bugs in LinOTP - - - - 31530 - /var/log/nginx/access-corporate.prod.log - general-enquiry - Possible spamming of WT corporate contact form - - - - - 1002 - access-denied|ShowErrors|failedattempt|User_error|AH00036|AH02032|display_errors|valid-user|RequireAny|FailedURI|user_refused|i2cerrors|aspxerrorpath|No such file or directory|trial-and-error|AH01991|AH00687|AH01276|Failure.ppt|advagg|fatal-fire|failure.jpg|on_error|judging-our-errors|20fail|locationError|permissiondenied|AH01996|SSL23_GET_CLIENT_HELLO|supermarket-refused|moodle_exception|ERROR_CONTACT_SUPPRESSED|failed=1|_refused|errors-|error-404|error_|-error|98failure|error.png|fatale|_error - normal 403s - - - - /var/log/apache2/access-cwh.prod.log - Ignore 404s on cwh for now to avoid blocking users being proxied from HAproxy - - - - /var/log/apache2/access-wcc.ce-prod.log - 31101,31151,1002 - fa-solid-900 - Ignore missing font files on new WCC site - - - - 101100 - /var/log/nginx/access-wcc.ce-prod.log|/var/log/nginx/access-johnthorogood.prod.log - wp-login.php - False positive - - - - 31101,31151,1002 - /var/log/nginx/access-tephinet.master.log|/var/log/nginx/access-tephinet.staging.log - GET /sites/tephinet/files/styles - Ignore missing style files on Mantaray Tephinet site - - - - 31151,31101 - wt-stage2.codeenigma.net - Ignore 40X in logs on wt-stage2, there are too many 401s/404s due to misbehaving apps - - - - - - - - - 31120 - ^502 - Web server 502 error code (Bad gateway). 
- - - - 31124 - /var/log/nginx/access-actelion.log - web-accesslog - Ignore 502s that we can't be responsible for (legacy sites) - - - - 31123 - /var/log/nginx/access-nycc.prod.log - Strange 503s - - - - - - - 521 - scantem - Whitelist alerts containing 'scantem' in the title. - no_full_log - - - + + + + + + + 5716 + 1.1.1.1 + sshd: authentication failed from IP 1.1.1.1. + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, + + + + + + 521 + scantem + Whitelist alerts containing 'scantem' in the title. + no_full_log + + + + From c4aeab06b708f07b7b88a05f577970a949a2dbf0 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:42:00 +0100 Subject: [PATCH 250/331] Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables --- roles/debian/wazuh/defaults/main.yml | 4 ++++ roles/debian/wazuh/tasks/main.yml | 1 + 2 files changed, 5 insertions(+) diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml index e58c2d045..931593f64 100644 --- a/roles/debian/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml @@ -86,6 +86,8 @@ wazuh: wazuh_manager_log_level: 3 wazuh_manager_email_level: 12 wazuh_manager_config: + decoder_dir: "ruleset/decoders" + rule_dir: "ruleset/rules" active_responses: - command: "firewall-drop" location: "all" @@ -97,6 +99,8 @@ wazuh: rules_id: "100205" repeated_offenders: "30,60,120" timeout: 3600 + authd: + enabled: false wazuh_manager_globals: - '1.1.1.1' agent_groups: [] # maps to `groups` string in agent config above diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml index eac0a4a45..0d950c9cb 100644 --- a/roles/debian/wazuh/tasks/main.yml +++ b/roles/debian/wazuh/tasks/main.yml 
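Review bot: the replacement rule block keeps only the `521`/`scantem` whitelist and adds a `5716` rule keyed on `1.1.1.1`, so every site-specific suppression in the removed lines goes away, including the `31108,31101` web-accesslog rule annotated "RCE attempt maybe" that carried `no_email_alert`; silencing an alert that is described as a possible RCE attempt was itself a poor trade, so not carrying that one forward is the safer outcome, but confirm the remaining noise suppressions were deliberately retired rather than lost in the rewrite. The `1.1.1.1` address in the new `5716` rule is the same placeholder that `wazuh_manager_globals` ships with in defaults/main.yml; the rule's level and action are not visible in this extraction, so make sure a real deployment overrides the address, otherwise the sshd authentication-failure rule is scoped to an address that is not one of yours.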
@@ -60,6 +60,7 @@ wazuh_manager_globals: "{{ wazuh.manager.wazuh_manager_globals }}" wazuh_manager_config: active_responses: "{{ wazuh.manager.wazuh_manager_config.active_responses }}" + authd: "{{ wazuh.manager.wazuh_manager_config.authd }}" wazuh_manager_email_level: "{{ wazuh.manager.wazuh_manager_email_level }}" wazuh_manager_extra_emails: "{{ wazuh.manager.wazuh_manager_extra_emails }}" wazuh_manager_reports: "{{ wazuh.manager.wazuh_manager_reports }}" From c35b2a62ac7b7437bd490b4b9b0b376c5f7989b2 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Tue, 5 Nov 2024 16:28:31 +0000 Subject: [PATCH 251/331] r70260-rkhunter-tested-good-tweaks (#2051) --- roles/debian/rkhunter/tasks/main.yml | 14 +++++++++++++- roles/debian/rkhunter/templates/rkhunter.conf.j2 | 7 ++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/roles/debian/rkhunter/tasks/main.yml b/roles/debian/rkhunter/tasks/main.yml index 336dcff92..9825b0606 100644 --- a/roles/debian/rkhunter/tasks/main.yml +++ b/roles/debian/rkhunter/tasks/main.yml @@ -7,6 +7,18 @@ cache_valid_time: 240 notify: Update rkhunter +- name: Check paths for script existence + ansible.builtin.stat: + path: "{{ item }}" + register: _rkhunter_existing_scripts_to_whitelist + loop: "{{ rkhunter.scriptwhitelist }}" + +- name: Filter existing scripts + set_fact: + existing_scripts: "{{ existing_scripts | default([]) + [item.item] }}" + when: item.stat.exists + loop: "{{ _rkhunter_existing_scripts_to_whitelist.results }}" + - name: Copy rkhunter configuration. ansible.builtin.template: src: rkhunter.conf.j2 @@ -30,4 +42,4 @@ _overrides: "{{ rkhunter.overrides }}" when: - rkhunter.overrides is defined - - rkhunter.overrides | length > 0 \ No newline at end of file + - rkhunter.overrides | length > 0 diff --git a/roles/debian/rkhunter/templates/rkhunter.conf.j2 b/roles/debian/rkhunter/templates/rkhunter.conf.j2 index 3ab3f73c6..b9e3468a7 100644 
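Review bot: `decoder_dir` and `rule_dir` are added under `wazuh_manager_config` in defaults/main.yml, but the tasks/main.yml hunk only passes `active_responses` and the new `authd` key through to `wazuh_manager_config`, so the two directory settings are never handed to the underlying role and look configurable when they are ignored; either add `decoder_dir: "{{ wazuh.manager.wazuh_manager_config.decoder_dir }}"` and the matching `rule_dir` line next to `authd`, or drop them from defaults. `authd` is the manager's agent registration service, so a comment next to `enabled: false` saying that agents then need another enrolment path would save the next reader a trip to the Wazuh docs.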
--- a/roles/debian/rkhunter/templates/rkhunter.conf.j2 +++ b/roles/debian/rkhunter/templates/rkhunter.conf.j2 @@ -585,9 +585,11 @@ PKGMGR={{ rkhunter.os_package_manager }} # # The default value is the null string. # -{% for item in rkhunter.scriptwhitelist %} +{% if existing_scripts is defined and existing_scripts | length > 0 %} +{% for item in existing_scripts %} SCRIPTWHITELIST={{ item }} {% endfor %} +{% endif %} # # Allow the specified file to have the immutable attribute set. @@ -935,6 +937,9 @@ SUSPSCAN_THRESH={{ rkhunter.supscan_threshold }} # #PORT_WHITELIST="" #PORT_PATH_WHITELIST="" +{% for item in rkhunter.portpathwhitelist %} +PORT_PATH_WHITELIST={{ item }} +{% endfor %} # # The following option can be used to tell rkhunter where the operating system From ad461b82b95c0be7efd7110c451feb67849c7b37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 6 Nov 2024 09:45:36 +0100 Subject: [PATCH 252/331] Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar --- roles/debian/ssl/tasks/letsencrypt.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml index ae30d4705..f731b1034 100644 --- a/roles/debian/ssl/tasks/letsencrypt.yml +++ b/roles/debian/ssl/tasks/letsencrypt.yml @@ -134,7 +134,7 @@ - name: Build timer variables with dynamic key. ansible.builtin.set_fact: - _certbot_renewal_timer: "{'certbot_renewal_{{ ssl_facts[_ssl_domains[0]].domain | regex_replace('\\.', '_') }}':{'timer_command':'/usr/local/bin/le_cron_{{ ssl_facts[_ssl_domains[0]].domain | regex_replace('\\.', '_') }}.sh','timer_OnCalendar':'{{ ssl.on_calendar }}'}}" + _certbot_renewal_timer: "{'certbot_renewal':{'timer_command':'/usr/local/bin/le_cron.sh','timer_OnCalendar':'{{ ssl.on_calendar }}'}}" when: ssl.autorenew - name: Create systemd timer for certificate renewal. 
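Review bot: in the tasks/main.yml hunk the new `Filter existing scripts` task uses a bare `set_fact` while every other task in the role uses the `ansible.builtin.` FQCN, and the fact `existing_scripts` carries no role prefix even though the registered result does (`_rkhunter_existing_scripts_to_whitelist`); because `set_fact` values persist for the host for the rest of the run, applying the role twice in one play keeps appending to the old list, so name it `_rkhunter_existing_scripts` and reset it to `[]` before the loop. In the template hunk the new `PORT_PATH_WHITELIST` loop iterates `rkhunter.portpathwhitelist` without a guard, and no defaults/main.yml change appears in this patch's file list, so the template fails on any inventory that has not defined the key; wrap it in the same `is defined and | length > 0` guard used for `SCRIPTWHITELIST` or add `| default([])`. Filtering the whitelist down to paths that exist is the right call, since rkhunter complains about whitelist entries whose path is missing, but emit a `debug` line for the skipped entries so a typo in an inventory path is noticed rather than silently dropped.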
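Review bot: collapsing `_certbot_renewal_timer` to the fixed key `certbot_renewal` and `/usr/local/bin/le_cron.sh` drops the per-domain suffix, but this patch changes only the `set_fact`; the task that writes the renewal script must now produce `/usr/local/bin/le_cron.sh` instead of `le_cron_<domain>.sh`, otherwise the timer points at a file that does not exist and renewals stop, with certificate expiry as the failure mode. Verify with `systemctl list-timers` after the first provision, and add a cleanup task for hosts that already carry a `certbot_renewal_<domain>` unit from the previous naming, since the new timer will not replace it.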
From 9b814810ba216f73b20763f901eb09f0d6ceba2a Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Thu, 7 Nov 2024 13:29:25 +0000 Subject: [PATCH 253/331] R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items --- roles/debian/rkhunter/tasks/main.yml | 12 ++++++++++++ roles/debian/rkhunter/templates/rkhunter.conf.j2 | 4 +++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/roles/debian/rkhunter/tasks/main.yml b/roles/debian/rkhunter/tasks/main.yml index 9825b0606..76942cca0 100644 --- a/roles/debian/rkhunter/tasks/main.yml +++ b/roles/debian/rkhunter/tasks/main.yml @@ -19,6 +19,18 @@ when: item.stat.exists loop: "{{ _rkhunter_existing_scripts_to_whitelist.results }}" +- name: Check paths for portpath existence + ansible.builtin.stat: + path: "{{ item.split(':')[0] }}" + register: _rkhunter_existing_portpaths_to_whitelist + loop: "{{ rkhunter.portpathwhitelist }}" + +- name: Filter existing portpath + set_fact: + existing_portpaths: "{{ existing_portpaths | default([]) + [item.item] }}" + when: item.stat.exists + loop: "{{ _rkhunter_existing_portpaths_to_whitelist.results }}" + - name: Copy rkhunter configuration. ansible.builtin.template: src: rkhunter.conf.j2 diff --git a/roles/debian/rkhunter/templates/rkhunter.conf.j2 b/roles/debian/rkhunter/templates/rkhunter.conf.j2 index b9e3468a7..8c69d3c1f 100644 --- a/roles/debian/rkhunter/templates/rkhunter.conf.j2 +++ b/roles/debian/rkhunter/templates/rkhunter.conf.j2 @@ -937,9 +937,11 @@ SUSPSCAN_THRESH={{ rkhunter.supscan_threshold }} # #PORT_WHITELIST="" #PORT_PATH_WHITELIST="" -{% for item in rkhunter.portpathwhitelist %} +{% if existing_portpaths is defined and existing_portpaths | length > 0 %} +{% for item in existing_portpaths %} PORT_PATH_WHITELIST={{ item }} {% endfor %} +{% endif %} # # The following option can be used to tell rkhunter where the operating system 
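Review bot: `item.split(':')[0]` in the new `Check paths for portpath existence` task assumes every `rkhunter.portpathwhitelist` entry has rkhunter's `path:protocol:port` shape; an entry without a colon still works because `split` returns the whole string, but an empty string or a leading space makes `stat` look at the wrong path and the entry is silently dropped, so an `ansible.builtin.assert` on the format before the loop would surface misconfiguration. The same naming concern as the script whitelist applies: `existing_portpaths` is an unprefixed `set_fact` that accumulates across repeated role runs; prefix it and reset it before the loop.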
From b39f21a63e1c970d8bb0520fe392d6dcc39e6873 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 7 Nov 2024 16:33:23 +0100 Subject: [PATCH 254/331] Updating-system-role-condition (#2056) --- roles/debian/system/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/system/tasks/main.yml b/roles/debian/system/tasks/main.yml index 6a8e3488e..f63dc3729 100644 --- a/roles/debian/system/tasks/main.yml +++ b/roles/debian/system/tasks/main.yml @@ -32,7 +32,7 @@ - name: Print if Hetzner Cloud server is detected. debug: msg: "This is a Hetzner Cloud server" - when: hetznercloudcheck.rc == 0 + when: hetznercloudcheck is defined and hetznercloudcheck.rc == 0 - name: Install dhcpcd. ansible.builtin.apt: From 28128ea9c9d0a8531491467d00dfc5116881f168 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 7 Nov 2024 17:06:45 +0100 Subject: [PATCH 255/331] Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 --- roles/debian/system/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/debian/system/tasks/main.yml b/roles/debian/system/tasks/main.yml index f63dc3729..0905bc805 100644 --- a/roles/debian/system/tasks/main.yml +++ b/roles/debian/system/tasks/main.yml @@ -32,7 +32,8 @@ - name: Print if Hetzner Cloud server is detected. debug: msg: "This is a Hetzner Cloud server" - when: hetznercloudcheck is defined and hetznercloudcheck.rc == 0 + when: hetznercloudcheck.rc == 0 + ignore_errors: true - name: Install dhcpcd. ansible.builtin.apt: From 237cec3e1338e35a3e11c372a6a49bd13145020a Mon Sep 17 00:00:00 2001 
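Review bot: the second hunk (#2059) replaces the `hetznercloudcheck is defined and` guard with `ignore_errors: true`, which changes the semantics rather than fixing them: on every non-Hetzner host an undefined `hetznercloudcheck` now produces a failed task that is then ignored, and any genuinely broken condition is hidden behind the same flag. The guard from #2056 was the right direction; note that when the check task is skipped its registered variable is still defined (with `skipped: true` and no `rc`), so the condition that covers both cases is `hetznercloudcheck.rc is defined and hetznercloudcheck.rc == 0`.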
From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Fri, 8 Nov 2024 09:38:35 +0000 Subject: [PATCH 256/331] r71121-tweak-nohetznerdhcp-condition (#2061) --- roles/debian/system/tasks/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/debian/system/tasks/main.yml b/roles/debian/system/tasks/main.yml index 0905bc805..a21dd24e4 100644 --- a/roles/debian/system/tasks/main.yml +++ b/roles/debian/system/tasks/main.yml @@ -32,8 +32,9 @@ - name: Print if Hetzner Cloud server is detected. debug: msg: "This is a Hetzner Cloud server" - when: hetznercloudcheck.rc == 0 - ignore_errors: true + when: + - system.nohetznerdhcp + - hetznercloudcheck.rc == 0 - name: Install dhcpcd. ansible.builtin.apt: From 92df478686422842b9c6ffb388dae9c93c756367 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Mon, 11 Nov 2024 11:04:38 +0100 Subject: [PATCH 257/331] Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar --- roles/aws/aws_acl/tasks/bot_control.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_acl/tasks/bot_control.yml b/roles/aws/aws_acl/tasks/bot_control.yml index 4e8044175..38f713387 100644 --- a/roles/aws/aws_acl/tasks/bot_control.yml +++ b/roles/aws/aws_acl/tasks/bot_control.yml @@ -71,7 +71,7 @@ inspection_level: "COMMON" - name: Define targeted actions rules - when: _acl.rules.botControl.target == "TARGETED" + when: _acl.rules.bot_control.target == "TARGETED" block: - name: Define targeted actions ansible.builtin.set_fact: From 6fe38000bc6f11d67c403ae629aca908411e52c7 Mon Sep 17 00:00:00 2001 
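Review bot: the list form `- system.nohetznerdhcp` followed by `- hetznercloudcheck.rc == 0` works because Ansible evaluates list conditionals in order and stops at the first false one, so `hetznercloudcheck.rc` is only dereferenced when the check ran; the registering task must therefore stay under the identical `system.nohetznerdhcp` condition, and a one-line comment saying the ordering is load-bearing would stop someone reordering the two clauses.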
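Review bot: `_acl.rules.bot_control.target` now matches the `bot_control:` key used in the aws_acl README, but the `when:` still dereferences `target` unconditionally; the README wording replaced later in #2089 told users to comment `target` out to avoid adding the rule, so either guard the condition with `_acl.rules.bot_control.target is defined and _acl.rules.bot_control.target == "TARGETED"` or make the docs state that `target` is mandatory whenever `bot_control.enabled` is true.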
From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Tue, 12 Nov 2024 13:23:32 +0200 Subject: [PATCH 258/331] R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 From 05baa414064e9ce654c77dc2f1a17f5c3a867ca2 Mon Sep 17 00:00:00 2001 From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Wed, 13 Nov 2024 13:49:01 +0200 Subject: [PATCH 259/331] Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 --- roles/debian/ce_deploy/meta/requirements-11.yml | 1 + roles/debian/ce_deploy/meta/requirements-12.yml | 1 + roles/debian/ce_provision/meta/requirements-11.yml | 1 + roles/debian/ce_provision/meta/requirements-12.yml | 1 + 4 files changed, 4 insertions(+) diff --git a/roles/debian/ce_deploy/meta/requirements-11.yml b/roles/debian/ce_deploy/meta/requirements-11.yml index af33d8492..a15dd2943 100644 --- a/roles/debian/ce_deploy/meta/requirements-11.yml +++ b/roles/debian/ce_deploy/meta/requirements-11.yml @@ -6,3 +6,4 @@ collections: - name: community.aws - name: ansible.posix - name: amazon.aws + version: "8.0.1" # ELB plugin broken since June diff --git a/roles/debian/ce_deploy/meta/requirements-12.yml b/roles/debian/ce_deploy/meta/requirements-12.yml index af33d8492..a15dd2943 100644 --- a/roles/debian/ce_deploy/meta/requirements-12.yml +++ b/roles/debian/ce_deploy/meta/requirements-12.yml @@ -6,3 +6,4 @@ collections: - name: community.aws - name: ansible.posix - name: amazon.aws + version: "8.0.1" # ELB plugin broken since June diff --git a/roles/debian/ce_provision/meta/requirements-11.yml b/roles/debian/ce_provision/meta/requirements-11.yml index 1e968332c..fabdb2ff2 100644 --- a/roles/debian/ce_provision/meta/requirements-11.yml +++ b/roles/debian/ce_provision/meta/requirements-11.yml 
@@ -8,6 +8,7 @@ collections: - name: community.general - name: community.postgresql - name: amazon.aws + version: "8.0.1" # ELB plugin broken since June roles: - name: geerlingguy.varnish diff --git a/roles/debian/ce_provision/meta/requirements-12.yml b/roles/debian/ce_provision/meta/requirements-12.yml index 1e968332c..fabdb2ff2 100644 --- a/roles/debian/ce_provision/meta/requirements-12.yml +++ b/roles/debian/ce_provision/meta/requirements-12.yml @@ -8,6 +8,7 @@ collections: - name: community.general - name: community.postgresql - name: amazon.aws + version: "8.0.1" # ELB plugin broken since June roles: - name: geerlingguy.varnish From a1bfc21598513acfc35edad3a0ab851e194990e7 Mon Sep 17 00:00:00 2001 From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Tue, 19 Nov 2024 12:18:54 +0200 Subject: [PATCH 260/331] r71171-efs-client-upgrade (#2079) --- roles/debian/aws_efs_client/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/aws_efs_client/defaults/main.yml b/roles/debian/aws_efs_client/defaults/main.yml index 7758d8820..9450c4ff7 100644 --- a/roles/debian/aws_efs_client/defaults/main.yml +++ b/roles/debian/aws_efs_client/defaults/main.yml @@ -4,7 +4,7 @@ _mount_state: present aws_efs_client: aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set - version: 1.35.0 # version of AWS EFS utils to use + version: 2.1.0 # version of AWS EFS utils to use build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb` deb_url: "" # provide an alternative location for the .deb package # See https://docs.ansible.com/ansible/latest/modules/mount_module.html From 57ce7c31abc35afab631516d5d3cbe7c70b5670c Mon Sep 17 00:00:00 2001 
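Review bot: pinning `amazon.aws` to `version: "8.0.1"` in all four requirements files is a reasonable workaround for the broken ELB module, but the comment `# ELB plugin broken since June` will age badly; reference the upstream issue that #2073's message already cites (https://github.com/ansible-collections/amazon.aws/issues/2376) so whoever bumps the pin knows what to re-test. An exact pin also freezes the collection's security fixes, so record when to re-evaluate it, and since the same edit had to be made four times, consider one shared requirements file to keep the pins from drifting apart.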
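Review bot: bumping `version` from 1.35.0 to 2.1.0 leaves the `build_suffix` comment example (`amazon-efs-utils-1.35.0-1_all.deb`) stale; update the example to match. A major-version jump of the EFS client is also the moment to confirm that the build dependencies the role installs are still sufficient for the 2.x package, and to note that existing mounts keep using the previously installed binary until they are remounted.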
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 21 Nov 2024 10:35:19 +0100 Subject: [PATCH 261/331] Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar --- roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index fdc8384c6..ed3474566 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml @@ -305,9 +305,9 @@ - aws_ec2_autoscale_cluster.type == "ec2" - aws_ec2_autoscale_cluster.deploy_cluster -- name: Create ami cleanup function - ansible.builtin.include_role: - name: aws/aws_ami_asg_cleanup +#- name: Create ami cleanup function +# ansible.builtin.include_role: +# name: aws/aws_ami_asg_cleanup - name: Gather IAM role info. amazon.aws.iam_role_info: From f757a6750d28d13c9d38b3eeb68de50f05c499bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 27 Nov 2024 11:20:26 +0100 Subject: [PATCH 262/331] Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_backup/tasks/resource.yml | 8 ++++---- .../templates/RDS_restore_testing.j2 | 2 +- roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml index a132a3c32..5343fca11 100644 --- a/roles/aws/aws_backup/tasks/resource.yml +++ b/roles/aws/aws_backup/tasks/resource.yml 
@@ -65,7 +65,7 @@ aws backup create-backup-selection --backup-plan-id {{ _backup_plan_info.stdout | from_json | json_query('BackupPlanId') }} --backup-selection "{\"SelectionName\":\"{{ backup.selection_name }}\",\"IamRoleArn\":\"{{ _iam_role_arn }}\",\"Resources\":[\"{{ _resource_arn }}\"]}" --region {{ _aws_region }} when: _selection_exists.stdout | length == 0 -#- name: Create restore testing plan. -# ansible.builtin.include_role: -# name: aws/aws_backup_validation -# tasks_from: testing_resources +- name: Create restore testing plan. + ansible.builtin.include_role: + name: aws/aws_backup_validation + tasks_from: testing_resources diff --git a/roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 b/roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 index 96343c090..c87d560e0 100644 --- a/roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 +++ b/roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 @@ -8,7 +8,7 @@ "ProtectedResourceType": "{{ _instance_type_restore }}", "RestoreMetadataOverrides": { "vpcSecurityGroupIds": "[\"{{ _restore_testing_sg.group_id }}\"]", - "dbsubnetgroupname": "{{ aws_vpc.name }}" + "dbsubnetgroupname": "{{ _aws_rds_rds_subnet_group.name }}" }, "RestoreTestingSelectionName": "{{ backup.selection_name | replace("-", "_") }}", "ValidationWindowHours": 1 diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index ed3474566..fdc8384c6 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml @@ -305,9 +305,9 @@ - aws_ec2_autoscale_cluster.type == "ec2" - aws_ec2_autoscale_cluster.deploy_cluster -#- name: Create ami cleanup function -# ansible.builtin.include_role: -# name: aws/aws_ami_asg_cleanup +- name: Create ami cleanup function + ansible.builtin.include_role: + name: aws/aws_ami_asg_cleanup - name: Gather IAM role info. amazon.aws.iam_role_info: 
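Review bot: #2083 disables the AMI cleanup by commenting out the `include_role`, and the `aws_ec2_autoscale_cluster/tasks/main.yml` hunk in #2087 uncomments it again a week later; toggling behaviour through commented-out tasks leaves no trace in inventory and cannot differ per environment, so guard the task with a variable such as `aws_ec2_autoscale_cluster.ami_cleanup | default(true)` instead. In the `RDS_restore_testing.j2` hunk, `_aws_rds_rds_subnet_group.name` replaces `aws_vpc.name`, which makes the restore-testing template depend on the RDS role having run earlier in the same play; assert the variable is defined before the `include_role` in `resource.yml` (which this same commit re-enables), otherwise the restore testing plan fails on an undefined variable instead of validating backups.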
From 08bc58b420751738611c09d0f677b1a5d6adac00 Mon Sep 17 00:00:00 2001 From: Klaus Purer Date: Wed, 27 Nov 2024 15:13:38 +0100 Subject: [PATCH 263/331] fix(debian/duplicity): Fix missing compilation dependencies (#2029) --- roles/debian/duplicity/tasks/main.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/roles/debian/duplicity/tasks/main.yml b/roles/debian/duplicity/tasks/main.yml index 2cab14487..4a06b5857 100644 --- a/roles/debian/duplicity/tasks/main.yml +++ b/roles/debian/duplicity/tasks/main.yml @@ -16,6 +16,13 @@ - pip3 failed_when: false # don't stop the build if there's no system pip +- name: Install compilation dependencies for duplicity. + ansible.builtin.apt: + pkg: + - gettext + - librsync-dev + - python3-dev + # Optionally set Python venv variables. - name: Override Python venv path if provided. ansible.builtin.set_fact: @@ -131,4 +138,4 @@ _overrides: "{{ duplicity.overrides }}" when: - duplicity.overrides is defined - - duplicity.overrides | length > 0 \ No newline at end of file + - duplicity.overrides | length > 0 From 7de64086559861e99e8837fd238329f9b2c02845 Mon Sep 17 00:00:00 2001 From: Klaus Purer Date: Wed, 27 Nov 2024 15:58:16 +0100 Subject: [PATCH 264/331] fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting --- docs/roles/debian/php-fpm.md | 5 ++++- roles/debian/php-fpm/defaults/main.yml | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md index 94a687ac4..1c6484680 100644 --- a/docs/roles/debian/php-fpm.md +++ b/docs/roles/debian/php-fpm.md 
@@ -20,7 +20,10 @@ php: pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning default_socket_timeout: 60 - max_children: 5 + # It is important to scale up processes on bigger servers, so that more + # requests can be handled. Double the number of vCPUs is a good default. + # Can be between 5 and 64. + max_children: "{{ [5, [ansible_facts.processor_vcpus * 2, 64] | min] | max }}" start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml index b6fea0c7d..bd11bd594 100644 --- a/roles/debian/php-fpm/defaults/main.yml +++ b/roles/debian/php-fpm/defaults/main.yml @@ -10,7 +10,10 @@ php: pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning default_socket_timeout: 60 - max_children: 5 + # It is important to scale up processes on bigger servers, so that more + # requests can be handled. Double the number of vCPUs is a good default. + # Can be between 5 and 64. + max_children: "{{ [5, [ansible_facts.processor_vcpus * 2, 64] | min] | max }}" start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 From 9666c52d3667c17520be5a4009c556891577406d Mon Sep 17 00:00:00 2001 
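Review bot: `max_children: "{{ [5, [ansible_facts.processor_vcpus * 2, 64] | min] | max }}"` evaluates to max(5, min(2 × vCPUs, 64)) as the comment says, but CPU count alone is a weak basis for `pm.max_children`: every worker holds its own PHP heap, so the real ceiling is available memory divided by the per-worker footprint, and a host with many vCPUs and little RAM would be given a pool it cannot feed; add that caveat to the comment and point users at overriding the value. `start_servers`, `min_spare_servers` and `max_spare_servers` stay at 2/1/3, which bound the idle workers under `pm: dynamic`, so on a 64-child pool they should scale as well (php-fpm refuses to start when `max_spare_servers` exceeds `max_children`, which these defaults avoid only because they are tiny). The expression also yields a string, which is fine inside a template but needs `| int` before any numeric comparison in a `when:`.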
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 28 Nov 2024 09:25:49 +0100 Subject: [PATCH 265/331] Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar --- docs/roles/aws/aws_acl.md | 73 ++++++++----------- docs/roles/debian/aws_efs_client.md | 2 +- docs/roles/debian/rkhunter.md | 1 + docs/roles/debian/system.md | 7 +- docs/roles/debian/wazuh.md | 4 + roles/aws/aws_acl/README.md | 73 ++++++++----------- .../templates/RDS_restore_testing.j2 | 2 +- roles/debian/aws_efs_client/README.md | 2 +- roles/debian/php-fpm/README.md | 5 +- roles/debian/rkhunter/README.md | 1 + roles/debian/system/README.md | 3 +- roles/debian/wazuh/README.md | 4 + 12 files changed, 88 insertions(+), 89 deletions(-) diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md index e51964ec5..18ee0bdaa 100644 --- a/docs/roles/aws/aws_acl.md +++ b/docs/roles/aws/aws_acl.md 
@@ -9,34 +9,24 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa ```yaml --- aws_acl: - - name: example_master_acl - description: "Master ACL for CF" + - name: "{{ _infra_name }}_main_acl" + description: "ACL rules from ce-provision-config" scope: CLOUDFRONT # Can be REGIONAL for ALBs region: "us-east-1" - tags: {} + tags: "{{ _aws_tags }}" rules: rate_limit: - value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking priority: 2 # can be float with 1 decimal place ip_sets: - - rule_name: "Allowed-ips" - set_name: "Office-IPs" - description: "List of IPs from office" + - rule_name: "Allowed-IPs-rule" + set_name: "Allowed-IPs-set" + description: "List of IPs from our VPNs - Ansible managed" action: allow - priority: 1 # can be float with 1 decimal place - list: [] # If the list is empty, ip set won't be recreated - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 - - rule_name: "Blocked-IPs" - set_name: "DDOS-list" - description: "List of IPs That were ddosing server" - action: block - priority: 0 - list: [] # If the list is empty, ip set won't be recreated - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 + priority: 1 + list: + - 3.11.82.252/32 # main VPN + - 159.100.242.248/32 # backup VPN, bastion2 country_codes: - name: "allowed-countries" action: allow 
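Review bot: the new `list:` entries place what the comments describe as the real main and backup VPN / bastion2 addresses (`3.11.82.252/32`, `159.100.242.248/32`) into `docs/roles/aws/aws_acl.md`, and the same hunk is repeated in `roles/aws/aws_acl/README.md`; documentation is the wrong home for live allow-list addresses, since it discloses infrastructure entry points and will drift from the real configuration, so keep RFC 5737 placeholders such as `203.0.113.10/32` in the example and leave real values in the private config repository. Removing the `Blocked-IPs` entry also drops the only illustration of `action: block`; keep one block example with placeholder addresses. `name: "{{ _infra_name }}_main_acl"` and `tags: "{{ _aws_tags }}"` now reference variables the document never defines, so a one-line note on where they come from would help.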
@@ -53,34 +43,35 @@ aws_acl: regular_rules: - name: allow_panels action: allow - statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + statements_type: "single" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements) priority: 4 statements: - - inspect: "UriPath" # Aslo supported: "SingleHeader" + - inspect: "UriPath" # Use: "SingleHeader" or "UriPath" position: "CONTAINS" string: "panels/ajax" text_trans: "NONE" - - name: block_bots - action: block - statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) - priority: 5 - statements: - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "spider" - text_trans: "LOWERCASE" - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "bot" - text_trans: "LOWERCASE" - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "crawl" - text_trans: "LOWERCASE" +# Example for multi header block +# - name: block_bots +# action: block +# statements_type: "or" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements) +# priority: 5 +# statements: +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "spider" +# text_trans: "LOWERCASE" +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "bot" +# text_trans: "LOWERCASE" +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "crawl" +# text_trans: "LOWERCASE" # Managed rules list bot_control: enabled: false - target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + target: "COMMON" # "COMMON" or "TARGETED" inspection level priority: 3 cyber_sec: enabled: false # Need to subscribe first in AWS 
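Review bot: commenting out the `block_bots` entry removes the only live documentation of `statements_type: "or"`; a commented YAML block is skipped by linters and awkward to copy, so keep the example active under its own heading or in a separate snippet. The `inspect` comment now reads `Use: "SingleHeader" or "UriPath"`, but none of the `SingleHeader` examples shows which header is inspected for the `spider`/`bot`/`crawl` matches, so document how the header is selected. The `target` comment no longer says the key may be omitted, which lines up with the unguarded `when:` in `bot_control.yml` from #2063; confirm that `target` is now mandatory whenever `bot_control.enabled` is true and say so explicitly.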
diff --git a/docs/roles/debian/aws_efs_client.md b/docs/roles/debian/aws_efs_client.md index 856fe71ca..0711f04d9 100644 --- a/docs/roles/debian/aws_efs_client.md +++ b/docs/roles/debian/aws_efs_client.md @@ -46,7 +46,7 @@ _mount_state: present aws_efs_client: aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set - version: 1.35.0 # version of AWS EFS utils to use + version: 2.1.0 # version of AWS EFS utils to use build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb` deb_url: "" # provide an alternative location for the .deb package # See https://docs.ansible.com/ansible/latest/modules/mount_module.html diff --git a/docs/roles/debian/rkhunter.md b/docs/roles/debian/rkhunter.md index 30cb22852..9dea50dcb 100644 --- a/docs/roles/debian/rkhunter.md +++ b/docs/roles/debian/rkhunter.md @@ -40,6 +40,7 @@ rkhunter: - /etc/.etckeeper allowdevfile: - /dev/shm/network/ifstate + allowipcproc: [] allow_system_remote_logging: "0" supscan_directories: "/tmp /var/tmp" supscan_maxsize: "10240000" diff --git a/docs/roles/debian/system.md b/docs/roles/debian/system.md index 7a7f31327..859989ea9 100644 --- a/docs/roles/debian/system.md +++ b/docs/roles/debian/system.md @@ -1,5 +1,10 @@ # System This role provides a means of applying system variables to servers. +Currently, the following entities can be managed with the role: + +- Force IPv4 (noipv6) +- Force Static IP configuration for Hetzner Cloud systems (nohetznerdhcp) + @@ -9,8 +14,8 @@ This role provides a means of applying system variables to servers. --- system: noipv6: false + nohetznerdhcp: false ``` -~~~ diff --git a/docs/roles/debian/wazuh.md b/docs/roles/debian/wazuh.md index c11fa68fe..9329a403c 100644 --- a/docs/roles/debian/wazuh.md +++ b/docs/roles/debian/wazuh.md 
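Review bot: the rkhunter.md hunk adds `allowipcproc: []` to the documented defaults, but this commit's file list touches only docs and READMEs for rkhunter, with no change to `roles/debian/rkhunter/defaults/main.yml` or the template, so the docs now advertise a key the role may not consume; confirm the role already reads `rkhunter.allowipcproc` or add the default and template loop alongside. In the system.md hunk the stray `~~~` after the fenced block is removed, which fixes the rendering, and the new bullet list naming `noipv6` and `nohetznerdhcp` is useful; a sentence saying that `nohetznerdhcp` also gates the Hetzner detection task (per #2061) would make the interaction visible to users.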
@@ -97,6 +97,8 @@ wazuh: wazuh_manager_log_level: 3 wazuh_manager_email_level: 12 wazuh_manager_config: + decoder_dir: "ruleset/decoders" + rule_dir: "ruleset/rules" active_responses: - command: "firewall-drop" location: "all" @@ -108,6 +110,8 @@ wazuh: rules_id: "100205" repeated_offenders: "30,60,120" timeout: 3600 + authd: + enabled: false wazuh_manager_globals: - '1.1.1.1' agent_groups: [] # maps to `groups` string in agent config above diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index e51964ec5..18ee0bdaa 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md 
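Review bot: the `wazuh` hunk adds `authd: enabled: false` as the default without documenting the consequence: with authd off, agents cannot enrol themselves, so every agent key has to be distributed by some other mechanism, and a sentence next to the key saying how the role expects that to happen (or why the conservative default is off) is needed. The new `decoder_dir: "ruleset/decoders"` and `rule_dir: "ruleset/rules"` values are relative paths; say which directory they are relative to so operators supplying custom rule directories do not point the manager at a path that does not exist.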
@@ -9,34 +9,24 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa ```yaml --- aws_acl: - - name: example_master_acl - description: "Master ACL for CF" + - name: "{{ _infra_name }}_main_acl" + description: "ACL rules from ce-provision-config" scope: CLOUDFRONT # Can be REGIONAL for ALBs region: "us-east-1" - tags: {} + tags: "{{ _aws_tags }}" rules: rate_limit: - value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking priority: 2 # can be float with 1 decimal place ip_sets: - - rule_name: "Allowed-ips" - set_name: "Office-IPs" - description: "List of IPs from office" + - rule_name: "Allowed-IPs-rule" + set_name: "Allowed-IPs-set" + description: "List of IPs from our VPNs - Ansible managed" action: allow - priority: 1 # can be float with 1 decimal place - list: [] # If the list is empty, ip set won't be recreated - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 - - rule_name: "Blocked-IPs" - set_name: "DDOS-list" - description: "List of IPs That were ddosing server" - action: block - priority: 0 - list: [] # If the list is empty, ip set won't be recreated - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 + priority: 1 + list: + - 3.11.82.252/32 # main VPN + - 159.100.242.248/32 # backup VPN, bastion2 country_codes: - name: "allowed-countries" action: allow 
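Review bot: the `ip_sets` hunk replaces placeholder lists with two concrete addresses (`3.11.82.252/32`, `159.100.242.248/32`) commented as the organisation's main VPN and backup VPN/bastion, in a role README; a public example should use documentation ranges and leave the real allow-list in ce-provision-config, both because it discloses infrastructure addresses and because anyone who copies the example as a starting point allow-lists someone else's VPN. The hunk also deletes the only example of an `action: block` ip set and the comment `If the list is empty, ip set won't be recreated`, so that behaviour is no longer documented; keep a commented block example and restore the comment. `rate_limit.value` moves from 200 to 600 with no rationale given.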
@@ -53,34 +43,35 @@ aws_acl: regular_rules: - name: allow_panels action: allow - statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + statements_type: "single" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements) priority: 4 statements: - - inspect: "UriPath" # Aslo supported: "SingleHeader" + - inspect: "UriPath" # Use: "SingleHeader" or "UriPath" position: "CONTAINS" string: "panels/ajax" text_trans: "NONE" - - name: block_bots - action: block - statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) - priority: 5 - statements: - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "spider" - text_trans: "LOWERCASE" - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "bot" - text_trans: "LOWERCASE" - - inspect: "SingleHeader" # Aslo supported: "SingleHeader" - position: "CONTAINS" - string: "crawl" - text_trans: "LOWERCASE" +# Example for multi header block +# - name: block_bots +# action: block +# statements_type: "or" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements) +# priority: 5 +# statements: +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "spider" +# text_trans: "LOWERCASE" +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "bot" +# text_trans: "LOWERCASE" +# - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath" +# position: "CONTAINS" +# string: "crawl" +# text_trans: "LOWERCASE" # Managed rules list bot_control: enabled: false - target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + target: "COMMON" # "COMMON" or "TARGETED" inspection level priority: 3 cyber_sec: enabled: false # Need to subscribe first in AWS 
diff --git a/roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 b/roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 index c87d560e0..1cb7e06f7 100644 --- a/roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 +++ b/roles/aws/aws_backup_validation/templates/RDS_restore_testing.j2 @@ -8,7 +8,7 @@ "ProtectedResourceType": "{{ _instance_type_restore }}", "RestoreMetadataOverrides": { "vpcSecurityGroupIds": "[\"{{ _restore_testing_sg.group_id }}\"]", - "dbsubnetgroupname": "{{ _aws_rds_rds_subnet_group.name }}" + "dbsubnetgroupname": "{{ aws_rds.name }}" }, "RestoreTestingSelectionName": "{{ backup.selection_name | replace("-", "_") }}", "ValidationWindowHours": 1 diff --git a/roles/debian/aws_efs_client/README.md b/roles/debian/aws_efs_client/README.md index 856fe71ca..0711f04d9 100644 --- a/roles/debian/aws_efs_client/README.md +++ b/roles/debian/aws_efs_client/README.md @@ -46,7 +46,7 @@ _mount_state: present aws_efs_client: aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set - version: 1.35.0 # version of AWS EFS utils to use + version: 2.1.0 # version of AWS EFS utils to use build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb` deb_url: "" # provide an alternative location for the .deb package # See https://docs.ansible.com/ansible/latest/modules/mount_module.html diff --git a/roles/debian/php-fpm/README.md b/roles/debian/php-fpm/README.md index 94a687ac4..1c6484680 100644 --- a/roles/debian/php-fpm/README.md +++ b/roles/debian/php-fpm/README.md 
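Review bot: in the `RDS_restore_testing.j2` hunk `dbsubnetgroupname` now takes `{{ aws_rds.name }}`, the RDS instance name, where it previously took the subnet group's own name from `_aws_rds_rds_subnet_group.name`; this is only right if the role always creates the subnet group under the same name as the instance. If that convention is not guaranteed, the restore-testing selection references a subnet group that does not exist and the restore test fails at selection time. Either document the naming convention where `aws_rds` is defined or keep a dedicated subnet-group variable.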
@@ -20,7 +20,10 @@ php: pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning default_socket_timeout: 60 - max_children: 5 + # It is important to scale up processes on bigger servers, so that more + # requests can be handled. Double the number of vCPUs is a good default. + # Can be between 5 and 64. + max_children: "{{ [5, [ansible_facts.processor_vcpus * 2, 64] | min] | max }}" start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 diff --git a/roles/debian/rkhunter/README.md b/roles/debian/rkhunter/README.md index 30cb22852..9dea50dcb 100644 --- a/roles/debian/rkhunter/README.md +++ b/roles/debian/rkhunter/README.md @@ -40,6 +40,7 @@ rkhunter: - /etc/.etckeeper allowdevfile: - /dev/shm/network/ifstate + allowipcproc: [] allow_system_remote_logging: "0" supscan_directories: "/tmp /var/tmp" supscan_maxsize: "10240000" diff --git a/roles/debian/system/README.md b/roles/debian/system/README.md index b2c326095..859989ea9 100644 --- a/roles/debian/system/README.md +++ b/roles/debian/system/README.md @@ -14,9 +14,8 @@ Currently, the following entities can be managed with the role: --- system: noipv6: false - nohetznerchdp: false + nohetznerdhcp: false ``` - diff --git a/roles/debian/wazuh/README.md b/roles/debian/wazuh/README.md index c11fa68fe..9329a403c 100644 --- a/roles/debian/wazuh/README.md +++ b/roles/debian/wazuh/README.md @@ -97,6 +97,8 @@ wazuh: wazuh_manager_log_level: 3 wazuh_manager_email_level: 12 wazuh_manager_config: + decoder_dir: "ruleset/decoders" + rule_dir: "ruleset/rules" active_responses: - command: "firewall-drop" location: "all" @@ -108,6 +110,8 @@ wazuh: rules_id: "100205" repeated_offenders: "30,60,120" timeout: 3600 + authd: + enabled: false wazuh_manager_globals: - '1.1.1.1' agent_groups: [] # maps to `groups` string in agent config above 
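Review bot: the `php-fpm` hunk's `max_children` default `{{ [5, [ansible_facts.processor_vcpus * 2, 64] | min] | max }}` clamps to the 5..64 range correctly, but it depends on `ansible_facts.processor_vcpus` being present; with `gather_facts: false`, a gather subset that excludes hardware facts, or a container runtime that does not expose CPU facts, templating fails on an undefined variable instead of falling back. Use `(ansible_facts.processor_vcpus | default(2)) * 2` or similar so the role still renders a sane pool size, and note in the comment that the templated result is a string, which is fine for the FPM config file but matters if anything compares it numerically.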
From 52e90200df216e7576309c83dcfa0a1adef05713 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 3 Dec 2024 10:10:39 +0100 Subject: [PATCH 266/331] Updating-postfix-default-transport-maps (#2092) --- roles/debian/postfix/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/postfix/defaults/main.yml b/roles/debian/postfix/defaults/main.yml index fb00787d3..2da66c0c1 100644 --- a/roles/debian/postfix/defaults/main.yml +++ b/roles/debian/postfix/defaults/main.yml @@ -12,7 +12,7 @@ postfix: protocols: all relayhost: "" transport_maps: # see Postfix manual examples - https://www.postfix.org/transport.5.html - - "* discard :" + - "* discard" use_dkim: false # AWS SES config - to authenticate with an IAM user see https://docs.aws.amazon.com/ses/latest/dg/smtp-credentials.html use_ses: false From b66c48405f8dc26a90a728b0ef3be614f36f641c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 4 Dec 2024 16:59:08 +0100 Subject: [PATCH 267/331] Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar --- docs/roles/debian/postfix.md | 2 +- .../aws/aws_backup_validation/tasks/main.yml | 55 +++++++- .../templates/EC2_validation.py.j2 | 30 +--- .../templates/RDS_validation.py.j2 | 30 +--- .../templates/validation_report.j2 | 128 ++++++++++++++++++ roles/debian/postfix/README.md | 2 +- 6 files changed, 185 insertions(+), 62 deletions(-) create mode 100644 roles/aws/aws_backup_validation/templates/validation_report.j2 diff --git a/docs/roles/debian/postfix.md b/docs/roles/debian/postfix.md index afd84b496..7f24ebb64 100644 --- a/docs/roles/debian/postfix.md 
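Review bot: `- "* discard"` in the `postfix` defaults hunk is the correct transport(5) form (the old `* discard :` carried a stray space before the optional nexthop separator), but the default it expresses is that every message is silently dropped, since `*` matches all domains, and the inline comment only points at the manual. State explicitly next to the key that the default discards all outbound mail and that `transport_maps` must be overridden (or `relayhost` set) on any host expected to deliver, so that a missing alert is not mistaken for a working mail path.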
+++ b/docs/roles/debian/postfix.md @@ -23,7 +23,7 @@ postfix: protocols: all relayhost: "" transport_maps: # see Postfix manual examples - https://www.postfix.org/transport.5.html - - "* discard :" + - "* discard" use_dkim: false # AWS SES config - to authenticate with an IAM user see https://docs.aws.amazon.com/ses/latest/dg/smtp-credentials.html use_ses: false diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index 82bc27744..ecb9f5828 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml @@ -43,18 +43,28 @@ - name: Clean and set python functions block: - - name: Check and clean any previous Lambda files + - name: Check and clean any previous backup validation files ansible.builtin.file: path: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py" state: absent loop: "{{ aws_backup_validation.resources }}" + - name: Check and clean any previous validation report files + ansible.builtin.file: + path: "{{ _ce_provision_build_dir }}/validation_report.py" + state: absent + - name: Write Lambda functions ansible.builtin.template: src: "{{ item }}_validation.py.j2" dest: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py" loop: "{{ aws_backup_validation.resources }}" + - name: Write validation report functions + ansible.builtin.template: + src: "validation_report.j2" + dest: "{{ _ce_provision_build_dir }}/validation_report.py" + - name: Create a zip archive of Lambda functions community.general.archive: path: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py" 
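Review bot: the new template is named `validation_report.j2` while the sibling templates in the same hunk follow `{{ item }}_validation.py.j2`; rename it `validation_report.py.j2` so the rendered file type is visible and the naming stays consistent. Style only; the clean/write/archive sequence mirrors the existing per-resource steps correctly.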
@@ -62,6 +72,12 @@ format: zip loop: "{{ aws_backup_validation.resources }}" + - name: Create a zip archive of validation report + community.general.archive: + path: "{{ _ce_provision_build_dir }}/validation_report.py" + dest: "{{ _ce_provision_build_dir }}/validation_report.zip" + format: zip + - name: Create Lambda functions amazon.aws.lambda: name: "{{ aws_backup_validation.name }}_{{ item }}" @@ -78,11 +94,25 @@ register: _lambda_functions loop: "{{ aws_backup_validation.resources }}" +- name: Create validation report functions + amazon.aws.lambda: + name: "validation_report" + description: "Function that will send report about previous validations" + region: "{{ _aws_region }}" + timeout: 30 + zip_file: "{{ _ce_provision_build_dir }}/validation_report.zip" + state: present + runtime: "{{ aws_backup_validation.runtime }}" + role: "{{ _created_iam_lambda_role.iam_role.arn }}" + handler: "validation_report.{{ aws_backup_validation.handler }}" + register: _validation_report + - name: Remove non UTF-8 item ansible.builtin.set_fact: _lambda_functions: "{{ _lambda_functions | ansible.utils.remove_keys(target=['ZipFile', 'location', 'item.invocation']) }}" + _validation_report: "{{ _validation_report | ansible.utils.remove_keys(target=['ZipFile', 'location', 'item.invocation']) }}" -- name: Create EventBridge +- name: Create EventBridge for validations amazon.aws.cloudwatchevent_rule: name: "{{ item.configuration.function_name }}" description: "{{ item.configuration.description }}" 
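Review bot: in the `Create validation report functions` task the Lambda `name` is the literal `validation_report`, whereas the validation functions created just above are namespaced as `{{ aws_backup_validation.name }}_{{ item }}`; two deployments sharing an account and region (two environments, say) will overwrite one function. Use `{{ aws_backup_validation.name }}_validation_report`, and the same value in the `lambda_policy` task later in this patch that references `function_name: "validation_report"`. A fixed `timeout: 30` is also tight for a function that calls `describe_images`/`describe_db_snapshots` once per completed restore job; consider the timeout the per-resource functions use.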
@@ -95,6 +125,17 @@ register: _event_bridges loop: "{{ _lambda_functions.results }}" +- name: Create schedule for validation reports + amazon.aws.cloudwatchevent_rule: + name: validation_report + schedule_expression: "cron(0 0 ? * MON *)" + description: Run validation reporting + region: "{{ _aws_region }}" + targets: + - id: validation_report + arn: "{{ (_validation_report.configuration.function_arn.split(':') | map('trim'))[:-1] | join(':') }}" # Remove the version number from ARN + register: _validation_event + - name: Generate unique string ansible.builtin.set_fact: _rand_str: "{{ lookup('community.general.random_string', length=8, special=false, min_lower=2, min_numeric=2, min_upper=2) }}" @@ -109,3 +150,13 @@ source_arn: "{{ item.rule.arn }}" region: "{{ _aws_region }}" loop: "{{ _event_bridges.results }}" + +- name: Update lambda validation report policy + amazon.aws.lambda_policy: + state: present + function_name: "validation_report" + statement_id: "{{ _validation_report.configuration.function_name }}_{{ _rand_str }}" + action: lambda:InvokeFunction + principal: events.amazonaws.com + source_arn: "{{ _validation_event.rule.arn }}" + region: "{{ _aws_region }}" diff --git a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 index 1b1ace841..70b0963b7 100644 --- a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 +++ b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 @@ -15,7 +15,6 @@ ses_cli = boto3.client('ses', region_name="{{ _aws_region }}") def lambda_handler(event, context): - mail_title = "" mail_body = "" print("Gathering instance id.") 
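Review bot: the `Create schedule for validation reports` target ARN is built by dropping the last `:`-separated segment of `function_arn` (`split(':')[:-1] | join(':')`), which is only correct when `amazon.aws.lambda` returns a version-qualified ARN (`...:function:name:1`); for an unqualified ARN (`...:function:name`) the same expression drops the function name and EventBridge gets an invalid target. Strip only a trailing version qualifier (a regex on `:\d+$` or `:\$LATEST$`) rather than blindly removing the last segment. Separately, the `Update lambda validation report policy` task uses the per-run `_rand_str` in `statement_id`, so every run adds a new statement to the function's resource policy and none is ever removed; the existing per-resource task has the same pattern, but for one fixed function a stable id such as `validation_report_eventbridge` keeps the policy from growing and lets `state: absent` target it.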
@@ -87,12 +86,10 @@ def lambda_handler(event, context): ) print(c_res['StandardOutputContent']) - mail_title = "Success: " + instance_name instance_message = "Instance " + instance_name + " - " + ec2_instance_id + " was restored.\n" mail_body = mail_body + "SSM is working and these are the details of the instance:\n" + c_res['StandardOutputContent'] else: - mail_title = "Warning: " + instance_name mail_body = mail_body + "SSM is not configured or accessible!\n" print("Validating Restore job!") @@ -110,34 +107,9 @@ def lambda_handler(event, context): ValidationStatusMessage="" ) - mail_title = "Failed!" mail_body = mail_body + "Instance " + ec2_instance_id + " is not running!" - print("Sending email!") - response = ses_cli.send_email( - Destination={ - 'BccAddresses': [ - ], - 'CcAddresses': [], - 'ToAddresses': [ - 'sysadm@codeenigma.com' - ], - }, - Message={ - 'Body': { - 'Text': { - 'Charset': 'UTF-8', - 'Data': mail_body, - }, - }, - 'Subject': { - 'Charset': 'UTF-8', - 'Data': 'Lambda Backup validation: ' + mail_title, - }, - }, - # Need to replace "codeenigma.net" with _verified_domain variable - Source='Lambda Backup Validation ', - ) + print(instance_message + mail_body) return { 'statusCode': 200, diff --git a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 index 776ea5030..a5c2daab3 100644 --- a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 +++ b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 @@ -16,7 +16,6 @@ ses_cli = boto3.client('ses', region_name="{{ _aws_region }}") def lambda_handler(event, context): - mail_title = "" mail_body = "" print("Gathering instance id.") 
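Review bot: in the `EC2_validation.py.j2` hunk the final `print(instance_message + mail_body)` reads `instance_message`, but within the visible lines that variable is only assigned in the SSM-success branch; unless it is initialised earlier in the handler (not shown in this hunk), the `SSM is not configured or accessible!` path now raises `UnboundLocalError` where it previously still produced a warning. Initialise it next to `mail_body = ""`. The module-level `ses_cli = boto3.client('ses', ...)` visible in the hunk header is also unused in this file now that sending moved to the report function; drop it.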
@@ -79,7 +78,6 @@ def lambda_handler(event, context): ) print(c_res['StandardOutputContent']) - mail_title = "Success: " + ec2_with_access instance_message = "RDS instance " + ec2_with_access + " was restored.\n" conn_message = "Able to get information from " + new_endpoint + ":\n" mail_body=instance_message + conn_message + c_res['StandardOutputContent'] @@ -91,33 +89,7 @@ def lambda_handler(event, context): ValidationStatusMessage="" ) - print("Sending email!") - response = ses_cli.send_email( - Destination={ - 'BccAddresses': [ - ], - 'CcAddresses': [], - 'ToAddresses': [ - 'sysadm@codeenigma.com' - ], - }, - Message={ - 'Body': { - 'Text': { - 'Charset': 'UTF-8', - 'Data': mail_body, - }, - }, - 'Subject': { - 'Charset': 'UTF-8', - 'Data': 'Lambda Backup validation: ' + mail_title, - }, - }, - # Need to replace "codeenigma.net" with _verified_domain variable - Source='Lambda Backup Validation ', - ) - - print(json.dumps(event)) + print(mail_body) return { 'statusCode': 200, diff --git a/roles/aws/aws_backup_validation/templates/validation_report.j2 b/roles/aws/aws_backup_validation/templates/validation_report.j2 new file mode 100644 index 000000000..ace8a7f9b --- /dev/null +++ b/roles/aws/aws_backup_validation/templates/validation_report.j2 
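Review bot: `RDS_validation.py.j2` keeps the module-level `ses_cli = boto3.client('ses', ...)` shown in the hunk header although this hunk removes its only caller, and `print(json.dumps(event))` was likely the only use of `json`; remove the dead client and import so the function no longer looks as if it needs SES permissions.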
@@ -0,0 +1,128 @@ +import json +import boto3 +import socket +import time +import datetime + +# Defining Clients +backup_cli = boto3.client('backup', region_name="{{ _aws_region }}") +ses_cli = boto3.client('ses', region_name="{{ _aws_region }}") +ec2_cli = boto3.client('ec2', region_name="{{ _aws_region }}") +rds_cli = boto3.client('rds', region_name="{{ _aws_region }}") + +mail_title = "" +mail_body = "" + +# Debugger +#boto3.set_stream_logger('') + +def set_mail_body(success_restore, inst, instance_name, ami_id): + global mail_body + if success_restore: + mail_body+=instance_name + " was restored successfully from " + ami_id + ", " + else: + mail_body+=instance_name + " failed to restore from " + ami_id + ", " + + if inst['ValidationStatus'] == "SUCCESSFUL": + mail_body+= "and validation was successful! \n" + elif inst['ValidationStatus'] == "FAILED": + failed_validation=True + mail_body+= "but validation has failed with following message: \n" + mail_body+= inst['ValidationStatusMessage'] + elif inst['ValidationStatus'] == "TIMED_OUT": + failed_validation=True + mail_body+= "but validation timed out. \n" + else: + failed_validation=True + mail_body+="with unknown validation failure! 
\n" + +def lambda_handler(event, context): + instance_name = "" + success_restore = False + failed_validation = False + global mail_body + last_restore_valdation_date = (datetime.datetime.now() - datetime.timedelta(days=1)).strftime('%Y-%m-%d') + + print("Getting list of successful restoration.") + completed_jobs = backup_cli.list_restore_jobs( + ByCreatedAfter=last_restore_valdation_date, + ByStatus='COMPLETED' + ) + + print("Getting instance details.") + for inst in completed_jobs['RestoreJobs']: + success_restore = True + print("Getting instance arn.") + ami_arn = inst['RecoveryPointArn'].split(':')[2] + + if ami_arn == 'ec2': + ami_id = inst['RecoveryPointArn'].split('/')[-1] + instance_details = ec2_cli.describe_images( + ImageIds=[ami_id] + ) + for tag in instance_details['Images'][0]['Tags']: + if tag['Key'] == 'Name': + instance_name = tag['Value'] + + elif ami_arn == 'rds': + ami_id = inst['RecoveryPointArn'].split('snapshot:')[-1] + instance_details = rds_cli.describe_db_snapshots( + DBSnapshotIdentifier=ami_id + ) + print(instance_details) + for tag in instance_details['DBSnapshots'][0]['TagList']: + if tag['Key'] == 'Name': + instance_name = tag['Value'] + + else: + ami_id = 'Probably EFS' + instance_name = 'latest snapshot' + + set_mail_body(success_restore, inst, instance_name, ami_id) + + print(mail_body) + + failed_jobs = backup_cli.list_restore_jobs( + ByCreatedAfter=last_restore_valdation_date, + ByStatus='FAILED' + ) + + if len(failed_jobs['RestoreJobs']) > 0: + mail_title = "Failed!" + else: + mail_title = "Success!" 
+ print("Successful restore jobs:") + print(completed_jobs['RestoreJobs']) + + print("Failed restore jobs:") + print(failed_jobs['RestoreJobs']) + + print("Sending email!") + response = ses_cli.send_email( + Destination={ + 'BccAddresses': [ + ], + 'CcAddresses': [], + 'ToAddresses': [ + 'sysadm@codeenigma.com' + ], + }, + Message={ + 'Body': { + 'Text': { + 'Charset': 'UTF-8', + 'Data': mail_body, + }, + }, + 'Subject': { + 'Charset': 'UTF-8', + 'Data': 'Lambda Backup validation: ' + mail_title, + }, + }, + Source='Lambda Backup Validation ', + ) + + return { + 'statusCode': 200, + 'body': event + } diff --git a/roles/debian/postfix/README.md b/roles/debian/postfix/README.md index afd84b496..7f24ebb64 100644 --- a/roles/debian/postfix/README.md +++ b/roles/debian/postfix/README.md @@ -23,7 +23,7 @@ postfix: protocols: all relayhost: "" transport_maps: # see Postfix manual examples - https://www.postfix.org/transport.5.html - - "* discard :" + - "* discard" use_dkim: false # AWS SES config - to authenticate with an IAM user see https://docs.aws.amazon.com/ses/latest/dg/smtp-credentials.html use_ses: false From 3ea00faa689b7d83e4a2b81b725168772e6b8ade Mon Sep 17 00:00:00 2001 
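Review bot: `validation_report.j2` keeps `mail_body` as a module-level global that `set_mail_body` appends to and `lambda_handler` never resets, so on a warm Lambda container the second and later invocations send the earlier reports concatenated with the new one; reset it at the top of the handler or build the body locally. `failed_validation=True` inside `set_mail_body` assigns a function-local that is never read, and the `failed_validation` in `lambda_handler` is a different variable, so `mail_title` is `Failed!` only when a restore job itself failed, never when a restore completed but its validation was `FAILED` or `TIMED_OUT`; return a flag from `set_mail_body` and fold it into the title. `success_restore = True` is set unconditionally in the loop over `ByStatus='COMPLETED'` jobs, so the failure branch of `set_mail_body` is unreachable. In the `ec2` branch `instance_details['Images'][0]['Tags']` raises `KeyError` for an untagged AMI (use `.get('Tags', [])`), and `instance_name` is initialised once before the loop, so a resource without a `Name` tag inherits the previous job's name. `list_restore_jobs` is paginated and only the first page is read. The recipient `sysadm@codeenigma.com` and the `Source` address are hard-coded again, which the deleted code's own comment had flagged; make them role variables alongside `{{ _aws_region }}`. `socket` and `time` are unused imports.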
From: Greg Harvey Date: Wed, 4 Dec 2024 19:22:11 +0100 Subject: [PATCH 268/331] Bug fixes 2.x pr 2.x (#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. 
* Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. --- .github/workflows/ce-provision-test-web.yml | 8 ++++---- ce-dev/ansible/plays/_common/setup.yml | 20 +++++++++++++++++++ ce-dev/ansible/test.sh | 12 +++++++---- .../ansible/vars/provision/ce_provision.yml | 2 +- ce-dev/ansible/vars/web/php.yml | 5 ++++- ce-dev/ce-dev.compose.yml | 6 ++++++ docs/roles/debian/php-fpm.md | 2 +- .../debian/php-common/templates/sury.pref.j2 | 2 +- roles/debian/php-fpm/README.md | 2 +- roles/debian/php-fpm/defaults/main.yml | 2 +- scripts/_common.sh | 15 ++++++++++++-- 11 files changed, 60 insertions(+), 16 deletions(-) create mode 100644 ce-dev/ansible/plays/_common/setup.yml diff --git a/.github/workflows/ce-provision-test-web.yml b/.github/workflows/ce-provision-test-web.yml index 55a6942f4..e78a140d0 100644 --- a/.github/workflows/ce-provision-test-web.yml +++ b/.github/workflows/ce-provision-test-web.yml @@ -10,7 +10,7 @@ jobs: # Name the Job name: Run tests against Ansible code base # Set the type of machine to run on - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: # Checks out a copy of your repository on the ubuntu-latest machine 
@@ -31,12 +31,12 @@ jobs: sudo mv ./mkcert /usr/local/bin && cd ../ sudo chmod +x /usr/local/bin/mkcert rm -Rf mkcert - curl -sL https://raw.githubusercontent.com/codeenigma/ce-dev/1.x/install.sh | /bin/sh -s -- linux + curl -sL https://raw.githubusercontent.com/codeenigma/ce-dev/${{ github.event.pull_request.base.ref }}/install.sh | /bin/sh -s -- --platform linux # Uses the ce-dev stack to run a test provision - name: Run a test provision if: ${{ github.event.pull_request.head.ref != 'documentation' }} run: | - git clone --branch 1.x https://github.com/codeenigma/ce-dev-ce-provision-config.git config - /bin/bash ce-dev/ansible/test.sh --examples web --own-branch ${{ github.event.pull_request.base.ref }} --config-branch ${{ github.event.pull_request.base.ref }} + git clone --branch ${{ github.event.pull_request.base.ref }} https://github.com/codeenigma/ce-dev-ce-provision-config.git config + /bin/bash ce-dev/ansible/test.sh --examples web --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} shell: bash diff --git a/ce-dev/ansible/plays/_common/setup.yml b/ce-dev/ansible/plays/_common/setup.yml new file mode 100644 index 000000000..59135624b --- /dev/null +++ b/ce-dev/ansible/plays/_common/setup.yml @@ -0,0 +1,20 @@ +--- +# Run the _init role to correctly install Ansible first. +- hosts: provision-target + become: true + + vars: + project_name: blank + is_local: true + _ce_provision_base_dir: /home/ce-dev/ce-provision + _init: + force_play: true + vars_dirs: + - "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/_common" + - "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/{{ project_name }}" + + tasks: + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: _exit diff --git a/ce-dev/ansible/test.sh b/ce-dev/ansible/test.sh index 61124de0a..ebf637089 100755 --- a/ce-dev/ansible/test.sh +++ b/ce-dev/ansible/test.sh 
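Review bot: in the workflow hunk `--own-branch ${{ github.event.pull_request.head.ref }}` interpolates the PR's head branch name directly into a `run:` shell script; that name is chosen by whoever opens the pull request and may contain shell metacharacters, which is the standard GitHub Actions script-injection pattern. Pass it through `env:` (for example `HEAD_REF: ${{ github.event.pull_request.head.ref }}`) and reference `"$HEAD_REF"` quoted in the script; do the same for `base.ref`, though that one is maintainer-controlled. The `curl -sL .../${{ github.event.pull_request.base.ref }}/install.sh | /bin/sh` line runs an installer fetched from a mutable branch with no commit pin or checksum, so the job's behaviour changes whenever that branch moves; pin to a commit SHA or verify a checksum before executing. In `setup.yml` the `_ce_provision_base_dir: /home/ce-dev/ce-provision` path is also hard-coded in `test.sh`; one source for it would avoid drift.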
@@ -94,15 +94,19 @@ provision-target provision-privileged EOT PROVISION_CMD="/bin/sh /home/ce-dev/ce-provision/scripts/provision.sh" - echo "# Executing $1 project" - PROVISION_CMD="$PROVISION_CMD --repo dummy --branch dummy --workspace /home/ce-dev/ce-provision/ce-dev/ansible --playbook plays/$1/$1.yml --own-branch $2 --config-branch $3 --force" if [ $VERBOSE = true ]; then echo "# In verbose mode" PROVISION_CMD="$PROVISION_CMD --verbose" fi - echo "# Running command: $PROVISION_CMD" + echo "# Executing $1 project" + PROVISION_EXEC="$PROVISION_CMD --repo dummy --branch dummy --workspace /home/ce-dev/ce-provision/ce-dev/ansible --playbook plays/_common/setup.yml --own-branch $2 --config-branch $3 --force" + echo "# Installing Ansible in a venv: $PROVISION_EXEC" + # shellcheck disable=SC2086 + sudo docker exec -t --workdir /home/ce-dev/ce-provision --user ce-dev provision-controller $PROVISION_EXEC + PROVISION_EXEC="$PROVISION_CMD --python-interpreter /home/ce-dev/ce-python/bin/python3 --repo dummy --branch dummy --workspace /home/ce-dev/ce-provision/ce-dev/ansible --playbook plays/$1/$1.yml --own-branch $2 --config-branch $3 --force" + echo "# Running command: $PROVISION_EXEC" # shellcheck disable=SC2086 - sudo docker exec -t --workdir /home/ce-dev/ce-provision --user ce-dev provision-controller $PROVISION_CMD + sudo docker exec -t --workdir /home/ce-dev/ce-provision --user ce-dev provision-controller $PROVISION_EXEC echo "### $1 project completed ###" } diff --git a/ce-dev/ansible/vars/provision/ce_provision.yml b/ce-dev/ansible/vars/provision/ce_provision.yml index 4819f04c5..15dcb2705 100644 --- a/ce-dev/ansible/vars/provision/ce_provision.yml +++ b/ce-dev/ansible/vars/provision/ce_provision.yml 
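Review bot: in `test.sh` the first `sudo docker exec ... $PROVISION_EXEC` (the `plays/_common/setup.yml` run that installs Ansible in the venv) is followed immediately by the second run using `--python-interpreter /home/ce-dev/ce-python/bin/python3`, with no check of the first command's exit status; unless the script runs under `set -e`, a failed setup play is masked and the second run fails on a missing interpreter with a less obvious error. Add `|| exit 1` after the setup run. The `# shellcheck disable=SC2086` is appropriate here since the unquoted expansion is intentional word splitting of the command string.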
@@ -6,7 +6,7 @@ ce_provision: own_repository_branch: "devel-2.x" own_repository_skip_checkout: true config_repository: "https://github.com/codeenigma/ce-dev-ce-provision-config.git" - config_repository_branch: "1.x" + config_repository_branch: "devel-2.x" config_repository_skip_checkout: true local_dir: "/home/ce-dev/ce-provision" galaxy_custom_requirements_file: "/home/ce-dev/ce-provision/ce-dev/ansible/vars/provision/galaxy-requirements.yml" diff --git a/ce-dev/ansible/vars/web/php.yml b/ce-dev/ansible/vars/web/php.yml index e77d64b22..e6f4aeeb2 100644 --- a/ce-dev/ansible/vars/web/php.yml +++ b/ce-dev/ansible/vars/web/php.yml @@ -1,3 +1,6 @@ php: version: - - 8.1 \ No newline at end of file + - 8.1 + # GitHub Actions doesn't make ansible_facts for CPU info available + fpm: + max_children: 5 diff --git a/ce-dev/ce-dev.compose.yml b/ce-dev/ce-dev.compose.yml index 78a4ac0f8..f512e6176 100644 --- a/ce-dev/ce-dev.compose.yml +++ b/ce-dev/ce-dev.compose.yml @@ -11,6 +11,8 @@ services: x-ce_dev: {} volumes: - ../:/home/ce-dev/ce-provision + platform: linux/amd64 + cgroup: host target: image: codeenigma/ce-dev-1.x:devel x-ce_dev: @@ -21,6 +23,8 @@ services: - 443 cap_add: - NET_ADMIN + platform: linux/amd64 + cgroup: host privileged: image: codeenigma/ce-dev-1.x:devel x-ce_dev: @@ -32,3 +36,5 @@ services: - 443 cap_add: - NET_ADMIN + platform: linux/amd64 + cgroup: host diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md index 1c6484680..063e97276 100644 --- a/docs/roles/debian/php-fpm.md +++ b/docs/roles/debian/php-fpm.md @@ -23,7 +23,7 @@ php: # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, [ansible_facts.processor_vcpus * 2, 64] | min] | max }}" + max_children: "{{ [5, [ansible_facts.ansible_processor_nproc * 2, 64] | min] | max }}" start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 
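Review bot: the `ce-dev.compose.yml` hunk adds `cgroup: host` to all three services, including the `privileged` one that already has `cap_add: NET_ADMIN`, without a comment; sharing the host cgroup namespace removes one isolation boundary between the test containers and the runner, which is acceptable for throwaway CI containers but should be stated, presumably as needed for systemd inside the containers on a cgroup v2 runner, and limited to the services that need it. The `max_children: 5` override in `ce-dev/ansible/vars/web/php.yml` is commented as a CI-facts workaround, which is the right place for it.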
diff --git a/roles/debian/php-common/templates/sury.pref.j2 b/roles/debian/php-common/templates/sury.pref.j2 index 582556999..c42729d7e 100644 --- a/roles/debian/php-common/templates/sury.pref.j2 +++ b/roles/debian/php-common/templates/sury.pref.j2 @@ -1,3 +1,3 @@ Package: * Pin: origin packages.sury.org/deb/ -Pin-Priority: 1101 \ No newline at end of file +Pin-Priority: 1101 diff --git a/roles/debian/php-fpm/README.md b/roles/debian/php-fpm/README.md index 1c6484680..063e97276 100644 --- a/roles/debian/php-fpm/README.md +++ b/roles/debian/php-fpm/README.md @@ -23,7 +23,7 @@ php: # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, [ansible_facts.processor_vcpus * 2, 64] | min] | max }}" + max_children: "{{ [5, [ansible_facts.ansible_processor_nproc * 2, 64] | min] | max }}" start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml index bd11bd594..120525f84 100644 --- a/roles/debian/php-fpm/defaults/main.yml +++ b/roles/debian/php-fpm/defaults/main.yml @@ -13,7 +13,7 @@ php: # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, [ansible_facts.processor_vcpus * 2, 64] | min] | max }}" + max_children: "{{ [5, [ansible_facts.ansible_processor_nproc * 2, 64] | min] | max }}" start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 diff --git a/scripts/_common.sh b/scripts/_common.sh index 8ab48b9ad..2eb8d4197 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
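Review bot: same problem in `roles/debian/php-fpm/defaults/main.yml` and the identical line in `README.md`: `ansible_facts.ansible_processor_nproc` is undefined; the key under `ansible_facts` is `processor_nproc`. Because this is the role default, every host that does not override `php.fpm.max_children` will fail at template time. Suggest `max_children: "{{ [5, [ansible_facts.processor_nproc * 2, 64] | min] | max }}"` in all three files.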
@@ -154,14 +154,25 @@ cleanup_build_tmp_dir(){ rm -rf "$BUILD_TMP_DIR" fi } + # Trigger actual Ansible job. ansible_play(){ if [ -z "$ANSIBLE_PATH" ]; then if [ "$LINT" = "yes" ]; then # apt repo installed - ANSIBLE_BIN=$(command -v ansible-lint) + if ! command -v ansible-lint; then + echo "### Could not find ansible-lint - Exiting! ###" + exit 1 + else + ANSIBLE_BIN=$(command -v ansible-lint) + fi else - ANSIBLE_BIN=$(command -v ansible-playbook) + if ! command -v ansible-playbook; then + echo "### Could not find ansible-playbook - Exiting! ###" + exit 1 + else + ANSIBLE_BIN=$(command -v ansible-playbook) + fi fi else if [ "$LINT" = "yes" ]; then From c63908cc6e1899e5921d4268598d6120c606f9d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 5 Dec 2024 05:00:55 +0100 Subject: [PATCH 269/331] Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar --- roles/aws/aws_backup/tasks/backup_plan.yml | 1 + roles/aws/aws_backup/tasks/resource.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/aws/aws_backup/tasks/backup_plan.yml b/roles/aws/aws_backup/tasks/backup_plan.yml index f74d164e9..4b5c32320 100644 --- a/roles/aws/aws_backup/tasks/backup_plan.yml +++ b/roles/aws/aws_backup/tasks/backup_plan.yml @@ -45,6 +45,7 @@ ansible.builtin.include_role: name: aws/aws_backup_validation tasks_from: restore_testing_plan + when: _env_type != "dev" - name: Tidy up and remove the yaml input file. ansible.builtin.file: diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml index 5343fca11..5dc3c359a 100644 --- a/roles/aws/aws_backup/tasks/resource.yml +++ b/roles/aws/aws_backup/tasks/resource.yml @@ -69,3 +69,4 @@ ansible.builtin.include_role: name: aws/aws_backup_validation tasks_from: testing_resources + when: _env_type != "dev" From 019107f291df23f38ad9e2fce475ad3286804506 Mon Sep 17 00:00:00 2001 
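Review bot: `if ! command -v ansible-lint; then` prints the resolved path to stdout when the binary is found, so it lands in the build log ahead of the real output; redirect it: `if ! command -v ansible-lint >/dev/null 2>&1; then`. The same applies to the `ansible-playbook` branch, and in both branches `command -v` is then run a second time to fill `ANSIBLE_BIN`; `ANSIBLE_BIN=$(command -v ansible-playbook) || { echo "### Could not find ansible-playbook - Exiting! ###"; exit 1; }` does both jobs in one call.

Review bot: `when: _env_type != "dev"` in `backup_plan.yml` and `resource.yml` will error with "'_env_type' is undefined" on any inventory that does not set it, rather than skip; use `_env_type | default('') != "dev"` or assert the variable earlier in the role. Skipping the restore testing plan for dev means those environments get backups but never a verified restore; state that in the role README so nobody reads a green run as proof the restore was tested.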
From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 5 Dec 2024 09:13:55 +0100 Subject: [PATCH 270/331] Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades --- docs/roles/debian/nodejs.md | 4 ++-- roles/debian/nodejs/README.md | 4 ++-- roles/debian/nodejs/defaults/main.yml | 4 ++-- roles/debian/nodejs/tasks/main.yml | 5 ++--- 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/docs/roles/debian/nodejs.md b/docs/roles/debian/nodejs.md index 1931faa13..0e4624ee1 100644 --- a/docs/roles/debian/nodejs.md +++ b/docs/roles/debian/nodejs.md @@ -8,8 +8,8 @@ Installs NodeJS from official repos. --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: "origin=Node Source,codename=${distro_codename},label=Node Source" # nodejs repo - apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource.gpg.key + apt_origin_nodejs: "origin=Node Source,codename=nodistro,label=Node Source" # nodejs repo + apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg version: 18.x # LTS - see https://nodejs.dev/en/about/releases/ diff --git a/roles/debian/nodejs/README.md b/roles/debian/nodejs/README.md index 1931faa13..0e4624ee1 100644 --- a/roles/debian/nodejs/README.md +++ b/roles/debian/nodejs/README.md 
@@ -8,8 +8,8 @@ Installs NodeJS from official repos. --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: "origin=Node Source,codename=${distro_codename},label=Node Source" # nodejs repo - apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource.gpg.key + apt_origin_nodejs: "origin=Node Source,codename=nodistro,label=Node Source" # nodejs repo + apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg version: 18.x # LTS - see https://nodejs.dev/en/about/releases/ diff --git a/roles/debian/nodejs/defaults/main.yml b/roles/debian/nodejs/defaults/main.yml index c2103ced1..7e2324abf 100644 --- a/roles/debian/nodejs/defaults/main.yml +++ b/roles/debian/nodejs/defaults/main.yml @@ -1,8 +1,8 @@ --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: "origin=Node Source,codename=${distro_codename},label=Node Source" # nodejs repo - apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource.gpg.key + apt_origin_nodejs: "origin=. nodistro,codename=nodistro,label=. nodistro" # nodejs repo + apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg version: 18.x # LTS - see https://nodejs.dev/en/about/releases/ diff --git a/roles/debian/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml index 027659df7..3128b7bb8 100644 --- a/roles/debian/nodejs/tasks/main.yml +++ b/roles/debian/nodejs/tasks/main.yml 
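Review bot: within this one commit the docs and README set `apt_origin_nodejs: "origin=Node Source,codename=nodistro,label=Node Source"` while `defaults/main.yml` sets `"origin=. nodistro,codename=nodistro,label=. nodistro"`; at most one of these matches the repository's Release file, and whichever is wrong makes unattended-upgrades silently ignore the NodeSource origin. Check the `o=` and `l=` values shown by `apt-cache policy` for the NodeSource entry on a provisioned host and copy the same string into all three files. Switching to `nodesource-repo.gpg.key` is right for the `nodistro` layout, but the key is still fetched over HTTPS at provision time; recording its fingerprint in the role and checking it would make the supply-chain trust explicit.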
@@ -4,16 +4,15 @@ name: debian/apt_repository vars: apt_repository: - legacy_repo: "deb https://deb.nodesource.com/node_{{ nodejs.version }} {{ ansible_distribution_release }} main" + legacy_repo: "deb https://deb.nodesource.com/node_{{ nodejs.version }} nodistro main" format: deb822 name: nodejs types: - deb - - deb-src uris: - "https://deb.nodesource.com/node_{{ nodejs.version }}" signed_by: "{{ nodejs.apt_signed_by_nodejs }}" - suites: "{{ ansible_distribution_release }}" + suites: "nodistro" components: - main state: present From 2551c45711865e59516065f6bd8dc6d5fc2ae196 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 5 Dec 2024 12:07:56 +0100 Subject: [PATCH 271/331] r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar --- docs/roles/aws/aws_acl.md | 6 +++--- docs/roles/debian/nodejs.md | 2 +- roles/aws/aws_acl/README.md | 6 +++--- roles/aws/aws_acl/defaults/main.yml | 6 +++--- roles/aws/aws_acl/tasks/bot_control.yml | 2 +- roles/aws/aws_acl/tasks/main.yml | 2 +- roles/debian/nodejs/README.md | 2 +- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md index 18ee0bdaa..b524c7f00 100644 --- a/docs/roles/aws/aws_acl.md +++ b/docs/roles/aws/aws_acl.md @@ -21,12 +21,12 @@ aws_acl: ip_sets: - rule_name: "Allowed-IPs-rule" set_name: "Allowed-IPs-set" - description: "List of IPs from our VPNs - Ansible managed" + description: "List of IPs to whitelist - Ansible managed" action: allow priority: 1 list: - - 3.11.82.252/32 # main VPN - - 159.100.242.248/32 # backup VPN, bastion2 + - 1.1.1.1/32 + - 2.2.2.2/32 country_codes: - name: "allowed-countries" action: allow diff --git a/docs/roles/debian/nodejs.md b/docs/roles/debian/nodejs.md index 0e4624ee1..c121efb58 100644 --- a/docs/roles/debian/nodejs.md +++ b/docs/roles/debian/nodejs.md 
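Review bot: in the `aws_acl` docs the replacement list `1.1.1.1/32` and `2.2.2.2/32` uses routable public addresses (1.1.1.1 is Cloudflare's resolver), so copying the example verbatim produces an allow rule for someone else's hosts; use RFC 5737 documentation prefixes (for example `192.0.2.10/32`, `198.51.100.20/32`) in examples. Removing the real VPN and bastion addresses from a public repository is the right call and should be mentioned in the commit body so the history explains the change.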
@@ -8,7 +8,7 @@ Installs NodeJS from official repos. --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: "origin=Node Source,codename=nodistro,label=Node Source" # nodejs repo + apt_origin_nodejs: "origin=. nodistro,codename=nodistro,label=. nodistro" # nodejs repo apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index 18ee0bdaa..b524c7f00 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -21,12 +21,12 @@ aws_acl: ip_sets: - rule_name: "Allowed-IPs-rule" set_name: "Allowed-IPs-set" - description: "List of IPs from our VPNs - Ansible managed" + description: "List of IPs to whitelist - Ansible managed" action: allow priority: 1 list: - - 3.11.82.252/32 # main VPN - - 159.100.242.248/32 # backup VPN, bastion2 + - 1.1.1.1/32 + - 2.2.2.2/32 country_codes: - name: "allowed-countries" action: allow diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index 73bf1ad91..4970f9b08 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml @@ -12,12 +12,12 @@ aws_acl: ip_sets: - rule_name: "Allowed-IPs-rule" set_name: "Allowed-IPs-set" - description: "List of IPs from our VPNs - Ansible managed" + description: "List of IPs to whitelist - Ansible managed" action: allow priority: 1 list: - - 3.11.82.252/32 # main VPN - - 159.100.242.248/32 # backup VPN, bastion2 + - 1.1.1.1/32 + - 2.2.2.2/32 country_codes: - name: "allowed-countries" action: allow diff --git a/roles/aws/aws_acl/tasks/bot_control.yml b/roles/aws/aws_acl/tasks/bot_control.yml index 38f713387..d81296151 100644 --- a/roles/aws/aws_acl/tasks/bot_control.yml +++ b/roles/aws/aws_acl/tasks/bot_control.yml 
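Review bot: the same `1.1.1.1/32` / `2.2.2.2/32` list now sits in `roles/aws/aws_acl/defaults/main.yml`, which is not an example but the live default: any deployment that does not override `aws_acl.ip_sets` ships an "Allowed-IPs-set" that allows those two addresses with `priority: 1`, ahead of every other rule. Defaults should carry an empty `list: []` (and the creation task should skip an empty IP set), with the documentation prefixes kept to the README example only. "whitelist" in the description could also become "allow" to match the `action: allow` wording used in the same block.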
@@ -129,7 +129,7 @@ - name: Set priority. ansible.builtin.include_tasks: set_priority_dict.yml vars: - _priority: "{{ bot_control.priority }}" + _priority: "{{ _acl.rules.bot_control.priority }}" - name: Append priority to rule. ansible.builtin.set_fact: diff --git a/roles/aws/aws_acl/tasks/main.yml b/roles/aws/aws_acl/tasks/main.yml index d432c1d82..4da2e4a65 100644 --- a/roles/aws/aws_acl/tasks/main.yml +++ b/roles/aws/aws_acl/tasks/main.yml @@ -6,6 +6,6 @@ loop_control: loop_var: _acl -- name: Set ACL to CF/ALB. +- name: Set ACL to CF/ALB if dict is passed. ansible.builtin.include_tasks: set_acl.yml when: aws_acl | type_debug == 'dict' diff --git a/roles/debian/nodejs/README.md b/roles/debian/nodejs/README.md index 0e4624ee1..c121efb58 100644 --- a/roles/debian/nodejs/README.md +++ b/roles/debian/nodejs/README.md @@ -8,7 +8,7 @@ Installs NodeJS from official repos. --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: "origin=Node Source,codename=nodistro,label=Node Source" # nodejs repo + apt_origin_nodejs: "origin=. nodistro,codename=nodistro,label=. nodistro" # nodejs repo apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg From 1042aa14a380eadab7a7e3ea6ce81e6a8a700076 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 5 Dec 2024 16:00:36 +0100 Subject: [PATCH 272/331] r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar --- docs/roles/aws/aws_acl.md | 1 + roles/aws/aws_acl/README.md | 1 + roles/aws/aws_acl/defaults/main.yml | 1 + roles/aws/aws_acl/tasks/main.yml | 4 +++- 4 files changed, 6 insertions(+), 1 deletion(-) 
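Review bot: `_priority: "{{ _acl.rules.bot_control.priority }}"` fixes the reference to an undefined `bot_control`, but it now assumes every ACL item in the list defines `rules.bot_control.priority`; the defaults visible in this series only populate `rules.rate_limit`, and defaults do not merge into list items. Guard the include of `bot_control.yml` with `when: _acl.rules.bot_control is defined`, or give the lookup a `| default(...)`, so a list entry without bot control does not abort the whole loop.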
diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md index b524c7f00..f802c46a2 100644 --- a/docs/roles/aws/aws_acl.md +++ b/docs/roles/aws/aws_acl.md @@ -14,6 +14,7 @@ aws_acl: scope: CLOUDFRONT # Can be REGIONAL for ALBs region: "us-east-1" tags: "{{ _aws_tags }}" + recreate: false # set to true to creating the ACL rules: rate_limit: value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index b524c7f00..f802c46a2 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -14,6 +14,7 @@ aws_acl: scope: CLOUDFRONT # Can be REGIONAL for ALBs region: "us-east-1" tags: "{{ _aws_tags }}" + recreate: false # set to true to creating the ACL rules: rate_limit: value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index 4970f9b08..2757cffc6 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml @@ -5,6 +5,7 @@ aws_acl: scope: CLOUDFRONT # Can be REGIONAL for ALBs region: "us-east-1" tags: "{{ _aws_tags }}" + recreate: false # set to true to creating the ACL rules: rate_limit: value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking diff --git a/roles/aws/aws_acl/tasks/main.yml b/roles/aws/aws_acl/tasks/main.yml index 4da2e4a65..d0bcda7f8 100644 --- a/roles/aws/aws_acl/tasks/main.yml +++ b/roles/aws/aws_acl/tasks/main.yml 
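Review bot: the comment `recreate: false # set to true to creating the ACL` is ungrammatical and, more importantly, does not describe what `tasks/main.yml` does with the flag: creation runs only when `_acl.recreate is not defined or _acl.recreate`, so `recreate: false` skips creation altogether, including the very first creation of an ACL that does not exist yet. Reword to something like `recreate: false # true: (re)create the ACL and its rules; false: skip creation and only attach an existing ACL`, and say the same in the README, since a reader of the current text will set `false` expecting "create once".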
@@ -1,10 +1,12 @@ --- - name: Create ACLs when list is passed. ansible.builtin.include_tasks: create_acl.yml - when: aws_acl | type_debug == 'list' loop: "{{ aws_acl | list }}" loop_control: loop_var: _acl + when: + - aws_acl | type_debug == 'list' + - _acl.recreate is not defined or _acl.recreate - name: Set ACL to CF/ALB if dict is passed. ansible.builtin.include_tasks: set_acl.yml From 1f27e9e4ac9a17c2f413146f873e5c8e9c07a874 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 5 Dec 2024 17:58:22 +0100 Subject: [PATCH 273/331] Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar --- roles/aws/aws_backup_validation/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index ecb9f5828..873524ada 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml @@ -92,6 +92,7 @@ tags: Name: "{{ item }}_backup_validation" register: _lambda_functions + failed_when: result.rc != 0 loop: "{{ aws_backup_validation.resources }}" - name: Create validation report functions @@ -106,6 +107,7 @@ role: "{{ _created_iam_lambda_role.iam_role.arn }}" handler: "validation_report.{{ aws_backup_validation.handler }}" register: _validation_report + failed_when: result.rc != 0 - name: Remove non UTF-8 item ansible.builtin.set_fact: From faf190d35f1eac61c8da1d156d32b565c84b316f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Thu, 5 Dec 2024 18:08:07 +0100 Subject: [PATCH 274/331] Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar --- roles/aws/aws_backup_validation/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
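Review bot: moving `when:` below `loop:` is fine, but `_acl.recreate is not defined or _acl.recreate` is evaluated per item, and when `aws_acl` is the default dict `aws_acl | list` iterates over the dict's keys as strings; it only works because Ansible stops at the first false condition (`aws_acl | type_debug == 'list'`). Writing the second condition as `_acl.recreate | default(true)` reads as the intended "create unless explicitly disabled" and survives a reorder of the two conditions.

Review bot: `failed_when: result.rc != 0` references `result`, which is never registered (the registered names are `_lambda_functions` and `_validation_report`), so both tasks fail with an undefined-variable error on every run; and `amazon.aws.lambda` does not return `rc` at all, so renaming the variable is not enough. Drop the `failed_when` (the module already fails the task on an API error) or assert on a key the module actually returns.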
diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index 873524ada..c55ea39b0 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml @@ -92,7 +92,7 @@ tags: Name: "{{ item }}_backup_validation" register: _lambda_functions - failed_when: result.rc != 0 + failed_when: _lambda_functions.rc != 0 loop: "{{ aws_backup_validation.resources }}" - name: Create validation report functions @@ -107,7 +107,7 @@ role: "{{ _created_iam_lambda_role.iam_role.arn }}" handler: "validation_report.{{ aws_backup_validation.handler }}" register: _validation_report - failed_when: result.rc != 0 + failed_when: _validation_report.rc != 0 - name: Remove non UTF-8 item ansible.builtin.set_fact: From 997a693f8a8bd9359fe6bc73a98673d199f7f6a9 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Mon, 9 Dec 2024 05:38:18 +0100 Subject: [PATCH 275/331] Fixing-utf8 (#2129) --- roles/aws/aws_backup_validation/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index c55ea39b0..3c5d033bc 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml @@ -92,7 +92,7 @@ tags: Name: "{{ item }}_backup_validation" register: _lambda_functions - failed_when: _lambda_functions.rc != 0 + failed_when: _lambda_functions.rc | int != 0 loop: "{{ aws_backup_validation.resources }}" - name: Create validation report functions From d455a4fafa94f6e36bae710f018fe9e9e982bdfd Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Mon, 9 Dec 2024 06:35:55 +0100 Subject: [PATCH 276/331] Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug --- roles/aws/aws_backup_validation/tasks/main.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) 
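Review bot: renaming `result` to `_lambda_functions` / `_validation_report` fixes the undefined name but not the condition: `amazon.aws.lambda` returns no `rc`, so `_lambda_functions.rc != 0` is still an undefined-attribute error on a successful create, and the follow-up `_lambda_functions.rc | int != 0` does not change that because `| int` is applied to a value that does not exist. If the goal is to surface a non-UTF-8 error from the module, a `failed_when` on a missing key hides it behind an undefined-variable error instead; remove the line and read the module's own `msg`.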
diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index 3c5d033bc..c1a696bd2 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml @@ -78,6 +78,22 @@ dest: "{{ _ce_provision_build_dir }}/validation_report.zip" format: zip +- name: Debug variables to check for non-UTF-8 characters + debug: + msg: + - "Name: {{ aws_backup_validation.name }}" + - "Description: {{ aws_backup_validation.description }}" + - "Handler: {{ aws_backup_validation.handler }}" + - "Tags Name: {{ item }}_backup_validation" + +- name: Check for non-UTF-8 characters in variables + debug: + msg: + - "Name contains non-UTF-8 characters: {{ (aws_backup_validation.name | string | regex_search('[^\x00-\x7F]')) }}" + - "Description contains non-UTF-8 characters: {{ (aws_backup_validation.description | string | regex_search('[^\x00-\x7F]')) }}" + - "Handler contains non-UTF-8 characters: {{ (aws_backup_validation.handler | string | regex_search('[^\x00-\x7F]')) }}" + - "Tags Name contains non-UTF-8 characters: {{ (item | string | regex_search('[^\x00-\x7F]')) }}" + - name: Create Lambda functions amazon.aws.lambda: name: "{{ aws_backup_validation.name }}_{{ item }}" @@ -92,7 +108,7 @@ tags: Name: "{{ item }}_backup_validation" register: _lambda_functions - failed_when: _lambda_functions.rc | int != 0 + failed_when: "{{ (_lambda_functions.changed | default(false) | bool) == false }}" loop: "{{ aws_backup_validation.resources }}" - name: Create validation report functions From e7808827d914bbc2dda2194b40139d9ddbfa115e Mon Sep 17 00:00:00 2001 
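Review bot: three problems in this hunk. Both `debug` tasks use `{{ item }}` without a `loop`, so they fail with `'item' is undefined` before the Lambda task is reached. `regex_search('[^\x00-\x7F]')` detects non-ASCII, not invalid UTF-8; a valid UTF-8 description containing a character such as `Š` is flagged, while a genuinely malformed byte sequence would already have broken templating. And `failed_when: "{{ (_lambda_functions.changed | default(false) | bool) == false }}"` wraps a conditional in Jinja delimiters (Ansible warns about this) and makes the task fail whenever the function already exists unchanged, so the role stops being idempotent from the second run onward. Use `failed_when` only for module-reported failure states, or drop it.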
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Mon, 9 Dec 2024 17:47:37 +0100 Subject: [PATCH 277/331] Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar --- .../aws_backup_validation/defaults/main.yml | 3 +- .../aws/aws_backup_validation/tasks/main.yml | 54 ++++++++++--------- 2 files changed, 32 insertions(+), 25 deletions(-) diff --git a/roles/aws/aws_backup_validation/defaults/main.yml b/roles/aws/aws_backup_validation/defaults/main.yml index 0ae695134..2e2632376 100644 --- a/roles/aws/aws_backup_validation/defaults/main.yml +++ b/roles/aws/aws_backup_validation/defaults/main.yml @@ -1,7 +1,8 @@ --- aws_backup_validation: + s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}" name: "RestoreValidation" - description: "Restore validation for" + description: "Restore validation is running every Sunday at 00:00AM, and validation reporting is triggered on Monday 00:00AM" timeout: 60 runtime: "python3.12" handler: "lambda_handler" diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index c1a696bd2..cea43de51 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml 
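Review bot: `s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}"` embeds a fixed company prefix in a role default; S3 bucket names are global, so a user of this role outside that organisation will hit `BucketAlreadyExists` or, worse, try to upload Lambda code into a bucket they do not own. Make the prefix a variable with no default, or derive it from the account ID. The new `description` is a sentence about the schedule; it is shown in the Lambda console as the function's description, so the actual schedule expressions should be kept in sync with it, or the text should point at where the schedule is defined.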
@@ -33,16 +33,22 @@ - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores - "{{ _pass_role.policy.arn }}" -- name: Sleep for 20 seconds for IAM before Lambda creation +- name: Sleep for 10 seconds for IAM before Lambda creation ansible.builtin.wait_for: - timeout: 20 + timeout: 10 -# Not all clients have verified identity +# TODO: Not all clients have verified identity #- name: Get verified domain. # ansible.builtin.include_tasks: get_valid_email.yml - name: Clean and set python functions block: + - name: Create S3 bucket for lambda functions + amazon.aws.s3_bucket: + name: "{{ aws_backup_validation.s3_bucket }}" + region: "{{ _aws_region }}" + state: present + - name: Check and clean any previous backup validation files ansible.builtin.file: path: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py" 
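Review bot: `amazon.aws.s3_bucket` is created with only `name`, `region` and `state`, so the bucket that holds the Lambda deployment packages gets the account defaults for public access block, encryption and versioning; anyone who can write to this bucket can replace the code the validation functions run. Set `public_access` with all four block options true, `encryption: AES256` (or `aws:kms`) and `versioning: true` explicitly. Cutting the IAM propagation sleep from 20 to 10 seconds turns Lambda creation into a race; an `until`/`retries`/`delay` loop on the Lambda task (retrying on the role-not-assumable error) is deterministic where a fixed sleep is not.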
@@ -78,29 +84,30 @@ dest: "{{ _ce_provision_build_dir }}/validation_report.zip" format: zip -- name: Debug variables to check for non-UTF-8 characters - debug: - msg: - - "Name: {{ aws_backup_validation.name }}" - - "Description: {{ aws_backup_validation.description }}" - - "Handler: {{ aws_backup_validation.handler }}" - - "Tags Name: {{ item }}_backup_validation" - -- name: Check for non-UTF-8 characters in variables - debug: - msg: - - "Name contains non-UTF-8 characters: {{ (aws_backup_validation.name | string | regex_search('[^\x00-\x7F]')) }}" - - "Description contains non-UTF-8 characters: {{ (aws_backup_validation.description | string | regex_search('[^\x00-\x7F]')) }}" - - "Handler contains non-UTF-8 characters: {{ (aws_backup_validation.handler | string | regex_search('[^\x00-\x7F]')) }}" - - "Tags Name contains non-UTF-8 characters: {{ (item | string | regex_search('[^\x00-\x7F]')) }}" + - name: Place backup validation functions in S3 bucket + amazon.aws.s3_object: + bucket: "{{ aws_backup_validation.s3_bucket }}" + object: "lambda-functions/{{ item }}_validation.zip" + src: "{{ _ce_provision_build_dir }}/{{ item }}_validation.zip" + mode: put + loop: "{{ aws_backup_validation.resources }}" + + - name: Place report function in S3 bucket + amazon.aws.s3_object: + bucket: "{{ aws_backup_validation.s3_bucket }}" + object: "lambda-functions/validation_report.zip" + src: "{{ _ce_provision_build_dir }}/validation_report.zip" + mode: put + loop: "{{ aws_backup_validation.resources }}" - name: Create Lambda functions amazon.aws.lambda: name: "{{ aws_backup_validation.name }}_{{ item }}" - description: "{{ aws_backup_validation.description }} {{ item }} new comment to update function" + description: "{{ aws_backup_validation.description }}" region: "{{ _aws_region }}" timeout: "{{ aws_backup_validation.timeout }}" - zip_file: "{{ _ce_provision_build_dir }}/{{ item }}_validation.zip" + s3_bucket: "{{ aws_backup_validation.s3_bucket }}" + s3_key: 
"lambda-functions/{{ item }}_validation.zip" state: present runtime: "{{ aws_backup_validation.runtime }}" role: "{{ _created_iam_lambda_role.iam_role.arn }}" @@ -108,22 +115,21 @@ tags: Name: "{{ item }}_backup_validation" register: _lambda_functions - failed_when: "{{ (_lambda_functions.changed | default(false) | bool) == false }}" loop: "{{ aws_backup_validation.resources }}" - name: Create validation report functions amazon.aws.lambda: name: "validation_report" - description: "Function that will send report about previous validations" + description: "{{ aws_backup_validation.description }}" region: "{{ _aws_region }}" timeout: 30 - zip_file: "{{ _ce_provision_build_dir }}/validation_report.zip" + s3_bucket: "{{ aws_backup_validation.s3_bucket }}" + s3_key: "lambda-functions/validation_report.zip" state: present runtime: "{{ aws_backup_validation.runtime }}" role: "{{ _created_iam_lambda_role.iam_role.arn }}" handler: "validation_report.{{ aws_backup_validation.handler }}" register: _validation_report - failed_when: _validation_report.rc != 0 - name: Remove non UTF-8 item ansible.builtin.set_fact: From 461792ddcd6fd475cd94f330a6c882eb4fa1c6bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Mon, 9 Dec 2024 18:09:49 +0100 Subject: [PATCH 278/331] Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar --- docs/roles/aws/aws_backup_validation.md | 3 ++- roles/aws/aws_backup_validation/README.md | 3 ++- roles/aws/aws_backup_validation/templates/validation_report.j2 | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/roles/aws/aws_backup_validation.md b/docs/roles/aws/aws_backup_validation.md index 3548fc7b0..1ca4f8487 100644 --- a/docs/roles/aws/aws_backup_validation.md +++ b/docs/roles/aws/aws_backup_validation.md 
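Review bot: `Place report function in S3 bucket` has `loop: "{{ aws_backup_validation.resources }}"` but never uses `item`, so `validation_report.zip` is uploaded once per resource; drop the loop. With the code now coming from `s3_bucket`/`s3_key`, the Lambda task no longer has a local zip to hash, so check on a second run that `amazon.aws.lambda` reports `changed` when the validation script content changes; if it does not, updates to the templates will never deploy and an `s3_object_version` from the versioned bucket (or a key that includes a content hash) is needed.

Review bot: removing the two `failed_when` lines restores the module's own failure handling, which is the right fix for the previous four commits. Both functions now share `description: "{{ aws_backup_validation.description }}"`, so the per-function text that named the validated resource is gone; the `Name: "{{ item }}_backup_validation"` tag still carries it, but the console listing becomes less useful and the previous `"Function that will send report about previous validations"` was the more accurate description for `validation_report`.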
@@ -10,8 +10,9 @@ Creates AWS Restore testing plan for EC2 and RDS, EventBridge rule that gets tri ```yaml --- aws_backup_validation: + s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}" name: "RestoreValidation" - description: "Restore validation for" + description: "Restore validation is running every Sunday at 00:00AM, and validation reporting is triggered on Monday 00:00AM" timeout: 60 runtime: "python3.12" handler: "lambda_handler" diff --git a/roles/aws/aws_backup_validation/README.md b/roles/aws/aws_backup_validation/README.md index 3548fc7b0..1ca4f8487 100644 --- a/roles/aws/aws_backup_validation/README.md +++ b/roles/aws/aws_backup_validation/README.md @@ -10,8 +10,9 @@ Creates AWS Restore testing plan for EC2 and RDS, EventBridge rule that gets tri ```yaml --- aws_backup_validation: + s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}" name: "RestoreValidation" - description: "Restore validation for" + description: "Restore validation is running every Sunday at 00:00AM, and validation reporting is triggered on Monday 00:00AM" timeout: 60 runtime: "python3.12" handler: "lambda_handler" diff --git a/roles/aws/aws_backup_validation/templates/validation_report.j2 b/roles/aws/aws_backup_validation/templates/validation_report.j2 index ace8a7f9b..9626042d6 100644 --- a/roles/aws/aws_backup_validation/templates/validation_report.j2 +++ b/roles/aws/aws_backup_validation/templates/validation_report.j2 @@ -116,7 +116,7 @@ def lambda_handler(event, context): }, 'Subject': { 'Charset': 'UTF-8', - 'Data': 'Lambda Backup validation: ' + mail_title, + 'Data': 'Restore testing - {{ _aws_profile }}: ' + mail_title, }, }, Source='Lambda Backup Validation ', From f969f1b9c9c7439727750d5d04074c9b1e9e41bd Mon Sep 17 00:00:00 2001 
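Review bot: "every Sunday at 00:00AM" and "Monday 00:00AM" in the documented description are not times; EventBridge schedule expressions run in UTC, so write "00:00 UTC" and keep the wording identical to whatever cron expression the role actually sets. The `Source='Lambda Backup Validation '` line in `validation_report.j2` still has its sender address hard-coded in the template rather than taken from a variable, which is the value SES has to have verified; tying it to the same variable the commented-out `get_valid_email.yml` was meant to provide would avoid a silent send failure on accounts where that identity is not verified.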
From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 11 Dec 2024 05:47:52 +0100 Subject: [PATCH 279/331] Adding-defaults-to-max-children (#2141) --- roles/debian/php-fpm/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml index 120525f84..0019ccb7c 100644 --- a/roles/debian/php-fpm/defaults/main.yml +++ b/roles/debian/php-fpm/defaults/main.yml @@ -13,7 +13,7 @@ php: # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, [ansible_facts.ansible_processor_nproc * 2, 64] | min] | max }}" + max_children: "{{ [5, [ansible_facts.ansible_processor_nproc | default(1)] * 2, 64] | min } | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 From 83157d12e2de5ee193694fead211ed00c348f339 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Wed, 11 Dec 2024 06:41:46 +0100 Subject: [PATCH 280/331] Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children --- roles/debian/php-fpm/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml index 0019ccb7c..8de9a5fe0 100644 --- a/roles/debian/php-fpm/defaults/main.yml +++ b/roles/debian/php-fpm/defaults/main.yml 
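Review bot: this expression does not parse: `[ansible_facts.ansible_processor_nproc | default(1)] * 2` is a one-element list repeated twice, the braces are unbalanced (`| min } | max }}`), and the key `ansible_facts.ansible_processor_nproc` is still undefined (the fact is `ansible_facts.processor_nproc`), which is the real reason the fallback is ever needed. Once `default(1)` masks the undefined key the result is `max(5, 2)`, i.e. 5 on every host, which defeats the "double the number of vCPUs" rule in the comment above it.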
@@ -13,7 +13,7 @@ php: # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, [ansible_facts.ansible_processor_nproc | default(1)] * 2, 64] | min } | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks + max_children: "{{ [5, (ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 From 2740a8a154d06809fb06bbcb6cdaa88a0fcc2938 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:58:57 +0100 Subject: [PATCH 281/331] Updating-php-defaults (#2145) --- roles/debian/php-fpm/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml index 8de9a5fe0..9eaa195e7 100644 --- a/roles/debian/php-fpm/defaults/main.yml +++ b/roles/debian/php-fpm/defaults/main.yml @@ -13,7 +13,7 @@ php: # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, (ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks + max_children: "{{ [5, (ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 From e52a5468e854c1843dda339fac416f76d7785b29 Mon Sep 17 00:00:00 2001 
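Review bot: `[5, x * 2, 64] | min | max` applies `max` to the scalar that `min` returned, which errors; and because 5 and 64 now sit as siblings of `x * 2`, `min` would always be 5 regardless of the CPU count. The intended shape is `[5, [x * 2, 64] | min] | max`.

Review bot: dropping `| min` makes it `[5, x * 2, 64] | max`, which is 64 on every host because 64 is a member of the list. None of the three revisions so far checks the value it produces; `ansible -m debug -a "msg={{ php.fpm.max_children }}"` against one host before merging would have shown 5, an error, and 64 respectively.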
From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Fri, 13 Dec 2024 06:46:14 +0100 Subject: [PATCH 282/331] Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults --- roles/debian/php-fpm/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml index 9eaa195e7..12b52dac7 100644 --- a/roles/debian/php-fpm/defaults/main.yml +++ b/roles/debian/php-fpm/defaults/main.yml @@ -13,7 +13,7 @@ php: # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, (ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks + max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 From e8b9b637bd32146d794cf22937be34c7572f07c5 Mon Sep 17 00:00:00 2001 From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Date: Tue, 17 Dec 2024 11:31:00 +0200 Subject: [PATCH 283/331] efs_version_fix_for_old_debian_workaround (#2151) --- roles/debian/aws_efs_client/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/aws_efs_client/defaults/main.yml b/roles/debian/aws_efs_client/defaults/main.yml index 9450c4ff7..091662e43 100644 --- a/roles/debian/aws_efs_client/defaults/main.yml +++ b/roles/debian/aws_efs_client/defaults/main.yml 
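Review bot: the bracket structure is finally `[5, [(x) * 2, 64] | min] | max`, but `ansible_facts.ansible_processor_nproc` remains an invalid key, so `default(1)` fires on every host and `max_children` is always 5 in production, not the scaled value the comment promises; change it to `ansible_facts.processor_nproc | default(1)`. The docs and README copies from earlier in this series still show the expression without `default(...)`, so the documented default no longer matches the role default.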
@@ -4,7 +4,7 @@ _mount_state: present aws_efs_client: aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set - version: 2.1.0 # version of AWS EFS utils to use + version: "{{ '1.35.0' if ansible_distribution_major_version | int < 12 else '2.1.0' }}" # 2.1.0 requires libssl v3 which is absent on Debian < 12 by default. build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb` deb_url: "" # provide an alternative location for the .deb package # See https://docs.ansible.com/ansible/latest/modules/mount_module.html From 653c23ee2d29e59491f51c0870488157ed31e927 Mon Sep 17 00:00:00 2001 From: Klaus Purer Date: Tue, 17 Dec 2024 17:35:27 +0100 Subject: [PATCH 284/331] fix(duplicity): Fix file name of include/exclude list (#2152) --- roles/debian/duplicity/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/duplicity/tasks/main.yml b/roles/debian/duplicity/tasks/main.yml index 4a06b5857..7f7182e90 100644 --- a/roles/debian/duplicity/tasks/main.yml +++ b/roles/debian/duplicity/tasks/main.yml @@ -101,7 +101,7 @@ - name: Copy include-exclude filelist. ansible.builtin.template: src: include-exclude-filelist.j2 - dest: "{{ duplicity.install_dir }}/etc/{{ dir.name }}-include-filelist" + dest: "{{ duplicity.install_dir }}/etc/{{ dir.name }}-include-exclude-filelist" owner: root group: root mode: 0644 From af394a8a855b258b26689540d4a226eb24bc8aec Mon Sep 17 00:00:00 2001 
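Review bot: the new `version` expression relies on `ansible_distribution_major_version` being a Debian release number, but the installer accepts `ID_LIKE=debian` systems too, and on a derivative with its own numbering (Ubuntu 20.04 ships libssl1.1 yet reports major version 20, which is not `< 12`) the check selects 2.1.0 and the install fails in exactly the way this change is working around. Consider also gating on `ansible_distribution == 'Debian'`, or documenting that the automatic fallback is Debian-only. The expression also now depends on gathered facts; the `default(1)` fallback on `ansible_processor_nproc` elsewhere in this series shows that is not always guaranteed, so a `default` or an explicit `fail` with a readable message would be kinder than an undefined-variable error.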
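Review bot: renaming the rendered file to `{{ dir.name }}-include-exclude-filelist` only changes the `dest` of this template task; nothing in the hunk shows the consumer (the duplicity invocation or cron template that passes the list via `--include-filelist`/`--exclude-filelist`) being updated to the new name. Please confirm it references the same path, otherwise backups run without their include/exclude rules and either miss data or back up everything. Minor: `mode: 0644` is an unquoted octal that ansible-lint flags as risky-octal; `mode: "0644"` is the safer spelling.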
From: Greg Harvey Date: Wed, 18 Dec 2024 15:34:55 +0100 Subject: [PATCH 285/331] Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. 
* Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. * Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. 
* Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. * More verbosity. * Checking for missing requirements file. * Removing eroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostGreSQL logs to see if there are errors. * Outputting PostGreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. 
--- .../workflows/ce-provision-test-gitlab.yml | 42 ++++ .../ce-provision-test-gitlab.yml.NOPE | 42 ---- .github/workflows/ce-provision-test-web.yml | 54 ++--- ce-dev/ansible/plays/gitlab/ci.yml | 37 +++ ce-dev/ansible/plays/gitlab/gitlab.yml | 16 +- ce-dev/ansible/plays/web/ci.yml | 22 ++ ce-dev/ansible/vars/gitlab/gitlab_runner.yml | 2 + docs/roles/_init.md | 9 +- docs/roles/debian/aws_efs_client.md | 2 +- docs/roles/debian/ce_deploy.md | 2 +- docs/roles/debian/gitlab.md | 1 + docs/roles/debian/php-fpm.md | 2 +- install.sh | 222 +++++++++++------- roles/_exit/tasks/main.yml | 1 + roles/_init/README.md | 9 +- roles/_init/defaults/main.yml | 9 +- roles/_init/tasks/main.yml | 6 +- roles/debian/ansible/tasks/main.yml | 4 +- roles/debian/ansible_galaxy/tasks/main.yml | 4 +- roles/debian/apt_repository/tasks/main.yml | 1 + roles/debian/aws_efs_client/README.md | 2 +- roles/debian/ce_deploy/README.md | 2 +- roles/debian/ce_deploy/defaults/main.yml | 2 +- roles/debian/gitlab/README.md | 1 + roles/debian/gitlab/defaults/main.yml | 1 + roles/debian/gitlab/tasks/main.yml | 29 +-- .../gitlab/templates/gitlab-config.rb.j2 | 4 - roles/debian/gitlab_runner/tasks/main.yml | 2 +- roles/debian/jitsi/tasks/main.yml | 2 +- roles/debian/locales/tasks/main.yml | 2 +- .../mysql_server_mariadb/tasks/main.yml | 4 +- .../mysql_server_oracle_ce/tasks/main.yml | 4 +- roles/debian/nginx/templates/drupal10.j2 | 2 +- roles/debian/nginx/templates/drupal_common.j2 | 2 +- roles/debian/nginx/templates/mautic.j2 | 2 +- roles/debian/php-fpm/README.md | 2 +- roles/debian/php_blackfire/defaults/main.yml | 2 + roles/debian/php_blackfire/tasks/main.yml | 8 +- roles/debian/postfix/tasks/main.yml | 7 +- roles/debian/postfix/templates/main.cf.j2 | 2 +- roles/debian/user_deploy/defaults/main.yml | 2 +- roles/debian/user_provision/defaults/main.yml | 2 +- 42 files changed, 352 insertions(+), 221 deletions(-) create mode 100644 .github/workflows/ce-provision-test-gitlab.yml delete mode 100644 
.github/workflows/ce-provision-test-gitlab.yml.NOPE create mode 100644 ce-dev/ansible/plays/gitlab/ci.yml create mode 100644 ce-dev/ansible/plays/web/ci.yml create mode 100644 ce-dev/ansible/vars/gitlab/gitlab_runner.yml diff --git a/.github/workflows/ce-provision-test-gitlab.yml b/.github/workflows/ce-provision-test-gitlab.yml new file mode 100644 index 000000000..bd50e7233 --- /dev/null +++ b/.github/workflows/ce-provision-test-gitlab.yml 
@@ -0,0 +1,42 @@ +name: Run GitLab server test build + +# Run this workflow nightly and every time a new commit pushed to your repository +on: + schedule: + - cron: '30 4 * * *' + pull_request: + +jobs: + # Set the job key. The key is displayed as the job name + # when a job name is not provided + test-gitlab: + if: ${{ github.event.pull_request.head.ref != 'documentation' }} + # Name the Job + name: Build a GitLab server with ce-provision + # Set the type of machine to run on + runs-on: ubuntu-latest + + # Use our ce-dev Debian base container + container: + image: codeenigma/ce-dev:2.x + volumes: + - ${{ github.workspace }}:/home/controller + + steps: + - name: Install ce-provision + run: | + /usr/bin/curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/${{ github.event.pull_request.head.ref }}/install.sh + /usr/bin/chmod +x ./install.sh + /usr/bin/sudo ./install.sh --version ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --docker --no-firewall + + # Run a GitLab server provision + - name: Prepare Git repos on disk + run: | + /usr/bin/git config --global --add safe.directory /home/controller/ce-provision + /usr/bin/git config --global --add safe.directory /home/controller/ce-provision/config + + - name: Start SSHD + run: /usr/sbin/sshd& + + - name: Provision a test GitLab server + run: /usr/bin/su - controller -c "cd /home/controller/ce-provision && /bin/sh /home/controller/ce-provision/scripts/provision.sh --python-interpreter /home/controller/ce-python/bin/python3 --repo dummy --branch dummy --workspace /home/controller/ce-provision/ce-dev/ansible --playbook plays/gitlab/ci.yml --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --force" diff --git a/.github/workflows/ce-provision-test-gitlab.yml.NOPE b/.github/workflows/ce-provision-test-gitlab.yml.NOPE deleted file mode 100644 index 8b171062e..000000000 
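Review bot: the new `schedule` trigger provides no pull_request context, so on the nightly run `github.event.pull_request.head.ref` and `base.ref` expand to empty strings: the `if:` guard still passes (an empty string is not equal to 'documentation'), the curl fetches `.../ce-provision//install.sh`, and `--version`/`--config-branch` are passed empty values, which at best installs from the wrong place and at worst produces a misleading failure. Suggest resolving the refs once with a fallback, e.g. `${{ github.event.pull_request.head.ref || github.ref_name }}` and `${{ github.event.pull_request.base.ref || '2.x' }}`, or keeping the workflow on `pull_request` only until the schedule path is handled. Worth noting too that the step downloads and runs `install.sh` as root from the PR head branch on GitHub rather than from the workspace it already mounts at /home/controller, so the installer being executed and the code under test can diverge.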
--- a/.github/workflows/ce-provision-test-gitlab.yml.NOPE +++ /dev/null @@ -1,42 +0,0 @@ -name: Run GitLab server test build - -# Run this workflow every time a new commit pushed to your repository -on: pull_request - -jobs: - # Set the job key. The key is displayed as the job name - # when a job name is not provided - test-gitlab: - # Name the Job - name: Run tests against Ansible code base - # Set the type of machine to run on - runs-on: ubuntu-latest - - steps: - # Checks out a copy of your repository on the ubuntu-latest machine - - name: Checkout code - if: ${{ github.event.pull_request.head.ref != 'documentation' }} - uses: actions/checkout@v2 - - # Installs the ce-dev stack - - name: Install ce-dev - if: ${{ github.event.pull_request.head.ref != 'documentation' }} - run: | - cd /tmp - wget https://golang.org/dl/go1.15.8.linux-amd64.tar.gz - sudo tar -C /usr/local -xzf go1.15.8.linux-amd64.tar.gz - export PATH=$PATH:/usr/local/go/bin - git clone https://github.com/FiloSottile/mkcert && cd mkcert - go build -ldflags "-X main.Version=$(git describe --tags)" - sudo mv ./mkcert /usr/local/bin && cd ../ - sudo chmod +x /usr/local/bin/mkcert - rm -Rf mkcert - curl -sL https://raw.githubusercontent.com/codeenigma/ce-dev/1.x/install.sh | /bin/sh -s -- linux - - # Uses the ce-dev stack to run a test provision - - name: Run a test provision - if: ${{ github.event.pull_request.head.ref != 'documentation' }} - run: | - git clone --branch 1.x https://github.com/codeenigma/ce-dev-ce-provision-config.git config - /bin/bash ce-dev/ansible/test.sh --examples gitlab --own-branch ${{ github.event.pull_request.base.ref }} --config-branch ${{ github.event.pull_request.base.ref }} - shell: bash diff --git a/.github/workflows/ce-provision-test-web.yml b/.github/workflows/ce-provision-test-web.yml index e78a140d0..54421cd40 100644 --- a/.github/workflows/ce-provision-test-web.yml +++ b/.github/workflows/ce-provision-test-web.yml 
@@ -1,42 +1,42 @@ name: Run web server test build -# Run this workflow every time a new commit pushed to your repository -on: pull_request +# Run this workflow nightly and every time a new commit pushed to your repository +on: + schedule: + - cron: '30 4 * * *' + pull_request: jobs: # Set the job key. The key is displayed as the job name # when a job name is not provided test-web: + if: ${{ github.event.pull_request.head.ref != 'documentation' }} # Name the Job - name: Run tests against Ansible code base + name: Build a web server with ce-provision # Set the type of machine to run on runs-on: ubuntu-latest - steps: - # Checks out a copy of your repository on the ubuntu-latest machine - - name: Checkout code - if: ${{ github.event.pull_request.head.ref != 'documentation' }} - uses: actions/checkout@v2 + # Use our ce-dev Debian base container + container: + image: codeenigma/ce-dev:2.x + volumes: + - ${{ github.workspace }}:/home/controller - # Installs the ce-dev stack - - name: Install ce-dev - if: ${{ github.event.pull_request.head.ref != 'documentation' }} + steps: + - name: Install ce-provision run: | - cd /tmp - wget https://golang.org/dl/go1.15.8.linux-amd64.tar.gz - sudo tar -C /usr/local -xzf go1.15.8.linux-amd64.tar.gz - export PATH=$PATH:/usr/local/go/bin - git clone https://github.com/FiloSottile/mkcert && cd mkcert - go build -ldflags "-X main.Version=$(git describe --tags)" - sudo mv ./mkcert /usr/local/bin && cd ../ - sudo chmod +x /usr/local/bin/mkcert - rm -Rf mkcert - curl -sL https://raw.githubusercontent.com/codeenigma/ce-dev/${{ github.event.pull_request.base.ref }}/install.sh | /bin/sh -s -- --platform linux + /usr/bin/curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/${{ github.event.pull_request.head.ref }}/install.sh + /usr/bin/chmod +x ./install.sh + /usr/bin/sudo ./install.sh --version ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --docker --no-firewall - # Uses the 
ce-dev stack to run a test provision - - name: Run a test provision - if: ${{ github.event.pull_request.head.ref != 'documentation' }} + # Run a web server provision + - name: Prepare Git repos on disk run: | - git clone --branch ${{ github.event.pull_request.base.ref }} https://github.com/codeenigma/ce-dev-ce-provision-config.git config - /bin/bash ce-dev/ansible/test.sh --examples web --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} - shell: bash + /usr/bin/git config --global --add safe.directory /home/controller/ce-provision + /usr/bin/git config --global --add safe.directory /home/controller/ce-provision/config + + - name: Start SSHD + run: /usr/sbin/sshd& + + - name: Provision a test web server + run: /usr/bin/su - controller -c "cd /home/controller/ce-provision && /bin/sh /home/controller/ce-provision/scripts/provision.sh --python-interpreter /home/controller/ce-python/bin/python3 --repo dummy --branch dummy --workspace /home/controller/ce-provision/ce-dev/ansible --playbook plays/web/ci.yml --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --force" diff --git a/ce-dev/ansible/plays/gitlab/ci.yml b/ce-dev/ansible/plays/gitlab/ci.yml new file mode 100644 index 000000000..eb61f611f --- /dev/null +++ b/ce-dev/ansible/plays/gitlab/ci.yml 
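Review bot: this workflow is now a line-for-line copy of ce-provision-test-gitlab.yml apart from the job name and playbook path, and it inherits the same `schedule` problem (no pull_request context, so `head.ref`/`base.ref` expand empty while the `if:` guard still passes). Consider a single workflow with a `matrix` over `plays/web/ci.yml` and `plays/gitlab/ci.yml`, or a reusable workflow that takes the playbook as an input, so the trigger and installer logic only has to be fixed in one place.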
@@ -0,0 +1,37 @@ +--- +- hosts: localhost + become: true + + vars: + project_name: gitlab + is_local: true + _ce_provision_base_dir: /home/ce-dev/ce-provision + _init: + force_play: true + vars_dirs: + - "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/_common" + - "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/{{ project_name }}" + + tasks: + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: debian/user_provision + - ansible.builtin.import_role: + name: _meta/common_base + - ansible.builtin.import_role: + name: debian/ce_deploy + - ansible.builtin.import_role: + name: aws/aws_credentials + - ansible.builtin.import_role: + name: debian/gitlab + - ansible.builtin.import_role: + name: debian/gitlab_runner + - ansible.builtin.import_role: + name: debian/ssh_server + - ansible.builtin.import_role: + name: debian/sops + - ansible.builtin.import_role: + name: debian/gpg_key + - ansible.builtin.import_role: + name: _exit diff --git a/ce-dev/ansible/plays/gitlab/gitlab.yml b/ce-dev/ansible/plays/gitlab/gitlab.yml index 262a16f6c..020c4502f 100644 --- a/ce-dev/ansible/plays/gitlab/gitlab.yml +++ b/ce-dev/ansible/plays/gitlab/gitlab.yml 
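Review bot: `_ce_provision_base_dir: /home/ce-dev/ce-provision` is hard-coded, but the workflow that runs this play mounts the workspace at `/home/controller` and invokes `provision.sh` with `--workspace /home/controller/ce-provision/ce-dev/ansible`, so `vars_dirs` points at `/home/ce-dev/ce-provision/ce-dev/ansible/vars/...` unless something outside this diff creates that path. If the ce-dev home is guaranteed by the `--docker`/`is_local` handling, a comment saying so would help; otherwise derive the base dir from `playbook_dir` so the play follows wherever the checkout lives. The identical `vars` block appears again in plays/web/ci.yml; a shared vars file would keep the two from drifting.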
@@ -16,24 +16,24 @@ - ansible.builtin.import_role: name: _init - ansible.builtin.import_role: - name: user_provision + name: debian/user_provision - ansible.builtin.import_role: name: _meta/common_base - ansible.builtin.import_role: - name: ce_deploy + name: debian/ce_deploy - ansible.builtin.import_role: name: aws/aws_credentials - ansible.builtin.import_role: - name: gitlab + name: debian/gitlab - ansible.builtin.import_role: - name: gitlab_runner + name: debian/gitlab_runner - ansible.builtin.import_role: - name: ssh_server + name: debian/ssh_server - ansible.builtin.import_role: - name: sops + name: debian/sops - ansible.builtin.import_role: - name: gpg_key + name: debian/gpg_key - ansible.builtin.import_role: - name: firewall_config + name: debian/firewall_config - ansible.builtin.import_role: name: _exit diff --git a/ce-dev/ansible/plays/web/ci.yml b/ce-dev/ansible/plays/web/ci.yml new file mode 100644 index 000000000..94bd2f49f --- /dev/null +++ b/ce-dev/ansible/plays/web/ci.yml @@ -0,0 +1,22 @@ +--- +# Spin up a "web" instance. +- hosts: localhost + become: true + + vars: + project_name: web + is_local: true + _ce_provision_base_dir: /home/ce-dev/ce-provision + _init: + force_play: true + vars_dirs: + - "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/_common" + - "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/{{ project_name }}" + + tasks: + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: _meta/webserver + - ansible.builtin.import_role: + name: _exit diff --git a/ce-dev/ansible/vars/gitlab/gitlab_runner.yml b/ce-dev/ansible/vars/gitlab/gitlab_runner.yml new file mode 100644 index 000000000..721b65ab0 --- /dev/null +++ b/ce-dev/ansible/vars/gitlab/gitlab_runner.yml @@ -0,0 +1,2 @@ +gitlab_runner: + restart: false # no systemd in CI containers diff --git a/docs/roles/_init.md b/docs/roles/_init.md index 0f40180e3..e619e5656 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md 
@@ -9,7 +9,10 @@ This is meant to ALWAYS be included as the first task of a play. If you include ## Default variables ```yaml --- -_ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" +# Set this variable to true to tell ce-provision it is running in a container. +is_local: false + +_ce_provision_username: "{% if is_local %}ce-dev{% else %}controller{% endif %}" _venv_path: "/home/{{ _ce_provision_username }}/ce-python" _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" @@ -25,8 +28,8 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false - lock_file: /tmp/ce-provision-lock - deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy + lock_file: /tmp/ce-provision-lock # set to an empty string to disable locking behaviour + deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy, set to an empty string to disable locking behaviour ce_provision_version: 2.x # Outputted by the _init role at the start of plays install_ansible: true # set to false to not install Ansible in a venv diff --git a/docs/roles/debian/aws_efs_client.md b/docs/roles/debian/aws_efs_client.md index 0711f04d9..5fc392261 100644 --- a/docs/roles/debian/aws_efs_client.md +++ b/docs/roles/debian/aws_efs_client.md 
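Review bot: with `is_local` now defaulting to `false`, the shortened `{% if is_local %}` is fine for YAML booleans, but a value supplied on the command line (`-e is_local=false`) arrives as the string "false", which is truthy in Jinja and would silently switch the username to `ce-dev`. `{% if is_local | bool %}` covers both cases; the same applies to the `username` expression in docs/roles/debian/ce_deploy.md in this patch. On the lock-file comments, "set to an empty string to disable locking behaviour" does not say whether `lock_file` and `deploy_lock_file` can be disabled independently or whether emptying one is enough; one sentence here would save readers a trip into the `_init` tasks.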
@@ -46,7 +46,7 @@ _mount_state: present aws_efs_client: aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set - version: 2.1.0 # version of AWS EFS utils to use + version: "{{ '1.35.0' if ansible_distribution_major_version | int < 12 else '2.1.0' }}" # 2.1.0 requires libssl v3 which is absent on Debian < 12 by default. build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb` deb_url: "" # provide an alternative location for the .deb package # See https://docs.ansible.com/ansible/latest/modules/mount_module.html diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md index 90aa38931..743cbf8cd 100644 --- a/docs/roles/debian/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md @@ -8,7 +8,7 @@ Installs Code Enigma's deploy stack on a server. ```yaml --- _ce_deploy: - username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" + username: "{% if is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. diff --git a/docs/roles/debian/gitlab.md b/docs/roles/debian/gitlab.md index c02282fd2..f4b11638b 100644 --- a/docs/roles/debian/gitlab.md +++ b/docs/roles/debian/gitlab.md @@ -38,6 +38,7 @@ gitlab: ssl: # @see the 'ssl' role. Note that domain is autopopulated from server_name above. enabled: false # manual SSL handling disabled by default handling: selfsigned + replace_existing: false # Linux setup linux_user: git linux_group: git diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md index 063e97276..443ffbf87 100644 --- a/docs/roles/debian/php-fpm.md +++ b/docs/roles/debian/php-fpm.md 
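Review bot: `replace_existing: false` is added under `gitlab.ssl` without the inline comment every sibling key carries. Since this file is generated documentation, please add the comment in the role defaults (what "existing" refers to, presumably a certificate already on disk, and what the role does on renewal when it is false) so the docs rebuild picks it up.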
@@ -23,7 +23,7 @@ php: # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, [ansible_facts.ansible_processor_nproc * 2, 64] | min] | max }}" + max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 diff --git a/install.sh b/install.sh index 5ff21ac82..7ca8822d0 100755 --- a/install.sh +++ b/install.sh 
@@ -6,19 +6,21 @@ set -e . /etc/os-release usage(){ - echo 'install.sh [OPTIONS]' - echo 'Install the latest ce-provision version, or the version specified as option.' - echo 'Please ensure you are using Debian Linux or similar and at least Bullseye (11) or higher.' - echo '' - echo 'Available options:' - echo '--version: ce-provision version to use (default: 2.x)' - echo '--user: Ansible controller user (default: controller)' - echo '--config: Git URL to your ce-provision Ansible config repository (default: https://github.com/codeenigma/ce-provision-config-example.git)' - echo '--config-branch: branch of your Ansible config repository to use (default: 1.x)' - echo '--gitlab: install GitLab CE on this server (default: no, set to desired GitLab address to install, e.g. gitlab.example.com)' - echo '--letsencrypt: try to create an SSL certificate with LetsEncrypt (requires DNS pointing at this server for provided GitLab URL)' - echo '--aws: enable AWS support' - echo '' + /usr/bin/echo 'install.sh [OPTIONS]' + /usr/bin/echo 'Install the latest ce-provision version, or the version specified as option.' + /usr/bin/echo 'Please ensure you are using Debian Linux or similar and at least Bullseye (11) or higher.' + /usr/bin/echo '' + /usr/bin/echo 'Available options:' + /usr/bin/echo '--version: ce-provision version to use (default: 2.x)' + /usr/bin/echo '--user: Ansible controller user (default: controller)' + /usr/bin/echo '--config: Git URL to your ce-provision Ansible config repository (default: https://github.com/codeenigma/ce-provision-config-example.git)' + /usr/bin/echo '--config-branch: branch of your Ansible config repository to use (default: 1.x)' + /usr/bin/echo '--no-firewall: skip installing iptables with ports 22, 80 and 443 open' + /usr/bin/echo '--gitlab: install GitLab CE on this server (default: no, set to desired GitLab address to install, e.g. 
gitlab.example.com)' + /usr/bin/echo '--letsencrypt: try to create an SSL certificate with LetsEncrypt (requires DNS pointing at this server for provided GitLab URL)' + /usr/bin/echo '--aws: enable AWS support' + /usr/bin/echo '--docker: script is running in a Docker container' + /usr/bin/echo '' } # Parse options arguments. @@ -48,9 +50,15 @@ parse_options(){ "--letsencrypt") LE_SUPPORT="yes" ;; + "--no-firewall") + FIREWALL="false" + ;; "--aws") AWS_SUPPORT="true" ;; + "--docker") + IS_LOCAL="true" + ;; *) usage exit 1 @@ -67,8 +75,11 @@ CONFIG_REPO="https://github.com/codeenigma/ce-provision-config-example.git" CONFIG_REPO_BRANCH="1.x" GITLAB_URL="no" LE_SUPPORT="no" +FIREWALL="true" AWS_SUPPORT="false" +IS_LOCAL="false" SERVER_HOSTNAME=$(hostname) +ANSIBLE_COMMAND="" # Parse options. parse_options "$@" 
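Review bot: the usage text still advertises `--config-branch` defaulting to `1.x` (and `CONFIG_REPO_BRANCH="1.x"` below) while `--version` defaults to `2.x`, so a bare `sudo ./install.sh` pairs 2.x roles with a 1.x config checkout; if the example config repository has a 2.x branch the default should follow it, and if not the mismatch deserves a comment. `ANSIBLE_COMMAND=""` is introduced in this hunk but nothing in the visible hunks assigns or reads it. Finally, the `--docker` help line could say what it actually does (it sets `IS_LOCAL`, which the `_init` defaults map to the `ce-dev` user), and `--no-firewall` could state that it leaves the host without the iptables rules the default path installs.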
@@ -83,76 +94,80 @@ if [ "$(id -u)" -ne 0 ] then echo "Please run this script as root or using sudo!" exit fi - + # Check we are using a compatible Linux distribution. +/usr/bin/echo "-------------------------------------------------" if [ "$ID" != "debian" ]; then if [ "$ID_LIKE" != "debian" ]; then - echo "ce-provision only supports Debian Linux and derivatives." + /usr/bin/echo "ce-provision only supports Debian Linux and derivatives." exit 0 else - echo "ce-provision works best with Debian Linux, it may work with this distro but no promises!" - echo "-------------------------------------------------" - echo "Carrying on regardless..." - echo "-------------------------------------------------" + /usr/bin/echo "ce-provision works best with Debian Linux, it may work with this distro but no promises!" + /usr/bin/echo "-------------------------------------------------" + /usr/bin/echo "Carrying on regardless..." + /usr/bin/echo "-------------------------------------------------" fi fi -echo "Beginning ce-provision installation." -echo "-------------------------------------------------" +/usr/bin/echo "Beginning ce-provision installation." +/usr/bin/echo "-------------------------------------------------" # Create required user. -echo "Check if user named $CONTROLLER_USER exists." +/usr/bin/echo "Check if user named $CONTROLLER_USER exists." # Check if user exists -if id "$CONTROLLER_USER" >/dev/null 2>&1; then - echo "The user named $CONTROLLER_USER already exists. Skipping." +if /usr/bin/id "$CONTROLLER_USER" >/dev/null 2>&1; then + /usr/bin/echo "The user named $CONTROLLER_USER already exists. Skipping." else # User not found so let's create them. - echo "Create user named $CONTROLLER_USER." + /usr/bin/echo "Create user named $CONTROLLER_USER." 
/usr/sbin/useradd -s /bin/bash "$CONTROLLER_USER" - echo "$CONTROLLER_USER":"$CONTROLLER_USER" | chpasswd -m - install -m 755 -o "$CONTROLLER_USER" -g "$CONTROLLER_USER" -d /home/"$CONTROLLER_USER" - install -m 700 -o "$CONTROLLER_USER" -g "$CONTROLLER_USER" -d /home/"$CONTROLLER_USER"/.ssh - echo root:"$CONTROLLER_USER" | chpasswd -m - echo "$CONTROLLER_USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/"$CONTROLLER_USER" - chmod 0440 /etc/sudoers.d/"$CONTROLLER_USER" + /usr/bin/echo "$CONTROLLER_USER":"$CONTROLLER_USER" | chpasswd -m + /usr/bin/install -m 755 -o "$CONTROLLER_USER" -g "$CONTROLLER_USER" -d /home/"$CONTROLLER_USER" + /usr/bin/install -m 700 -o "$CONTROLLER_USER" -g "$CONTROLLER_USER" -d /home/"$CONTROLLER_USER"/.ssh + /usr/bin/echo root:"$CONTROLLER_USER" | chpasswd -m + /usr/bin/echo "$CONTROLLER_USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/"$CONTROLLER_USER" + /usr/bin/chmod 0440 /etc/sudoers.d/"$CONTROLLER_USER" fi -echo "-------------------------------------------------" +/usr/bin/echo "-------------------------------------------------" # Install APT packages. -echo "Install required packages." -echo "-------------------------------------------------" +/usr/bin/echo "Install required packages." +/usr/bin/echo "-------------------------------------------------" /usr/bin/apt-get update /usr/bin/apt-get dist-upgrade -y -o Dpkg::Options::="--force-confnew" /usr/bin/apt-get install -y -o Dpkg::Options::="--force-confnew" \ git ca-certificates git-lfs \ openssh-client nfs-common stunnel4 \ python3-venv python3-debian \ - zip unzip gzip tar dnsutils -echo "-------------------------------------------------" + zip unzip gzip tar dnsutils net-tools +/usr/bin/echo "-------------------------------------------------" # Install Ansible in a Python virtual environment. -echo "Install Ansible and dependencies." 
-echo "-------------------------------------------------" -su - "$CONTROLLER_USER" -c "/usr/bin/python3 -m venv /home/$CONTROLLER_USER/ce-python" -su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/python3 -m pip install --upgrade pip" -su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install ansible netaddr python-debian" -su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-galaxy -p /home/$CONTROLLER_USER/.ansible/collections/ansible_collections collection install ansible.posix --force" +/usr/bin/echo "Install Ansible and dependencies." +/usr/bin/echo "-------------------------------------------------" +/usr/bin/su - "$CONTROLLER_USER" -c "/usr/bin/python3 -m venv /home/$CONTROLLER_USER/ce-python" +/usr/bin/su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/python3 -m pip install --upgrade pip" +/usr/bin/su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install ansible netaddr python-debian" +/usr/bin/su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-galaxy collection install ansible.posix -p /home/$CONTROLLER_USER/.ansible/collections/ansible_collections --force" if [ "$AWS_SUPPORT" = "true" ]; then - su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install boto3" + /usr/bin/su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install boto3" fi -echo "-------------------------------------------------" +/usr/bin/echo "-------------------------------------------------" # Install ce-provision. -echo "Install ce-provision." -echo "-------------------------------------------------" +/usr/bin/echo "Install ce-provision." +/usr/bin/echo "-------------------------------------------------" if [ ! 
-d "/home/$CONTROLLER_USER/ce-provision" ]; then - su - "$CONTROLLER_USER" -c "git clone --branch $VERSION https://github.com/codeenigma/ce-provision.git /home/$CONTROLLER_USER/ce-provision" + /usr/bin/su - "$CONTROLLER_USER" -c "git clone --branch $VERSION https://github.com/codeenigma/ce-provision.git /home/$CONTROLLER_USER/ce-provision" + /usr/bin/su - "$CONTROLLER_USER" -c "git clone --branch $CONFIG_REPO_BRANCH $CONFIG_REPO /home/$CONTROLLER_USER/ce-provision/config" + /usr/bin/su - "$CONTROLLER_USER" -c "/usr/bin/ln -s /home/$CONTROLLER_USER/ce-provision/config/ansible.cfg /home/$CONTROLLER_USER/ce-provision/ansible.cfg" else - echo "ce-provision directory at /home/$CONTROLLER_USER/ce-provision already exists. Skipping." - echo "-------------------------------------------------" + /usr/bin/echo "ce-provision directory at /home/$CONTROLLER_USER/ce-provision already exists. Skipping." + /usr/bin/echo "-------------------------------------------------" fi +/usr/bin/mkdir -p "/home/$CONTROLLER_USER/ce-provision/galaxy/roles" # Create playbook for ce-provision. -/usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL +/bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL --- - hosts: "localhost" become: true @@ -162,9 +177,13 @@ fi - name: Install ce-provision. ansible.builtin.import_role: name: debian/ce_provision + - name: Configure controller user. + ansible.builtin.import_role: + name: debian/user_provision EOL # Create vars file. -/usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/vars.yml" << EOL +/bin/cat >"/home/$CONTROLLER_USER/ce-provision/vars.yml" << EOL +--- _domain_name: ${SERVER_HOSTNAME} _ce_provision_data_dir: /home/${CONTROLLER_USER}/ce-provision/data _ce_provision_username: ${CONTROLLER_USER} 
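Review bot: `/usr/bin/mkdir -p "/home/$CONTROLLER_USER/ce-provision/galaxy/roles"` runs as root (the script itself is run with sudo) while every neighbouring step goes through `su - "$CONTROLLER_USER"`, so the new directory is root-owned and the controller's later `ansible-galaxy` runs cannot write roles into it; use `install -o "$CONTROLLER_USER" -g "$CONTROLLER_USER" -d` as the user block above does. Two further points on the clone block: the config clone and the `ln -s .../config/ansible.cfg` line sit inside `if [ ! -d "/home/$CONTROLLER_USER/ce-provision" ]`, so re-running the installer on an existing checkout never creates `config/` or the symlink and the `else` branch should at least check for them; and from now on the controller's `ansible.cfg` comes from `$CONFIG_REPO`, cloned over HTTPS at `$CONFIG_REPO_BRANCH` with no commit pin. `ansible.cfg` controls plugin paths, callbacks and vault settings, so that is a trust decision worth one line in the `--config` help text.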
@@ -176,7 +195,9 @@ ce_provision: aws_support: ${AWS_SUPPORT} new_user: ${CONTROLLER_USER} username: ${CONTROLLER_USER} - public_key_name: id_rsa.pub + ssh_key_bits: "521" + ssh_key_type: ecdsa + public_key_name: id_ecdsa.pub own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "${VERSION}" own_repository_skip_checkout: false @@ -197,6 +218,22 @@ ce_provision: enabled: true command: "/home/${CONTROLLER_USER}/ce-python/bin/ansible-galaxy collection install --force" on_calendar: "Mon *-*-* 04:00:00" +user_provision: + username: "${CONTROLLER_USER}" + home: "/home/${CONTROLLER_USER}" + create: false + create_home: false + update_password: always + utility_username: "${CONTROLLER_USER}" + utility_host: localhost + sudoer: true + groups: + - bypass2fa + ssh_keys: + - "{{ lookup('file', '/home/${CONTROLLER_USER}/ce-provision/data/localhost/home/${CONTROLLER_USER}/.ssh/id_ecdsa.pub') }}" + ssh_private_keys: [] + known_hosts: [] + known_hosts_hash: true firewall_config: purge: true firewall_state: started 
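Review bot: in the new `user_provision` block the controller user is placed in `groups: - bypass2fa` and given `sudoer: true`, with `update_password: always` resetting its password on every run, and nothing explains why an automation account on the controller needs a second-factor bypass. If it exists so the controller can SSH to `utility_host: localhost` with the generated key, say so in a comment and confirm the group exempts key-based logins only; combined with the username-as-password set earlier in this script, a bypass that also covers password logins would be a real weakening. The `ssh_keys` lookup hard-codes `/home/${CONTROLLER_USER}/ce-provision/data/localhost/home/${CONTROLLER_USER}/.ssh/id_ecdsa.pub`, which has to stay in step with `_ce_provision_data_dir` and the new `public_key_name: id_ecdsa.pub`; derive it from those variables so a later data-dir or key-name override does not fail at play time.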
@@ -216,13 +253,24 @@ firewall_config: - "80" - "443" EOL -su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" -rm "/home/$CONTROLLER_USER/ce-provision/provision.yml" + +# Tell Ansible this is a Docker container +if [ "$IS_LOCAL" = "true" ]; then + ANSIBLE_COMMAND="ansible-playbook --extra-vars \"{is_local: $IS_LOCAL}\" /home/$CONTROLLER_USER/ce-provision/provision.yml" +else + ANSIBLE_COMMAND="ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" +fi +# Configure ce-provision +/usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/$ANSIBLE_COMMAND" +/usr/bin/rm "/home/$CONTROLLER_USER/ce-provision/provision.yml" + +# Install firewall +if [ "$FIREWALL" = "true" ]; then # Create playbook for firewall. -echo "-------------------------------------------------" -echo "Install firewall." -echo "-------------------------------------------------" -/usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL + /usr/bin/echo "-------------------------------------------------" + /usr/bin/echo "Install firewall." + /usr/bin/echo "-------------------------------------------------" + /bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL --- - hosts: "localhost" become: true 
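Review bot: `is_local` is passed via `--extra-vars` only to the first `provision.yml` run; the firewall play in this hunk and the GitLab play further down are executed with a plain `ansible-playbook`, so in a `--docker` install they see the new `_init` default `is_local: false` and take the non-container branches, including `gitlab-ctl reconfigure` and the `gitlab-rails runner` step that this same patch guards with `when: not is_local`. Build the extra-vars string once and reuse `$ANSIBLE_COMMAND` for all three plays. Also, the `firewall_config:` section is still written to `vars.yml` when `FIREWALL` is false; harmless, but confusing next to the new "Skipping firewall." message.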
@@ -233,15 +281,20 @@ echo "-------------------------------------------------" ansible.builtin.import_role: name: debian/firewall_config EOL -su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" -echo "-------------------------------------------------" + /usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" + /usr/bin/echo "-------------------------------------------------" +else + /usr/bin/echo "-------------------------------------------------" + /usr/bin/echo "Skipping firewall." + /usr/bin/echo "-------------------------------------------------" +fi # Install GitLab if [ "$GITLAB_URL" != "no" ]; then - echo "Install GitLab." - echo "-------------------------------------------------" + /usr/bin/echo "Install GitLab." + /usr/bin/echo "-------------------------------------------------" # Create playbook. - /usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL + /bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL --- - hosts: "localhost" become: true @@ -256,7 +309,9 @@ if [ "$GITLAB_URL" != "no" ]; then name: debian/gitlab EOL # Create vars file. - /usr/bin/cat >"/home/$CONTROLLER_USER/ce-provision/vars.yml" << EOL + /bin/cat >"/home/$CONTROLLER_USER/ce-provision/vars.yml" << EOL +--- +_domain_name: ${SERVER_HOSTNAME} gitlab_runner: apt_origin: "origin=packages.gitlab.com/runner/gitlab-runner,codename=\${distro_codename},label=gitlab-runner" # used by apt_unattended_upgrades apt_signed_by: https://packages.gitlab.com/runner/gitlab-runner/gpgkey 
@@ -309,47 +364,50 @@ gitlab: custom_nginx_config: "" EOL if [ "$LE_SUPPORT" = "yes" ]; then - echo "Will try to create an SSL certificate with LetsEncrypt." - echo "*** THIS STEP WILL FAIL IF YOUR DNS IS NOT CORRECT! ***" + /usr/bin/echo "Will try to create an SSL certificate with LetsEncrypt." + /usr/bin/echo "*** THIS STEP WILL FAIL IF YOUR DNS IS NOT CORRECT! ***" if [ -n "$(dig +short "$GITLAB_URL".)" ]; then - echo "DNS record found, attempting LetsEncrypt request..." + /usr/bin/echo "DNS record found, attempting LetsEncrypt request..." # Write GitLab vars with LE for SSL - cat <> "/home/$CONTROLLER_USER/ce-provision/vars.yml" + /bin/cat <> "/home/$CONTROLLER_USER/ce-provision/vars.yml" letsencrypt: "true" ssl: enabled: false EOT - echo "-------------------------------------------------" + /usr/bin/echo "-------------------------------------------------" else - echo "No DNS found for provided URL, will create a self-signed certificate instead." + /usr/bin/echo "No DNS found for provided URL, will create a self-signed certificate instead." # Write GitLab vars with self-signed SSL - cat <> "/home/$CONTROLLER_USER/ce-provision/vars.yml" + /bin/cat <> "/home/$CONTROLLER_USER/ce-provision/vars.yml" letsencrypt: "false" ssl: enabled: true handling: selfsigned replace_existing: false EOT - echo "-------------------------------------------------" + /usr/bin/echo "-------------------------------------------------" fi else # Write GitLab vars with self-signed SSL - echo "Create a self-signed SSL certificate." - cat <> "/home/$CONTROLLER_USER/ce-provision/vars.yml" + /usr/bin/echo "Create a self-signed SSL certificate." 
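Review bot: `if [ -n "$(dig +short "$GITLAB_URL".)" ]` only proves that some record exists for the name, not that it points at this host, so the warning "THIS STEP WILL FAIL IF YOUR DNS IS NOT CORRECT" still applies in the branch that prints "DNS record found, attempting LetsEncrypt request...". Comparing the resolved address with the server's own public address before choosing the LetsEncrypt path would turn a failed certbot run into a clean fall-back to the self-signed branch.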
+ /bin/cat <> "/home/$CONTROLLER_USER/ce-provision/vars.yml" letsencrypt: "false" ssl: enabled: true handling: selfsigned replace_existing: false EOT - echo "-------------------------------------------------" + /usr/bin/echo "-------------------------------------------------" fi - su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" - echo "-------------------------------------------------" + /usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" + /usr/bin/echo "-------------------------------------------------" else - echo "GitLab not requested. Skipping." - echo "-------------------------------------------------" + /usr/bin/echo "GitLab not requested. Skipping." + /usr/bin/echo "-------------------------------------------------" +fi +# Tidy up if not a container +if [ "$IS_LOCAL" = "false" ]; then + /usr/bin/rm "/home/$CONTROLLER_USER/ce-provision/vars.yml" + /usr/bin/rm "/home/$CONTROLLER_USER/ce-provision/provision.yml" fi -rm "/home/$CONTROLLER_USER/ce-provision/vars.yml" -rm "/home/$CONTROLLER_USER/ce-provision/provision.yml" -echo "DONE." +/usr/bin/echo "DONE." diff --git a/roles/_exit/tasks/main.yml b/roles/_exit/tasks/main.yml index e6a844f4d..51d676278 100644 --- a/roles/_exit/tasks/main.yml +++ b/roles/_exit/tasks/main.yml @@ -53,3 +53,4 @@ ansible.builtin.file: path: "{{ _init.lock_file }}" state: absent + when: _init.lock_file | length > 0 diff --git a/roles/_init/README.md b/roles/_init/README.md index 0f40180e3..e619e5656 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md 
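Review bot: the new "Tidy up if not a container" block leaves `vars.yml` and `provision.yml` on disk when `IS_LOCAL` is true, but the comment does not say why; if the intent is to let ce-dev re-run the play, note it, and remember that `vars.yml` at this point holds the GitLab and SSL settings, so anything secret added to that file later will persist in the image. The `_exit` hunk correctly skips lock removal when `_init.lock_file` is empty, matching the `_init` change below.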
@@ -9,7 +9,10 @@ This is meant to ALWAYS be included as the first task of a play. If you include ## Default variables ```yaml --- -_ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" +# Set this variable to true to tell ce-provision it is running in a container. +is_local: false + +_ce_provision_username: "{% if is_local %}ce-dev{% else %}controller{% endif %}" _venv_path: "/home/{{ _ce_provision_username }}/ce-python" _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" @@ -25,8 +28,8 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false - lock_file: /tmp/ce-provision-lock - deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy + lock_file: /tmp/ce-provision-lock # set to an empty string to disable locking behaviour + deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy, set to an empty string to disable locking behaviour ce_provision_version: 2.x # Outputted by the _init role at the start of plays install_ansible: true # set to false to not install Ansible in a venv diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index 97a5ad1bf..5c2d85d42 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml @@ -1,5 +1,8 @@ --- -_ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" +# Set this variable to true to tell ce-provision it is running in a container. +is_local: false + +_ce_provision_username: "{% if is_local %}ce-dev{% else %}controller{% endif %}" _venv_path: "/home/{{ _ce_provision_username }}/ce-python" _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" 
@@ -15,8 +18,8 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false - lock_file: /tmp/ce-provision-lock - deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy + lock_file: /tmp/ce-provision-lock # set to an empty string to disable locking behaviour + deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy, set to an empty string to disable locking behaviour ce_provision_version: 2.x # Outputted by the _init role at the start of plays install_ansible: true # set to false to not install Ansible in a venv diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml index 3207c13f4..ac996f250 100644 --- a/roles/_init/tasks/main.yml +++ b/roles/_init/tasks/main.yml @@ -8,10 +8,13 @@ - name: Check for a ce-deploy lock file. ansible.builtin.stat: path: "{{ _init.deploy_lock_file }}" + when: _init.deploy_lock_file | length > 0 register: _ce_deploy_lock - name: Abort if ce-deploy lock file exists. - when: _ce_deploy_lock.stat.exists is defined and _ce_deploy_lock.stat.exists + when: + - _init.deploy_lock_file | length > 0 + - _ce_deploy_lock.stat.exists is defined and _ce_deploy_lock.stat.exists block: - name: Abort if ce-deploy lock file is found. ansible.builtin.debug: @@ -31,6 +34,7 @@ path: "{{ _init.lock_file }}" state: touch mode: 0644 + when: _init.lock_file | length > 0 # Load Linux services into ansible_facts.services. - name: Populate service facts diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index 39ccb984b..f876b55cb 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml @@ -79,7 +79,9 @@ dest: "/etc/profile.d/ansible-path.sh" - name: Install systemd timer. - when: ce_ansible.upgrade.enabled + when: + - ce_ansible.upgrade.enabled + - not is_local block: - name: Build systemd timer variables string. ansible.builtin.set_fact: 
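Review bot: the `_init` lock handling keeps `/tmp/ce-provision-lock` and `/tmp/ce-deploy-lock` as fixed names in a shared, world-writable directory; any local user can pre-create either file to block all provisioning, and the `state: touch` with `mode: 0644` will fail on a file owned by someone else. Moving the lock files under a directory owned by the controller user (or `/run/lock`) fixes both, and the new "set to an empty string to disable" comments should mention that disabling locking also disables the ce-deploy collision check. The `when: _init.deploy_lock_file | length > 0` on the stat task is fine because the abort block still tests `_ce_deploy_lock.stat.exists is defined`, but the `register` now also records a skipped result, which is worth a comment.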
diff --git a/roles/debian/ansible_galaxy/tasks/main.yml b/roles/debian/ansible_galaxy/tasks/main.yml index b267a73fe..106943f1d 100644 --- a/roles/debian/ansible_galaxy/tasks/main.yml +++ b/roles/debian/ansible_galaxy/tasks/main.yml @@ -11,7 +11,8 @@ register: _galaxy_requirements - name: Install ansible-galaxy roles and/or collections. - when: _galaxy_requirements.stat.exists + when: + - _galaxy_requirements.stat.exists block: - name: Set up the ansible-galaxy command. ansible.builtin.set_fact: @@ -32,6 +33,7 @@ when: - ansible_galaxy.upgrade_galaxy.enabled - _galaxy_requirements.stat.exists + - not is_local block: - name: Build timers variable. ansible.builtin.set_fact: diff --git a/roles/debian/apt_repository/tasks/main.yml b/roles/debian/apt_repository/tasks/main.yml index df016422b..cef05098e 100644 --- a/roles/debian/apt_repository/tasks/main.yml +++ b/roles/debian/apt_repository/tasks/main.yml @@ -66,6 +66,7 @@ - apt_repository.signed_by is defined - apt_repository.signed_by | length > 0 - apt_repository.signed_by is url # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/url_test.html + - not is_local block: - name: Create script to refresh APT repository key. ansible.builtin.template: diff --git a/roles/debian/aws_efs_client/README.md b/roles/debian/aws_efs_client/README.md index 0711f04d9..5fc392261 100644 --- a/roles/debian/aws_efs_client/README.md +++ b/roles/debian/aws_efs_client/README.md 
@@ -46,7 +46,7 @@ _mount_state: present aws_efs_client: aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set - version: 2.1.0 # version of AWS EFS utils to use + version: "{{ '1.35.0' if ansible_distribution_major_version | int < 12 else '2.1.0' }}" # 2.1.0 requires libssl v3 which is absent on Debian < 12 by default. build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb` deb_url: "" # provide an alternative location for the .deb package # See https://docs.ansible.com/ansible/latest/modules/mount_module.html diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md index 90aa38931..743cbf8cd 100644 --- a/roles/debian/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md @@ -8,7 +8,7 @@ Installs Code Enigma's deploy stack on a server. ```yaml --- _ce_deploy: - username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" + username: "{% if is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index 2999edae9..b4af9748b 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -1,6 +1,6 @@ --- _ce_deploy: - username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" + username: "{% if is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. diff --git a/roles/debian/gitlab/README.md b/roles/debian/gitlab/README.md index c02282fd2..f4b11638b 100644 --- a/roles/debian/gitlab/README.md 
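Review bot: only the `aws_efs_client` README hunk is in this patch region; the READMEs in this repository are generated from `defaults/main.yml`, so confirm the `version: "{{ '1.35.0' if ansible_distribution_major_version | int < 12 else '2.1.0' }}"` change is also in the role defaults, otherwise Debian 11 hosts will keep trying to install 2.1.0 against the missing libssl 3.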
+++ b/roles/debian/gitlab/README.md @@ -38,6 +38,7 @@ gitlab: ssl: # @see the 'ssl' role. Note that domain is autopopulated from server_name above. enabled: false # manual SSL handling disabled by default handling: selfsigned + replace_existing: false # Linux setup linux_user: git linux_group: git diff --git a/roles/debian/gitlab/defaults/main.yml b/roles/debian/gitlab/defaults/main.yml index f09d68f18..e2ed2ff05 100644 --- a/roles/debian/gitlab/defaults/main.yml +++ b/roles/debian/gitlab/defaults/main.yml @@ -25,6 +25,7 @@ gitlab: ssl: # @see the 'ssl' role. Note that domain is autopopulated from server_name above. enabled: false # manual SSL handling disabled by default handling: selfsigned + replace_existing: false # Linux setup linux_user: git linux_group: git diff --git a/roles/debian/gitlab/tasks/main.yml b/roles/debian/gitlab/tasks/main.yml index f98820592..00b55e162 100644 --- a/roles/debian/gitlab/tasks/main.yml +++ b/roles/debian/gitlab/tasks/main.yml @@ -87,20 +87,19 @@ src: gitlab-config.rb.j2 dest: /etc/gitlab/gitlab-config.rb -- name: Stop Gitlab. - ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl stop - -- name: Reconfigure Gitlab. - ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl reconfigure - - name: Let Gitlab know it's on Docker. ansible.builtin.copy: content: "gitlab-docker" dest: "/opt/gitlab/embedded/service/gitlab-rails/INSTALLATION_TYPE" mode: "0666" - when: - - is_local is defined - - is_local + when: is_local + +- name: Stop Gitlab. + ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl stop + +- name: Reconfigure Gitlab. + ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl reconfigure + when: not is_local - name: Copy startup script in place. ansible.builtin.template: @@ -110,9 +109,7 @@ group: root mode: "0555" force: true - when: - - is_local is defined - - is_local + when: is_local - name: Trigger overrides ansible.builtin.include_role: 
@@ -125,12 +122,12 @@ - name: Manually restart Gitlab/Docker. ansible.builtin.command: "/bin/sh /opt/gitlab-init.sh" - when: - - is_local is defined - - is_local + when: is_local - name: Ensure GitLab is started. ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl start +# @TODO - this task fails in CI with GitHub Actions because PostGreSQL isn't running - name: Run the GitLab configuration script for config that cannot be set in gitlab.rb. - ansible.builtin.command: "gitlab-rails runner /etc/gitlab/gitlab-config.rb" + ansible.builtin.command: /opt/gitlab/bin/gitlab-rails runner /etc/gitlab/gitlab-config.rb + when: not is_local diff --git a/roles/debian/gitlab/templates/gitlab-config.rb.j2 b/roles/debian/gitlab/templates/gitlab-config.rb.j2 index d3e1690f1..4a0619be9 100644 --- a/roles/debian/gitlab/templates/gitlab-config.rb.j2 +++ b/roles/debian/gitlab/templates/gitlab-config.rb.j2 @@ -1,9 +1,6 @@ # Disable DSA keys ApplicationSetting.last.update(dsa_key_restriction: -1) -# Disable ECDSA keys -ApplicationSetting.last.update(ecdsa_key_restriction: -1) - # Enforce at least 2048 bits for RSA keys ApplicationSetting.last.update(rsa_key_restriction: 2048) @@ -24,4 +21,3 @@ ApplicationSetting.last.update(signup_enabled: false) # Disable standard sign-in dialogue Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: false) {% endif %} - diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml index 745daadc9..017dd4afc 100644 --- a/roles/debian/gitlab_runner/tasks/main.yml +++ b/roles/debian/gitlab_runner/tasks/main.yml @@ -138,7 +138,7 @@ become: true - name: Restart gitlab-runner service. - ansible.builtin.service: + ansible.builtin.systemd_service: name: gitlab-runner state: restarted daemon_reload: true diff --git a/roles/debian/jitsi/tasks/main.yml b/roles/debian/jitsi/tasks/main.yml index ec485f6ba..cef38260b 100644 --- a/roles/debian/jitsi/tasks/main.yml +++ b/roles/debian/jitsi/tasks/main.yml 
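Review bot: deleting `ApplicationSetting.last.update(ecdsa_key_restriction: -1)` from `gitlab-config.rb.j2` does not re-enable ECDSA keys on servers that have already run the old template; the `-1` is persisted in the database and the script now simply stops touching it. Since the installer in this same patch switches the controller to `id_ecdsa.pub`, set the value explicitly (`ecdsa_key_restriction: 0`, GitLab's "no restriction") so existing GitLab instances accept the new key. In the tasks hunk, `INSTALLATION_TYPE` is still written with `mode: "0666"`; `0644` is enough for a file GitLab only reads. The `gitlab_runner` switch to `ansible.builtin.systemd_service` raises the minimum ansible-core to 2.15, which the installer's unpinned `pip install ansible` does not guarantee on an older controller.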
@@ -27,7 +27,7 @@ DefaultTasksMax=65000 - name: Force systemd to reread configs. - ansible.builtin.systemd: + ansible.builtin.systemd_service: daemon_reload: true - name: Write interactive hostname value for automated installation. diff --git a/roles/debian/locales/tasks/main.yml b/roles/debian/locales/tasks/main.yml index 7cdf73af4..e6e8af3bf 100644 --- a/roles/debian/locales/tasks/main.yml +++ b/roles/debian/locales/tasks/main.yml @@ -33,4 +33,4 @@ - name: Set timezone. community.general.timezone: name: "{{ locales.timezone }}" - when: not is_local is defined or not is_local + when: not is_local diff --git a/roles/debian/mysql_server_mariadb/tasks/main.yml b/roles/debian/mysql_server_mariadb/tasks/main.yml index f76d88ca7..f463d95e8 100644 --- a/roles/debian/mysql_server_mariadb/tasks/main.yml +++ b/roles/debian/mysql_server_mariadb/tasks/main.yml @@ -33,12 +33,12 @@ - name: Update MySQL root password. ansible.builtin.shell: > mysql -NBe 'GRANT ALL ON *.* TO "root"@"%" IDENTIFIED BY "root" WITH GRANT OPTION;' - when: is_local is defined and is_local + when: is_local - name: Update MySQL ce-dev password. ansible.builtin.shell: > mysql -NBe 'GRANT ALL ON *.* TO "ce-dev"@"%" IDENTIFIED BY "ce-dev" WITH GRANT OPTION;' - when: is_local is defined and is_local + when: is_local - name: Ensure mysql can write data. ansible.builtin.file: diff --git a/roles/debian/mysql_server_oracle_ce/tasks/main.yml b/roles/debian/mysql_server_oracle_ce/tasks/main.yml index b427af88c..f42b70f5b 100644 --- a/roles/debian/mysql_server_oracle_ce/tasks/main.yml +++ b/roles/debian/mysql_server_oracle_ce/tasks/main.yml 
@@ -77,12 +77,12 @@ - name: Update MySQL root password. ansible.builtin.shell: > mysql -NBe 'GRANT ALL ON *.* TO "root"@"%" IDENTIFIED BY "root" WITH GRANT OPTION;' - when: is_local is defined and is_local + when: is_local - name: Update MySQL ce-dev password. ansible.builtin.shell: > mysql -NBe 'GRANT ALL ON *.* TO "ce-dev"@"%" IDENTIFIED BY "ce-dev" WITH GRANT OPTION;' - when: is_local is defined and is_local + when: is_local - name: Ensure MySQL can write data. ansible.builtin.file: diff --git a/roles/debian/nginx/templates/drupal10.j2 b/roles/debian/nginx/templates/drupal10.j2 index fee75d6c5..a4dfa5449 100644 --- a/roles/debian/nginx/templates/drupal10.j2 +++ b/roles/debian/nginx/templates/drupal10.j2 @@ -81,7 +81,7 @@ location ~ ^/(index|cron|modules\/statistics\/statistics|core\/modules\/statisti try_files @phpprocess @phpprocess; } # Allow install/update for local stack. -{% if is_local is defined and is_local %} +{% if is_local %} location ~ ^/(install|update)\.php$ { try_files @phpprocess @phpprocess; } diff --git a/roles/debian/nginx/templates/drupal_common.j2 b/roles/debian/nginx/templates/drupal_common.j2 index 770203509..3e406dd6d 100644 --- a/roles/debian/nginx/templates/drupal_common.j2 +++ b/roles/debian/nginx/templates/drupal_common.j2 @@ -72,7 +72,7 @@ location ~ ^/(index|cron|modules\/statistics\/statistics|core\/modules\/statisti try_files @phpprocess @phpprocess; } # Allow install/update for local stack. -{% if is_local is defined and is_local %} +{% if is_local %} location ~ ^/(install|update)\.php$ { try_files @phpprocess @phpprocess; } diff --git a/roles/debian/nginx/templates/mautic.j2 b/roles/debian/nginx/templates/mautic.j2 index 92845e808..76de23a5c 100644 --- a/roles/debian/nginx/templates/mautic.j2 +++ b/roles/debian/nginx/templates/mautic.j2 
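Review bot: the templates changed in this region (`drupal10.j2`, `drupal_common.j2`, `mautic.j2`) now evaluate `{% if is_local %}` unconditionally, as do the `when: is_local` tasks above, so any play that renders them without `_init` first (where `is_local: false` is now defined) fails with an undefined variable instead of quietly taking the non-local branch as before. That is acceptable given the `_init` README says it must always be included first, but it is a behaviour change that should be called out in the changelog.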
@@ -60,7 +60,7 @@ location ~ /(addons|plugins)/.*/Assets/ { } # Allow index_dev/upgrade for local stack. -{% if is_local is defined and is_local %} +{% if is_local %} location ~ ^/(index_dev|upgrade)\.php$ { try_files @phpprocess @phpprocess; } diff --git a/roles/debian/php-fpm/README.md b/roles/debian/php-fpm/README.md index 063e97276..443ffbf87 100644 --- a/roles/debian/php-fpm/README.md +++ b/roles/debian/php-fpm/README.md @@ -23,7 +23,7 @@ php: # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, [ansible_facts.ansible_processor_nproc * 2, 64] | min] | max }}" + max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 diff --git a/roles/debian/php_blackfire/defaults/main.yml b/roles/debian/php_blackfire/defaults/main.yml index 323e94a55..0e0e5c8a9 100644 --- a/roles/debian/php_blackfire/defaults/main.yml +++ b/roles/debian/php_blackfire/defaults/main.yml @@ -6,3 +6,5 @@ blackfire: agent_server_token: "" agent_client_id: "" agent_client_token: "" + agent_cli_config_path: /home/ce-dev/.blackfire.ini + agent_cli_config_owner: ce-dev diff --git a/roles/debian/php_blackfire/tasks/main.yml b/roles/debian/php_blackfire/tasks/main.yml index d7e513f0f..e093d607c 100644 --- a/roles/debian/php_blackfire/tasks/main.yml +++ b/roles/debian/php_blackfire/tasks/main.yml 
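Review bot: in the `php-fpm` README hunk, `ansible_facts.ansible_processor_nproc` is not a valid key; inside the `ansible_facts` dictionary the fact is `processor_nproc` (the `ansible_` prefix only exists on the injected top-level variable `ansible_processor_nproc`). The new `| default(1)` therefore masks a permanent lookup failure rather than a missing gather, and `max_children` collapses to `max(5, min(2, 64))`, i.e. 5 on every server regardless of CPU count. Use `ansible_facts.processor_nproc | default(1)` and keep the fallback for the genuinely ungathered case. In the `php_blackfire` defaults the new `agent_cli_config_path` and `agent_cli_config_owner` hard-code `ce-dev`; fine while the task is gated on `is_local`, but the default should probably be derived from `_ce_provision_username` like the other roles in this patch.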
@@ -67,13 +67,13 @@ - name: Generate agent CLI configuration. ansible.builtin.template: src: blackfire.ini.j2 - dest: "/home/vagrant/.blackfire.ini" - owner: vagrant - group: vagrant + dest: "{{ blackfire.agent_cli_config_path }}" + owner: "{{ blackfire.agent_cli_config_owner }}" + group: "{{ blackfire.agent_cli_config_owner }}" mode: 0644 when: - blackfire.enable - - is_local is defined and is_local + - is_local - name: Trigger overrides ansible.builtin.include_role: diff --git a/roles/debian/postfix/tasks/main.yml b/roles/debian/postfix/tasks/main.yml index 83c7ecec6..94d433c28 100644 --- a/roles/debian/postfix/tasks/main.yml +++ b/roles/debian/postfix/tasks/main.yml @@ -99,7 +99,6 @@ state: directory when: - postfix.ce_dev_delivery_mode == "host" - - is_local is defined - is_local - name: Configure procmail to NULL. @@ -110,9 +109,7 @@ group: root mode: "0644" force: true - when: - - is_local is defined - - is_local + when: is_local - name: Configure procmail to host directory. ansible.builtin.template: @@ -124,7 +121,6 @@ force: true when: - postfix.ce_dev_delivery_mode == "host" - - is_local is defined - is_local - name: Configure procmail to local. @@ -133,7 +129,6 @@ state: absent when: - postfix.ce_dev_delivery_mode == "local" - - is_local is defined - is_local # Needed for Docker. diff --git a/roles/debian/postfix/templates/main.cf.j2 b/roles/debian/postfix/templates/main.cf.j2 index e79389db4..6addd3c23 100644 --- a/roles/debian/postfix/templates/main.cf.j2 +++ b/roles/debian/postfix/templates/main.cf.j2 @@ -52,7 +52,7 @@ smtpd_tls_key_file = {{ postfix.ssl.smtp_tls_key_file }} smtpd_tls_CApath = {{ postfix.ssl.smtp_tls_CApath }} smtpd_tls_CAfile = {{ postfix.ssl.smtp_tls_CAfile }} {% endif %} -{% if (is_local is defined) and is_local %} +{% if is_local %} # Force all mail to ce-dev user. virtual_alias_domains = "" virtual_alias_maps = static:ce-dev 
diff --git a/roles/debian/user_deploy/defaults/main.yml b/roles/debian/user_deploy/defaults/main.yml index dc22f8164..1d83a8cd7 100644 --- a/roles/debian/user_deploy/defaults/main.yml +++ b/roles/debian/user_deploy/defaults/main.yml @@ -1,5 +1,5 @@ --- -_user_deploy_username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" +_user_deploy_username: "{% if is_local %}ce-dev{% else %}deploy{% endif %}" user_deploy: # This sets both username and main group. # If you are using ce-deploy to deploy code this must match the `deploy_user` variable diff --git a/roles/debian/user_provision/defaults/main.yml b/roles/debian/user_provision/defaults/main.yml index 7d07a8cc2..f10896c32 100644 --- a/roles/debian/user_provision/defaults/main.yml +++ b/roles/debian/user_provision/defaults/main.yml @@ -1,5 +1,5 @@ --- -_user_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" +_user_provision_username: "{% if is_local %}ce-dev{% else %}controller{% endif %}" user_provision: # This sets both username and main group. username: "{{ _user_provision_username }}" From ca98e15f021536486fab34636c34bf9de35f222d Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 18 Dec 2024 16:13:42 +0100 Subject: [PATCH 286/331] Update .wikis2pages.yml --- .wikis2pages.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.wikis2pages.yml b/.wikis2pages.yml index 7d33c03cb..f491e7fe0 100644 --- a/.wikis2pages.yml +++ b/.wikis2pages.yml 
@@ -1,10 +1,10 @@ -ce-provision-1.x: +ce-provision-2.x: src: https://github.com/codeenigma/ce-provision.git - src_branch: 1.x + src_branch: 2.x src_subdir: 'docs' dest: https://github.com/codeenigma/ce-provision-docs.git # remote and token for pushing added in GitHub Actions directly dest_branch: master - dest_subdir: 1.x + dest_subdir: 2.x title: ce-provision type: doc - base_url: https://codeenigma.github.io/ce-provision-docs/1.x + base_url: https://codeenigma.github.io/ce-provision-docs/2.x From 7ee7f1c93595248060366a0321a7157f95c7ef7b Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Sat, 21 Dec 2024 13:41:01 +0100 Subject: [PATCH 287/331] Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. * Updating installer config branch to 2.x * Removing config branch, default is fine now --- .../workflows/ce-provision-test-gitlab.yml | 4 +- .../workflows/ce-provision-test-nightly.yml | 43 +++++++++++++++++++ .github/workflows/ce-provision-test-web.yml | 4 +- install.sh | 4 +- 4 files changed, 47 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/ce-provision-test-nightly.yml diff --git a/.github/workflows/ce-provision-test-gitlab.yml b/.github/workflows/ce-provision-test-gitlab.yml index bd50e7233..9e5b46a30 100644 --- a/.github/workflows/ce-provision-test-gitlab.yml +++ b/.github/workflows/ce-provision-test-gitlab.yml @@ -1,9 +1,7 @@ name: Run GitLab server test build -# Run this workflow nightly and every time a new commit pushed to your repository +# Run this workflow every time a new commit is pushed to your repository on: - schedule: - - cron: '30 4 * * *' pull_request: jobs: diff --git a/.github/workflows/ce-provision-test-nightly.yml b/.github/workflows/ce-provision-test-nightly.yml new file mode 100644 index 000000000..a10fdd67a --- /dev/null +++ b/.github/workflows/ce-provision-test-nightly.yml 
@@ -0,0 +1,43 @@ +name: Run night test builds + +# Run this workflow nightly +on: + schedule: + - cron: '30 4 * * *' + +jobs: + # Set the job key. The key is displayed as the job name + # when a job name is not provided + test-nightly: + # Name the Job + name: Build server with ce-provision + # Set the type of machine to run on + runs-on: ubuntu-latest + + # Use our ce-dev Debian base container + container: + image: codeenigma/ce-dev:2.x + volumes: + - ${{ github.workspace }}:/home/controller + + steps: + - name: Install ce-provision + run: | + /usr/bin/curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/2.x/install.sh + /usr/bin/chmod +x ./install.sh + /usr/bin/sudo ./install.sh --docker --no-firewall + + # Run a web server provision + - name: Prepare Git repos on disk + run: | + /usr/bin/git config --global --add safe.directory /home/controller/ce-provision + /usr/bin/git config --global --add safe.directory /home/controller/ce-provision/config + + - name: Start SSHD + run: /usr/sbin/sshd& + + - name: Provision a test web server + run: /usr/bin/su - controller -c "cd /home/controller/ce-provision && /bin/sh /home/controller/ce-provision/scripts/provision.sh --python-interpreter /home/controller/ce-python/bin/python3 --repo dummy --branch dummy --workspace /home/controller/ce-provision/ce-dev/ansible --playbook plays/web/ci.yml --own-branch 2.x --config-branch 2.x --force" + + - name: Provision a test GitLab server + run: /usr/bin/su - controller -c "cd /home/controller/ce-provision && /bin/sh /home/controller/ce-provision/scripts/provision.sh --python-interpreter /home/controller/ce-python/bin/python3 --repo dummy --branch dummy --workspace /home/controller/ce-provision/ce-dev/ansible --playbook plays/gitlab/ci.yml --own-branch 2.x --config-branch 2.x --force" diff --git a/.github/workflows/ce-provision-test-web.yml b/.github/workflows/ce-provision-test-web.yml index 54421cd40..595905064 100644 --- a/.github/workflows/ce-provision-test-web.yml 
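Review bot: the nightly job fetches and runs `install.sh` from the live `2.x` branch via `curl -LO` and `sudo ./install.sh`, not from the checked-out workspace, so a nightly failure cannot be attributed to a specific commit and a compromised or half-merged branch is executed as root in the runner; use the copy already mounted at `/home/controller` (or at least record the fetched script's hash in the log). Also `name: Run night test builds` should read "nightly", and `--own-branch 2.x --config-branch 2.x` are now redundant with the new `install.sh` defaults in the next hunk.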
+++ b/.github/workflows/ce-provision-test-web.yml @@ -1,9 +1,7 @@ name: Run web server test build -# Run this workflow nightly and every time a new commit pushed to your repository +# Run this every time a new commit is pushed to your repository on: - schedule: - - cron: '30 4 * * *' pull_request: jobs: diff --git a/install.sh b/install.sh index 7ca8822d0..53db4ce5d 100755 --- a/install.sh +++ b/install.sh @@ -14,7 +14,7 @@ usage(){ /usr/bin/echo '--version: ce-provision version to use (default: 2.x)' /usr/bin/echo '--user: Ansible controller user (default: controller)' /usr/bin/echo '--config: Git URL to your ce-provision Ansible config repository (default: https://github.com/codeenigma/ce-provision-config-example.git)' - /usr/bin/echo '--config-branch: branch of your Ansible config repository to use (default: 1.x)' + /usr/bin/echo '--config-branch: branch of your Ansible config repository to use (default: 2.x)' /usr/bin/echo '--no-firewall: skip installing iptables with ports 22, 80 and 443 open' /usr/bin/echo '--gitlab: install GitLab CE on this server (default: no, set to desired GitLab address to install, e.g. gitlab.example.com)' /usr/bin/echo '--letsencrypt: try to create an SSL certificate with LetsEncrypt (requires DNS pointing at this server for provided GitLab URL)' @@ -72,7 +72,7 @@ parse_options(){ VERSION="2.x" CONTROLLER_USER="controller" CONFIG_REPO="https://github.com/codeenigma/ce-provision-config-example.git" -CONFIG_REPO_BRANCH="1.x" +CONFIG_REPO_BRANCH="2.x" GITLAB_URL="no" LE_SUPPORT="no" FIREWALL="true" From 237a59aef98572643bccf87e9d5db40ac9c9ec5c Mon Sep 17 00:00:00 2001 
From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Mon, 23 Dec 2024 06:32:47 +0100 Subject: [PATCH 288/331] Updating-wazuh-template (#2154) --- ...c-rules-local_rules.xml => var-ossec-rules-local_rules.xml.j2} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/debian/wazuh/templates/{var-ossec-rules-local_rules.xml => var-ossec-rules-local_rules.xml.j2} (100%) diff --git a/roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml b/roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml.j2 similarity index 100% rename from roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml rename to roles/debian/wazuh/templates/var-ossec-rules-local_rules.xml.j2 From f41c49680ab8c79e5f6f74736d837d3d5172d643 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Tue, 31 Dec 2024 10:04:19 +0100 Subject: [PATCH 289/331] Updating le template (#2156) * Updating-le-template * Updating-le-template --- roles/debian/ssl/templates/le_cron.sh.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/debian/ssl/templates/le_cron.sh.j2 b/roles/debian/ssl/templates/le_cron.sh.j2 index 14501b22c..70e6e9699 100644 --- a/roles/debian/ssl/templates/le_cron.sh.j2 +++ b/roles/debian/ssl/templates/le_cron.sh.j2 @@ -37,7 +37,8 @@ if [ $certbot_exit_code -ne 0 ]; then # Certbot failed, send email notification recipient="{{ ssl.email }}" subject="Certbot Renewal Failed" - body="Certbot renewal failed with the following output: + hostname=$(cat /etc/hostname) + body="Certbot renewal failed on server $hostname with the following output: $certbot_output" send_email_notification "$recipient" "$subject" "$body" From 123bced0d4e5fe1f559edf1f54444cfa60242a4c Mon Sep 17 00:00:00 2001 
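Review bot: this patch only renames the template to `var-ossec-rules-local_rules.xml.j2` (100% similarity, no content change) and touches no task file, so any `template:` task still pointing at `var-ossec-rules-local_rules.xml` needs a matching update in the same change or the role will fail to find its source. If the `.j2` suffix is there so Jinja2 expressions can be added later, say so in the commit message rather than "Updating-wazuh-template".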
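Review bot: `hostname=$(cat /etc/hostname)` in the failure e-mail reads a file that is absent on some systems and, where present, holds only what the installer wrote there (often just the short name); `hostname=$(hostname -f)` or `uname -n` asks the kernel and is the more reliable choice in a cron script that runs unattended. The expansion inside `body="..."` is correctly double-quoted, so the rest of the hunk is fine.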
From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Thu, 2 Jan 2025 10:43:58 +0100 Subject: [PATCH 290/331] Reworking-nodejs-for-older-versions (#2157) --- roles/debian/nodejs/defaults/main.yml | 14 ++++++++++++-- roles/debian/nodejs/tasks/main.yml | 13 +++++++++---- 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/roles/debian/nodejs/defaults/main.yml b/roles/debian/nodejs/defaults/main.yml index 7e2324abf..12b91f8b5 100644 --- a/roles/debian/nodejs/defaults/main.yml +++ b/roles/debian/nodejs/defaults/main.yml @@ -1,8 +1,18 @@ --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: "origin=. nodistro,codename=nodistro,label=. nodistro" # nodejs repo - apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key + apt_origin_nodejs: >- + {{ + "origin=. nodistro,codename=nodistro,label=. nodistro" + if nodejs.version != "10.x" + else "origin=Node Source,codename=${distro_codename},label=Node Source" + }} + apt_signed_by_nodejs: >- + {{ + "https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key" + if nodejs.version != "10.x" + else "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" + }} apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg version: 18.x # LTS - see https://nodejs.dev/en/about/releases/ diff --git a/roles/debian/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml index 3128b7bb8..0c77dd5ee 100644 --- a/roles/debian/nodejs/tasks/main.yml +++ b/roles/debian/nodejs/tasks/main.yml 
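Review bot: both new defaults evaluate `nodejs.version` from inside the `nodejs` dictionary that defines them; Ansible templates a variable lazily as a whole, so a key of `nodejs` that refers to `nodejs.version` is a self-reference and risks a "recursive loop detected in template string" error as soon as the dict is rendered. Put the version switch in a separate top-level variable (or decide it in the task), and confirm that `origin=Node Source` (with the space) matches the `Origin:` field of the 10.x repository's Release file, otherwise unattended-upgrades will silently skip that origin.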
@@ -4,15 +4,20 @@ name: debian/apt_repository vars: apt_repository: - legacy_repo: "deb https://deb.nodesource.com/node_{{ nodejs.version }} nodistro main" + legacy_repo: >- + deb https://deb.nodesource.com/node_{{ nodejs.version }} + {{ "nodistro" if nodejs.version != "10.x" else ansible_distribution_release }} main format: deb822 name: nodejs - types: - - deb + types: >- + [ + "deb", + {{ "'deb-src'" if nodejs.version == "10.x" else "" | trim }} + ] uris: - "https://deb.nodesource.com/node_{{ nodejs.version }}" signed_by: "{{ nodejs.apt_signed_by_nodejs }}" - suites: "nodistro" + suites: "{{ 'nodistro' if nodejs.version != '10.x' else ansible_distribution_release }}" components: - main state: present From 984c5020b17addb8964bfb8ca88bcbfb7071dfd2 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Fri, 3 Jan 2025 10:25:39 +0100 Subject: [PATCH 291/331] Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions --- roles/debian/nodejs/defaults/main.yml | 14 ++------------ roles/debian/nodejs/tasks/main.yml | 14 +++++--------- 2 files changed, 7 insertions(+), 21 deletions(-) diff --git a/roles/debian/nodejs/defaults/main.yml b/roles/debian/nodejs/defaults/main.yml index 12b91f8b5..746defdbc 100644 --- a/roles/debian/nodejs/defaults/main.yml +++ b/roles/debian/nodejs/defaults/main.yml 
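Review bot: the folded `types:` scalar renders to a string such as `[ "deb", ]` (non-10.x) or `[ "deb", 'deb-src' ]` (10.x) rather than a YAML list, and `| trim` binds only to the `""` in the else branch, so whether the role receives a list at all depends on Ansible converting that string back; a real templated list, or a `when`-guarded alternative, cannot silently degrade into a one-element string. The `{{ "nodistro" if nodejs.version != "10.x" else ansible_distribution_release }}` switch is now duplicated in `legacy_repo` and `suites`; compute the suite once in a fact and reference it from both.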
@@ -1,18 +1,8 @@ --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: >- - {{ - "origin=. nodistro,codename=nodistro,label=. nodistro" - if nodejs.version != "10.x" - else "origin=Node Source,codename=${distro_codename},label=Node Source" - }} - apt_signed_by_nodejs: >- - {{ - "https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key" - if nodejs.version != "10.x" - else "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" - }} + apt_origin_nodejs: "{% if nodejs.version != '10.x' %}origin=. nodistro,codename=nodistro,label=. nodistro{% else %}origin=Node Source,codename=${distro_codename},label=Node Source{% endif %}" + apt_signed_by_nodejs: "{% if nodejs.version != '10.x' %}https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key{% else %}https://deb.nodesource.com/gpgkey/nodesource.gpg.key{% endif %}" apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg version: 18.x # LTS - see https://nodejs.dev/en/about/releases/ diff --git a/roles/debian/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml index 0c77dd5ee..4e9b65e36 100644 --- a/roles/debian/nodejs/tasks/main.yml +++ b/roles/debian/nodejs/tasks/main.yml 
@@ -4,20 +4,16 @@ name: debian/apt_repository vars: apt_repository: - legacy_repo: >- - deb https://deb.nodesource.com/node_{{ nodejs.version }} - {{ "nodistro" if nodejs.version != "10.x" else ansible_distribution_release }} main + legacy_repo: "deb https://deb.nodesource.com/node_{{ nodejs.version }} {% if nodejs.version != '10.x' %}nodistro{% else %}{{ ansible_distribution_release }}{% endif %} main" format: deb822 name: nodejs - types: >- - [ - "deb", - {{ "'deb-src'" if nodejs.version == "10.x" else "" | trim }} - ] + types: + - deb + "{{ nodejs.version == '10.x' | ternary('- deb-src', '') }}" uris: - "https://deb.nodesource.com/node_{{ nodejs.version }}" signed_by: "{{ nodejs.apt_signed_by_nodejs }}" - suites: "{{ 'nodistro' if nodejs.version != '10.x' else ansible_distribution_release }}" + suites: "{% if nodejs.version != '10.x' %}nodistro{% else %}{{ ansible_distribution_release }}{% endif %}" components: - main state: present From d7f2a1b9694028c0d31d171010e0a9c59a3405cb Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Fri, 3 Jan 2025 10:46:57 +0100 Subject: [PATCH 292/331] Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs --- roles/debian/nodejs/tasks/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/debian/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml index 4e9b65e36..494051432 100644 --- a/roles/debian/nodejs/tasks/main.yml +++ b/roles/debian/nodejs/tasks/main.yml 
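Review bot: `"{{ nodejs.version == '10.x' | ternary('- deb-src', '') }}"` has a precedence problem: Jinja2 applies the filter before `==`, so this compares `nodejs.version` with the result of `'10.x' | ternary(...)`, i.e. with `- deb-src`, and never matches; it would need `(nodejs.version == '10.x') | ternary(...)`. Even then the line is a bare quoted scalar placed after the `- deb` sequence item at the same indentation, which is not valid YAML for a list, and the string `- deb-src` would be text inside one element rather than a second item. A single templated list, `"{{ ['deb'] + (['deb-src'] if nodejs.version == '10.x' else []) }}"`, expresses the intent without either problem.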
@@ -7,9 +7,7 @@ legacy_repo: "deb https://deb.nodesource.com/node_{{ nodejs.version }} {% if nodejs.version != '10.x' %}nodistro{% else %}{{ ansible_distribution_release }}{% endif %} main" format: deb822 name: nodejs - types: - - deb - "{{ nodejs.version == '10.x' | ternary('- deb-src', '') }}" + types: "{% if nodejs.version == '10.x' %}deb deb-src{% else %}deb{% endif %}" uris: - "https://deb.nodesource.com/node_{{ nodejs.version }}" signed_by: "{{ nodejs.apt_signed_by_nodejs }}" From 9c15d0e60872f84f85d9f1c0a5a0bd07115d24e1 Mon Sep 17 00:00:00 2001 From: drazenCE <140631110+drazenCE@users.noreply.github.com> Date: Fri, 3 Jan 2025 11:07:47 +0100 Subject: [PATCH 293/331] Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node --- roles/debian/nodejs/defaults/main.yml | 4 ++-- roles/debian/nodejs/tasks/main.yml | 15 ++++++++++++--- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/roles/debian/nodejs/defaults/main.yml b/roles/debian/nodejs/defaults/main.yml index 746defdbc..0ae6c011c 100644 --- a/roles/debian/nodejs/defaults/main.yml +++ b/roles/debian/nodejs/defaults/main.yml 
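Review bot: `types` changes from a YAML list (`- deb`) to the space-separated string `deb deb-src` / `deb`; that matches the deb822 `Types:` field syntax, but only if the `debian/apt_repository` role writes the value verbatim rather than iterating over it as a list, which this patch does not show. Check the role's template before merging, and consider whether `deb-src` is needed at all, since nothing in this change consumes source packages.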
@@ -1,8 +1,8 @@ --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: "{% if nodejs.version != '10.x' %}origin=. nodistro,codename=nodistro,label=. nodistro{% else %}origin=Node Source,codename=${distro_codename},label=Node Source{% endif %}" - apt_signed_by_nodejs: "{% if nodejs.version != '10.x' %}https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key{% else %}https://deb.nodesource.com/gpgkey/nodesource.gpg.key{% endif %}" + apt_origin_nodejs: "origin=Node Source,codename=nodistro,label=Node Source" # nodejs repo + apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg version: 18.x # LTS - see https://nodejs.dev/en/about/releases/ diff --git a/roles/debian/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml index 494051432..0806e47f5 100644 --- a/roles/debian/nodejs/tasks/main.yml +++ b/roles/debian/nodejs/tasks/main.yml 
@@ -4,20 +4,29 @@ name: debian/apt_repository vars: apt_repository: - legacy_repo: "deb https://deb.nodesource.com/node_{{ nodejs.version }} {% if nodejs.version != '10.x' %}nodistro{% else %}{{ ansible_distribution_release }}{% endif %} main" + legacy_repo: "deb https://deb.nodesource.com/node_{{ nodejs.version }} nodistro main" format: deb822 name: nodejs - types: "{% if nodejs.version == '10.x' %}deb deb-src{% else %}deb{% endif %}" + types: + - deb uris: - "https://deb.nodesource.com/node_{{ nodejs.version }}" signed_by: "{{ nodejs.apt_signed_by_nodejs }}" - suites: "{% if nodejs.version != '10.x' %}nodistro{% else %}{{ ansible_distribution_release }}{% endif %}" + suites: "nodistro" components: - main state: present enabled: true key_refresh_timer_OnCalendar: "Mon *-*-* 00:15:00" +- name: Modify repository for Node.js 10.x + set_fact: + apt_repository: + types: "deb deb-src" + suites: "{{ ansible_distribution_release }}" + signed_by: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" + when: nodejs.version == "10.x" + - name: Add Yarn repository and key. ansible.builtin.include_role: name: debian/apt_repository From 3cab7e3ace48e91c92bff1b9730193509c18bb38 Mon Sep 17 00:00:00 2001 
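Review bot: the new "Modify repository for Node.js 10.x" task runs after the `debian/apt_repository` include that adds the repository, so the repo has already been written with `suites: "nodistro"` and the default `signed_by` before the 10.x overrides exist, and `set_fact` replaces `apt_repository` with a three-key dict (dropping `format`, `name`, `uris`, `components`, `state`, `enabled` and `key_refresh_timer_OnCalendar`) rather than merging into it. If the 10.x branch is meant to change the repository, build the 10.x values before the include (`combine` onto the base dict) or add a second include with its own `vars:` and a `when: nodejs.version == "10.x"` guard. Note also that `legacy_repo` reverts to a hard-coded `nodistro`, which is inconsistent with the 10.x `suites` override in the same hunk.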
From: Greg Harvey Date: Mon, 6 Jan 2025 16:23:18 +0100 Subject: [PATCH 294/331] Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. --- .../workflows/ce-provision-publish-docs.yml | 85 +++++++++---------- ce-dev/ce-dev.compose.yml | 1 - 2 files changed, 41 insertions(+), 45 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index 2ba8cbc66..e3ef2ca95 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml 
@@ -1,60 +1,57 @@ -name: Build docs +name: Publish docs -# Run this workflow when a PR to 1.x gets merged +# Run this workflow on demand and every time a new commit pushed to your repository on: pull_request: - types: [closed] - branches: - - 1.x + workflow_dispatch: jobs: # Set the job key. The key is displayed as the job name # when a job name is not provided - build-docs: + public-docs: + if: ${{ github.event.pull_request.head.ref != 'documentation' }} # Name the Job - name: Build the documentation + name: Publish the ce-provision docs to GitHub # Set the type of machine to run on - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest + + # Use our ce-dev Debian base container + container: + image: codeenigma/ce-dev-controller:2.x + volumes: + - ${{ github.workspace }}:/home/controller steps: - # Checks out a copy of your repository on the ubuntu-latest machine - - name: Checkout code - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - # Configures global Git variables for committing - - name: Configure Git + - name: Install wiki2pages + run: /usr/bin/su - ce-dev -c "/usr/bin/git clone https://github.com/codeenigma/wikis2pages.git /home/ce-dev/build/wiki2pages" + + - name: Set up Ansible hosts file + run: | + mkdir -p /home/ce-dev/ansible/bin/hosts + echo "wikis2pages-hugo ansible_host=127.0.0.1" > /home/ce-dev/ansible/bin/hosts/hosts + + - name: Set up SSH config run: | - git config --global user.email "sysadm@codeenigma.com" - git config --global user.name "Code Enigma CI" - git config --global pull.rebase false + echo "StrictHostKeyChecking=no" > /home/ce-dev/.ssh/config + cat /home/ce-dev/.ssh/id_rsa.pub > /home/ce-dev/.ssh/authorized_keys + chown ce-dev:ce-dev /home/ce-dev/.ssh/config + chmod 700 /home/ce-dev/.ssh/config + chown ce-dev:ce-dev /home/ce-dev/.ssh/authorized_keys + chmod 700 /home/ce-dev/.ssh/authorized_keys + + - name: Start SSHD + run: /usr/sbin/sshd& - # Installs the ce-dev stack - - name: Install ce-dev + - name: Initialise wiki2pages for 
ce-provision 2.x run: | - cd /tmp - wget https://golang.org/dl/go1.15.8.linux-amd64.tar.gz - sudo tar -C /usr/local -xzf go1.15.8.linux-amd64.tar.gz - export PATH=$PATH:/usr/local/go/bin - git clone https://github.com/FiloSottile/mkcert && cd mkcert - go build -ldflags "-X main.Version=$(git describe --tags)" - sudo mv ./mkcert /usr/local/bin && cd ../ - sudo chmod +x /usr/local/bin/mkcert - rm -Rf mkcert - curl -sL https://raw.githubusercontent.com/codeenigma/ce-dev/1.x/install.sh | /bin/sh -s -- linux - - # Uses the ce-dev stack to run Hugo to format and deploy the docs + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /bin/sh init.sh --repo https://github.com/codeenigma/ce-provision.git --branch 2.x --no-ce-dev" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /home/ce-dev/ansible/bin/ansible-playbook -e 'wiki2pages_build_path=/home/ce-dev/build/wiki2pages' -i /home/ce-dev/ansible/bin/hosts /home/ce-dev/build/wiki2pages/ce-dev/ansible/provision.yml" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /bin/sh set-current.sh --project ce-provision-2.x --no-ce-dev" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /home/ce-dev/ansible/bin/ansible-playbook -e 'wiki2pages_build_path=/home/ce-dev/build/wiki2pages' -i /home/ce-dev/ansible/bin/hosts /home/ce-dev/build/wiki2pages/ce-dev/ansible/deploy.yml" + ls -la /home/ce-dev/build/wiki2pages/public/ce-provision-2.x/ + - name: Publish documentation run: | - cd - git clone https://github.com/codeenigma/wikis2pages.git - cd wikis2pages - /bin/bash init.sh https://${{ secrets.GITHUB_TOKEN }}@github.com/codeenigma/ce-provision.git 1.x - /bin/sh set-current.sh ce-provision-1.x - docker exec --user ce-dev --workdir /home/ce-dev/deploy/live.local wikis2pages-hugo hugo - /bin/sh .github-actions-push.sh - cd /home/runner/wikis2pages/public/ce-provision-1.x - git remote add ci https://${{ secrets.DOCS_GITHUB_TOKEN }}@github.com/codeenigma/ce-provision-docs.git - git push ci 
master - shell: bash + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /bin/sh /home/ce-dev/build/wiki2pages/.github-actions-push.sh" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages/public/ce-provision-2.x && /usr/bin/git remote add ci https://${{ secrets.DOCS_GITHUB_TOKEN }}@github.com/codeenigma/ce-provision-docs.git" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages/public/ce-provision-2.x && /usr/bin/git push ci master" diff --git a/ce-dev/ce-dev.compose.yml b/ce-dev/ce-dev.compose.yml index f512e6176..c4a4e2188 100644 --- a/ce-dev/ce-dev.compose.yml +++ b/ce-dev/ce-dev.compose.yml @@ -1,4 +1,3 @@ -version: "3.7" x-ce_dev: version: 1.x registry: localhost:5000 From 2a8f9370f1f964cc38208ebbcc8c27c0c71f2a70 Mon Sep 17 00:00:00 2001 
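Review bot: the trigger change publishes from unmerged work: the old workflow ran only on `pull_request: types: [closed]` against `1.x`, while the new one runs on every `pull_request` event plus `workflow_dispatch`, and the final step pushes the generated site to `ce-provision-docs` `master`; any PR opened from a branch of this repository can therefore overwrite the published docs before review. Restrict the trigger to `push: branches: [2.x]` (or keep a closed-and-merged check) and keep the `if: ${{ github.event.pull_request.head.ref != 'documentation' }}` guard only as a secondary filter. Two smaller points: `DOCS_GITHUB_TOKEN` is embedded in the remote URL passed through `su - ce-dev -c "..."`, so it is visible in the container's process list and persisted in `.git/config` of the build tree; prefer `GIT_ASKPASS`, a credential helper or `http.extraheader` for the push. And `chmod 700` on `~/.ssh/config` and `authorized_keys` sets an execute bit on plain files; `600` is the expected mode.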
From: Greg Harvey Date: Tue, 7 Jan 2025 13:00:31 +0100 Subject: [PATCH 295/331] Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. 
--- .../workflows/ce-provision-publish-docs.yml | 15 +- docs/_Sidebar.md | 196 +++++++++--------- docs/roles/aws/aws_ec2_autoscale_cluster.md | 2 +- docs/roles/debian/nodejs.md | 2 +- roles/aws/aws_ec2_autoscale_cluster/README.md | 2 +- roles/debian/nodejs/README.md | 2 +- 6 files changed, 115 insertions(+), 104 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index e3ef2ca95..edee7af4d 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -3,13 +3,15 @@ name: Publish docs # Run this workflow on demand and every time a new commit pushed to your repository on: pull_request: +# branches: +# - 1.x +# - 2.x workflow_dispatch: jobs: # Set the job key. The key is displayed as the job name # when a job name is not provided public-docs: - if: ${{ github.event.pull_request.head.ref != 'documentation' }} # Name the Job name: Publish the ce-provision docs to GitHub # Set the type of machine to run on @@ -25,6 +27,11 @@ jobs: - name: Install wiki2pages run: /usr/bin/su - ce-dev -c "/usr/bin/git clone https://github.com/codeenigma/wikis2pages.git /home/ce-dev/build/wiki2pages" + - name: Update local applications + run: | + /usr/bin/su - ce-dev -c "cd /home/ce-dev/ce-provision && /usr/bin/git pull origin 2.x" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/ce-deploy && /usr/bin/git pull origin 1.x" + - name: Set up Ansible hosts file run: | mkdir -p /home/ce-dev/ansible/bin/hosts 
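Review bot: removing the `if: ${{ github.event.pull_request.head.ref != 'documentation' }}` guard while keeping `pull_request` as the trigger means a PR from the `documentation` branch now runs the publish pipeline again, and the commented-out `branches:` filter should either be applied or deleted rather than left in the workflow. The new "Update local applications" step pulls `ce-provision` `2.x` and `ce-deploy` `1.x` at run time into the container, so the docs build depends on whatever those branches hold at that moment rather than on the commit under test; if the image's copies are stale, rebuild the image or check out the PR's own ref into `/home/ce-dev/ce-provision` instead.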
@@ -47,7 +54,11 @@ jobs: /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /bin/sh init.sh --repo https://github.com/codeenigma/ce-provision.git --branch 2.x --no-ce-dev" /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /home/ce-dev/ansible/bin/ansible-playbook -e 'wiki2pages_build_path=/home/ce-dev/build/wiki2pages' -i /home/ce-dev/ansible/bin/hosts /home/ce-dev/build/wiki2pages/ce-dev/ansible/provision.yml" /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /bin/sh set-current.sh --project ce-provision-2.x --no-ce-dev" - /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /home/ce-dev/ansible/bin/ansible-playbook -e 'wiki2pages_build_path=/home/ce-dev/build/wiki2pages' -i /home/ce-dev/ansible/bin/hosts /home/ce-dev/build/wiki2pages/ce-dev/ansible/deploy.yml" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /home/ce-dev/ansible/bin/ansible-playbook -e 'wiki2pages_build_path=/home/ce-dev/build/wiki2pages launch_hugo_server=false' -i /home/ce-dev/ansible/bin/hosts /home/ce-dev/build/wiki2pages/ce-dev/ansible/deploy.yml" + + - name: Run Hugo + run: | + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && hugo" ls -la /home/ce-dev/build/wiki2pages/public/ce-provision-2.x/ - name: Publish documentation diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 3522de3bc..8e8a2e4bf 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md 
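Review bot: `-e '... launch_hugo_server=false'` passes the value as the string `"false"` (Ansible's `key=value` extra vars are always strings), which a plain `when: launch_hugo_server` treats as truthy; pass it as JSON (`-e '{"wiki2pages_build_path": "/home/ce-dev/build/wiki2pages", "launch_hugo_server": false}'`) or confirm the wiki2pages playbook applies `| bool`. The `ls -la /home/ce-dev/build/wiki2pages/public/ce-provision-2.x/` line is a leftover debug probe that now lands in the new "Run Hugo" step; drop it or turn it into an explicit check that the output directory is non-empty before publishing.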
@@ -3,101 +3,101 @@ - [Install](/install) - [Usage](/scripts) - [Roles](roles) - - [AWS Infrastructure](/roles/aws) - - [AWS ACL](/roles/aws/aws_acl) - - [AWS Certificate Manager](/roles/aws/aws_acm) - - [AWS AMI ASG Cleanup](/roles/aws/aws_ami_asg_cleanup) - - [AWS AMI](/roles/aws/aws_ami) - - [AWS Backup](/roles/aws/aws_backup) - - [AWS Backup Validation](/roles/aws/aws_backup_validation) - - [AWS CloudFront distribution](/roles/aws/aws_cloudfront_distribution) - - [Cloudwatch log group](/roles/aws/aws_cloudwatch_log_group) - - [Amazon credentials](/roles/aws/aws_credentials) - - [Autoscale cluster](/roles/aws/aws_ec2_autoscale_cluster) - - [EC2 CloudWatch Metric Alarm](/roles/aws/aws_ec2_metric_alarm) - - [EC2 instance with EIP](/roles/aws/aws_ec2_with_eip) - - [AWS EFS](/roles/aws/aws_efs) - - [AWS ElastiCache](/roles/aws/aws_elasticache) - - [AWS IAM EC2](/roles/aws/aws_iam_role) - - [AWS IAM SAML](/roles/aws/aws_iam_saml) - - [AWS Network Info](/roles/aws/_aws_network_info) - - [AWS OpenSearch](/roles/aws/aws_opensearch) - - [AWS key pair.](/roles/aws/aws_provision_ec2_keypair) - - [AWS RDS](/roles/aws/aws_rds) - - [AWS Resource Group.](/roles/aws/aws_resource_group) - - [AWS S3 Bucket](/roles/aws/aws_s3_bucket) - - [AWS Security Groups](/roles/aws/aws_security_groups) - - [AWS SG/firewall role](/roles/aws/aws_sg_iptables) - - [AWS SNS](/roles/aws/aws_sns) - - [VPC](/roles/aws/aws_vpc) - - [Update main route for a given VPC](/roles/aws/aws_vpc_route) - - [VPC](/roles/aws/aws_vpc_subnet) - - [Contributed roles](/roles/contrib) - - [Debian Packages](/roles/debian) - - [Ansible Galaxy](/roles/debian/ansible_galaxy) - - [Ansible](/roles/debian/ansible) - - [APACHE](/roles/debian/apache) - - [Apparmor](/roles/debian/apparmor) - - [Extra packages](/roles/debian/apt_extra_packages) - - [APT Repository](/roles/debian/apt_repository) - - [APT Unattended Upgrades](/roles/debian/apt_unattended_upgrades) - - [AWS CLI](/roles/debian/aws_cli) - - [AWS Cloudwatch 
agent](/roles/debian/aws_cloudwatch_agent) - - [EFS client](/roles/debian/aws_efs_client) - - [AWS SSM agent](/roles/debian/aws_ssm_agent) - - [ce-deploy](/roles/debian/ce_deploy) - - [Extra packages](/roles/debian/ce_dev) - - [Automated patching](/roles/debian/ce_patcher) - - [ce-provision](/roles/debian/ce_provision) - - [ClamAV](/roles/debian/clamav) - - [Docker CE](/roles/debian/docker_ce) - - [Docker Registry](/roles/debian/docker_registry) - - [Duplicity](/roles/debian/duplicity) - - [Firewall Config](/roles/debian/firewall_config) - - [Frontail](/roles/debian/frontail) - - [Gitlab](/roles/debian/gitlab) - - [Gitlab Runner](/roles/debian/gitlab_runner) - - [GPG Key](/roles/debian/gpg_key) - - [HA Proxy](/roles/debian/haproxy) - - [Managed /etc/hosts](/roles/debian/hosts) - - [Jenkins](/roles/debian/jenkins) - - [Jitsi](/roles/debian/jitsi) - - [LDAP Server](/roles/debian/ldap_server) - - [LHCI](/roles/debian/lhci) - - [Mailpit](/roles/debian/mailpit) - - [Mount sync](/roles/debian/mount_sync) - - [MariaDB Client](/roles/debian/mysql_client) - - [MySQL Server - Oracle Community Edition](/roles/debian/mysql_server_oracle_ce) - - [NGINX](/roles/debian/nginx) - - [NodeJS](/roles/debian/nodejs) - - [OpenVPN](/roles/debian/openvpn) - - [Packer](/roles/debian/packer) - - [PAM LinOTP](/roles/debian/pam_linotp) - - [PHP terminal client](/roles/debian/php-cli) - - [PHP common components](/roles/debian/php-common) - - [PHP Composer](/roles/debian/php_composer) - - [PHP-FPM](/roles/debian/php-fpm) - - [phpMyAdmin](/roles/debian/phpmyadmin) - - [PHP XDebug](/roles/debian/php_xdebug) - - [Postfix](/roles/debian/postfix) - - [Process Manager](/roles/debian/process_manager) - - [Python Boto](/roles/debian/python_boto) - - [Python Common](/roles/debian/python_common) - - [Python Pip Packages](/roles/debian/python_pip_packages) - - [rkhunter](/roles/debian/rkhunter) - - [Rsyslog](/roles/debian/rsyslog) - - [solr](/roles/debian/solr) - - [SSHD](/roles/debian/ssh_server) - - 
[SSL](/roles/debian/ssl) - - [sudo config](/roles/debian/sudo_config) - - [Swap](/roles/debian/swap) - - [System](/roles/debian/system) - - [User Ansible](/roles/debian/user_ansible) - - [varnish_config](/roles/debian/varnish_config) - - [wazuh](/roles/debian/wazuh) - - [Init role](/roles/_init) - - ["Meta" roles that group individual roles together.](/roles/_meta) - - [AWS account](/roles/_meta/aws_account) - - [AWS client](/roles/_meta/aws_client_instance) - - [AWS region](/roles/_meta/aws_region) - - [\_overrides.](/roles/_overrides) + - [AWS Infrastructure](roles/aws) + - [AWS ACL](roles/aws/aws_acl) + - [AWS Certificate Manager](roles/aws/aws_acm) + - [AWS AMI ASG Cleanup](roles/aws/aws_ami_asg_cleanup) + - [AWS AMI](roles/aws/aws_ami) + - [AWS Backup](roles/aws/aws_backup) + - [AWS Backup Validation](roles/aws/aws_backup_validation) + - [AWS CloudFront distribution](roles/aws/aws_cloudfront_distribution) + - [Cloudwatch log group](roles/aws/aws_cloudwatch_log_group) + - [Amazon credentials](roles/aws/aws_credentials) + - [Autoscale cluster](roles/aws/aws_ec2_autoscale_cluster) + - [EC2 CloudWatch Metric Alarm](roles/aws/aws_ec2_metric_alarm) + - [EC2 instance with EIP](roles/aws/aws_ec2_with_eip) + - [AWS EFS](roles/aws/aws_efs) + - [AWS ElastiCache](roles/aws/aws_elasticache) + - [AWS IAM EC2](roles/aws/aws_iam_role) + - [AWS IAM SAML](roles/aws/aws_iam_saml) + - [AWS Network Info](roles/aws/_aws_network_info) + - [AWS OpenSearch](roles/aws/aws_opensearch) + - [AWS key pair.](roles/aws/aws_provision_ec2_keypair) + - [AWS RDS](roles/aws/aws_rds) + - [AWS Resource Group.](roles/aws/aws_resource_group) + - [AWS S3 Bucket](roles/aws/aws_s3_bucket) + - [AWS Security Groups](roles/aws/aws_security_groups) + - [AWS SG/firewall role](roles/aws/aws_sg_iptables) + - [AWS SNS](roles/aws/aws_sns) + - [VPC](roles/aws/aws_vpc) + - [Update main route for a given VPC](roles/aws/aws_vpc_route) + - [VPC](roles/aws/aws_vpc_subnet) + - [Contributed roles](roles/contrib) + - 
[Debian Packages](roles/debian) + - [Ansible Galaxy](roles/debian/ansible_galaxy) + - [Ansible](roles/debian/ansible) + - [APACHE](roles/debian/apache) + - [Apparmor](roles/debian/apparmor) + - [Extra packages](roles/debian/apt_extra_packages) + - [APT Repository](roles/debian/apt_repository) + - [APT Unattended Upgrades](roles/debian/apt_unattended_upgrades) + - [AWS CLI](roles/debian/aws_cli) + - [AWS Cloudwatch agent](roles/debian/aws_cloudwatch_agent) + - [EFS client](roles/debian/aws_efs_client) + - [AWS SSM agent](roles/debian/aws_ssm_agent) + - [ce-deploy](roles/debian/ce_deploy) + - [Extra packages](roles/debian/ce_dev) + - [Automated patching](roles/debian/ce_patcher) + - [ce-provision](roles/debian/ce_provision) + - [ClamAV](roles/debian/clamav) + - [Docker CE](roles/debian/docker_ce) + - [Docker Registry](roles/debian/docker_registry) + - [Duplicity](roles/debian/duplicity) + - [Firewall Config](roles/debian/firewall_config) + - [Frontail](roles/debian/frontail) + - [Gitlab](roles/debian/gitlab) + - [Gitlab Runner](roles/debian/gitlab_runner) + - [GPG Key](roles/debian/gpg_key) + - [HA Proxy](roles/debian/haproxy) + - [Managed /etc/hosts](roles/debian/hosts) + - [Jenkins](roles/debian/jenkins) + - [Jitsi](roles/debian/jitsi) + - [LDAP Server](roles/debian/ldap_server) + - [LHCI](roles/debian/lhci) + - [Mailpit](roles/debian/mailpit) + - [Mount sync](roles/debian/mount_sync) + - [MariaDB Client](roles/debian/mysql_client) + - [MySQL Server - Oracle Community Edition](roles/debian/mysql_server_oracle_ce) + - [NGINX](roles/debian/nginx) + - [NodeJS](roles/debian/nodejs) + - [OpenVPN](roles/debian/openvpn) + - [Packer](roles/debian/packer) + - [PAM LinOTP](roles/debian/pam_linotp) + - [PHP terminal client](roles/debian/php-cli) + - [PHP common components](roles/debian/php-common) + - [PHP Composer](roles/debian/php_composer) + - [PHP-FPM](roles/debian/php-fpm) + - [phpMyAdmin](roles/debian/phpmyadmin) + - [PHP XDebug](roles/debian/php_xdebug) + - 
[Postfix](roles/debian/postfix) + - [Process Manager](roles/debian/process_manager) + - [Python Boto](roles/debian/python_boto) + - [Python Common](roles/debian/python_common) + - [Python Pip Packages](roles/debian/python_pip_packages) + - [rkhunter](roles/debian/rkhunter) + - [Rsyslog](roles/debian/rsyslog) + - [solr](roles/debian/solr) + - [SSHD](roles/debian/ssh_server) + - [SSL](roles/debian/ssl) + - [sudo config](roles/debian/sudo_config) + - [Swap](roles/debian/swap) + - [System](roles/debian/system) + - [User Ansible](roles/debian/user_ansible) + - [varnish_config](roles/debian/varnish_config) + - [wazuh](roles/debian/wazuh) + - [Init role](roles/_init) + - ["Meta" roles that group individual roles together.](roles/_meta) + - [AWS account](roles/_meta/aws_account) + - [AWS client](roles/_meta/aws_client_instance) + - [AWS region](roles/_meta/aws_region) + - [\_overrides.](roles/_overrides) diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md index a9b957ac3..1a030e1e5 100644 --- a/docs/roles/aws/aws_ec2_autoscale_cluster.md +++ b/docs/roles/aws/aws_ec2_autoscale_cluster.md 
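Review bot: two labels in the added index collide and should be made distinct: `[VPC](roles/aws/aws_vpc)` and `[VPC](roles/aws/aws_vpc_subnet)` both read "VPC", and `[Extra packages](roles/debian/ce_dev)` reuses the label already given to `roles/debian/apt_extra_packages`. Suggest `[VPC subnet](roles/aws/aws_vpc_subnet)` and `[ce-dev](roles/debian/ce_dev)` so readers can tell the entries apart; `[AWS IAM EC2](roles/aws/aws_iam_role)` is likewise less descriptive than the path it links to. The switch from absolute `/roles/...` links to relative `roles/...` links is applied uniformly across the removed and added entries, which is fine.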
@@ -4,7 +4,7 @@ Supports either AWS EC2 Autoscaling Groups (ASGs) or AWS ECS clusters. Note, thi * https://github.com/codeenigma/ce-deploy/tree/1.x/roles/deploy_code (EC2) Note also that the `deploy_code` role needs to be used in tandem with this `ce-provision` role, which ensures there is a `cloud-init` script in place to install the code in the event of an instance replacement: -* https://github.com/codeenigma/ce-provision/tree/1.x/roles/mount_sync +* https://github.com/codeenigma/ce-provision/tree/2.x/roles/debian/mount_sync ## Networking Regardless of the scenario, ECS or EC2, if you decide to use a private subnet instead of giving your instances or containers public IP addresses, you will need at least one NAT gateway (more than one for resilience). When you are creating NAT gateways they must be in a *public* subnet and your routing tables in the private subnets should use the NAT gateway as the default route. Do not put the NAT gateways on the private subnets, it cannot possibly work and your containers or instances will not have internet access. diff --git a/docs/roles/debian/nodejs.md b/docs/roles/debian/nodejs.md index c121efb58..0e4624ee1 100644 --- a/docs/roles/debian/nodejs.md +++ b/docs/roles/debian/nodejs.md @@ -8,7 +8,7 @@ Installs NodeJS from official repos. --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: "origin=. nodistro,codename=nodistro,label=. nodistro" # nodejs repo + apt_origin_nodejs: "origin=Node Source,codename=nodistro,label=Node Source" # nodejs repo apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index a9b957ac3..1a030e1e5 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md 
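Review bot: the updated link in the `aws_ec2_autoscale_cluster.md` hunk now points at the `2.x` branch of ce-provision while the unchanged context line above it still points at `https://github.com/codeenigma/ce-deploy/tree/1.x/roles/deploy_code`; confirm that `1.x` of ce-deploy is the intended pairing for `2.x` of ce-provision, or update both for consistency. The surrounding sentence also says the `deploy_code` role must be used in tandem with "this `ce-provision` role", yet the link is to `roles/debian/mount_sync`, a different role from the one this page documents; naming `mount_sync` in the sentence would remove the ambiguity. The same hunk is repeated verbatim for `roles/aws/aws_ec2_autoscale_cluster/README.md` below, so both copies need the same wording.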
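Review bot: in the `nodejs.md` hunk, `apt_origin_nodejs` is consumed by `apt_unattended_upgrades`, so the `origin=` and `label=` values must match the `Origin:` and `Label:` fields of the NodeSource repository's Release file exactly, including the space in `Node Source`; if they do not, unattended-upgrades silently skips that repository and Node security updates stop being applied without any error. Please record in the PR how the new values were verified (for example against the Release file fetched under `/var/lib/apt/lists/`) and check that the template rendering this into the unattended-upgrades origins pattern quotes the whole string so the embedded space survives. This patch shows only the documentation and README copies of the value changing; confirm the role's own defaults carry the identical string so the docs and the deployed behaviour agree. The identical hunk for `roles/debian/nodejs/README.md` follows below.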
@@ -4,7 +4,7 @@ Supports either AWS EC2 Autoscaling Groups (ASGs) or AWS ECS clusters. Note, thi * https://github.com/codeenigma/ce-deploy/tree/1.x/roles/deploy_code (EC2) Note also that the `deploy_code` role needs to be used in tandem with this `ce-provision` role, which ensures there is a `cloud-init` script in place to install the code in the event of an instance replacement: -* https://github.com/codeenigma/ce-provision/tree/1.x/roles/mount_sync +* https://github.com/codeenigma/ce-provision/tree/2.x/roles/debian/mount_sync ## Networking Regardless of the scenario, ECS or EC2, if you decide to use a private subnet instead of giving your instances or containers public IP addresses, you will need at least one NAT gateway (more than one for resilience). When you are creating NAT gateways they must be in a *public* subnet and your routing tables in the private subnets should use the NAT gateway as the default route. Do not put the NAT gateways on the private subnets, it cannot possibly work and your containers or instances will not have internet access. diff --git a/roles/debian/nodejs/README.md b/roles/debian/nodejs/README.md index c121efb58..0e4624ee1 100644 --- a/roles/debian/nodejs/README.md +++ b/roles/debian/nodejs/README.md @@ -8,7 +8,7 @@ Installs NodeJS from official repos. --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: "origin=. nodistro,codename=nodistro,label=. nodistro" # nodejs repo + apt_origin_nodejs: "origin=Node Source,codename=nodistro,label=Node Source" # nodejs repo apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg From 1130f7a54c2e6e4fc9ddbfecdb0a807b087a24e5 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Tue, 7 Jan 2025 14:05:03 +0100 Subject: [PATCH 296/331] Publish docs pr 2.x (#2168) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again…
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr devel 2.x (#2165)
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4
---------
Co-authored-by: Matej Stajduhar
* Remvoing-scp-extra-args-temporary (#1761)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1765)
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. 
* Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. --------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- contribute/toc.sh | 4 ++-- 
docs/_Sidebar.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/contribute/toc.sh b/contribute/toc.sh index face006c9..8dc9a1c8f 100755 --- a/contribute/toc.sh +++ b/contribute/toc.sh @@ -114,7 +114,7 @@ parse_roles_toc(){ "# "*) if [ "$WRITE" = "true" ]; then TITLE=$(echo "$LINE" | cut -c 3-) - echo "$INDENT"" - [$TITLE](/$RELATIVE)" >> "$TMP_SIDEBAR" + echo "$INDENT"" - [$TITLE]($RELATIVE)" >> "$TMP_SIDEBAR" WRITE="false" fi ;; @@ -137,4 +137,4 @@ generate_roles_toc cp_single_page install cp_single_page contribute -cp_single_page scripts \ No newline at end of file +cp_single_page scripts diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 8e8a2e4bf..db7194657 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -1,7 +1,7 @@   -- [Home](/) - - [Install](/install) - - [Usage](/scripts) +- [Home]() + - [Install](install) + - [Usage](scripts) - [Roles](roles) - [AWS Infrastructure](roles/aws) - [AWS ACL](roles/aws/aws_acl) From ff7c0aca9a586f1e82c80284019fd9aff7e73aef Mon Sep 17 00:00:00 2001 
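Review bot: in the first toc.sh hunk (`@@ -114,7 +114,7 @@`), `$TITLE` is taken verbatim from the heading line via `cut -c 3-` and interpolated unescaped into `" - [$TITLE]($RELATIVE)"`, so any role README heading containing `]` or `(` yields a malformed sidebar link; either escape those characters before the `echo` or add a comment stating that heading text must not contain them. Since the leading slash on `$RELATIVE` has now been removed, re-added and removed again per the message ("Re-removing opening slash to fix Hugo"), a one-line comment above the `echo` explaining that the links must be relative for the Hugo build would stop the next contributor from flipping it back.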
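Review bot: in the _Sidebar.md hunk the new `- [Home]()` line has an empty link target, which most Markdown renderers turn into a link to the current page or drop entirely, so the Home entry becomes a dead link; a relative target such as `.` or the docs index page (whichever the Hugo build resolves as the section root, which is not visible here) should replace the empty parentheses. Also worth confirming that this hand edit matches what toc.sh emits into `$TMP_SIDEBAR`, since if docs/_Sidebar.md is the generated file the next `generate_roles_toc` run will overwrite it.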
From: Greg Harvey Date: Tue, 7 Jan 2025 16:57:54 +0100 Subject: [PATCH 297/331] Publish docs pr 2.x (#2171) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again…
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr devel 2.x (#2165)
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local 
backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. 
* Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Making the publish docs CI work with 1.x and 2.x. * Only run when PRs are closed. --------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic 
<123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .../workflows/ce-provision-publish-docs.yml | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index edee7af4d..9e3caa4c4 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -1,11 +1,12 @@ name: Publish docs -# Run this workflow on demand and every time a new commit pushed to your repository +# Run this workflow on demand or every time a PR is accepted to a main branch on: pull_request: -# branches: -# - 1.x -# - 2.x + types: [closed] + branches: + - 1.x + - 2.x workflow_dispatch: jobs: 
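Review bot: `types: [closed]` also fires when a PR against `1.x` or `2.x` is closed without being merged, so a rejected PR still triggers a full build and a push to `ce-provision-docs`, contradicting the new comment "every time a PR is accepted to a main branch". Gate the job with `if: github.event.pull_request.merged == true`, or switch to `on: push: branches: [1.x, 2.x]`, which fires exactly on merge. The `push` trigger also sidesteps two side effects of `pull_request`: secrets (here `DOCS_GITHUB_TOKEN`) are not passed to `pull_request` runs originating from forks, so the publish step would fail for those, and `workflow_dispatch` is kept but the steps below depend on the `pull_request` payload, so a manual run has no branch to work with.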
@@ -49,20 +50,20 @@ jobs: - name: Start SSHD run: /usr/sbin/sshd& - - name: Initialise wiki2pages for ce-provision 2.x + - name: Initialise wiki2pages for ce-provision ${{ github.event.pull_request.base.ref }} run: | - /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /bin/sh init.sh --repo https://github.com/codeenigma/ce-provision.git --branch 2.x --no-ce-dev" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /bin/sh init.sh --repo https://github.com/codeenigma/ce-provision.git --branch ${{ github.event.pull_request.base.ref }} --no-ce-dev" /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /home/ce-dev/ansible/bin/ansible-playbook -e 'wiki2pages_build_path=/home/ce-dev/build/wiki2pages' -i /home/ce-dev/ansible/bin/hosts /home/ce-dev/build/wiki2pages/ce-dev/ansible/provision.yml" - /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /bin/sh set-current.sh --project ce-provision-2.x --no-ce-dev" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /bin/sh set-current.sh --project ce-provision-${{ github.event.pull_request.base.ref }} --no-ce-dev" /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /home/ce-dev/ansible/bin/ansible-playbook -e 'wiki2pages_build_path=/home/ce-dev/build/wiki2pages launch_hugo_server=false' -i /home/ce-dev/ansible/bin/hosts /home/ce-dev/build/wiki2pages/ce-dev/ansible/deploy.yml" - name: Run Hugo run: | /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && hugo" - ls -la /home/ce-dev/build/wiki2pages/public/ce-provision-2.x/ + ls -la /home/ce-dev/build/wiki2pages/public/ce-provision-${{ github.event.pull_request.base.ref }}/ - name: Publish documentation run: | /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /bin/sh /home/ce-dev/build/wiki2pages/.github-actions-push.sh" - /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages/public/ce-provision-2.x && /usr/bin/git remote add ci https://${{ secrets.DOCS_GITHUB_TOKEN 
}}@github.com/codeenigma/ce-provision-docs.git" - /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages/public/ce-provision-2.x && /usr/bin/git push ci master" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages/public/ce-provision-${{ github.event.pull_request.base.ref }} && /usr/bin/git remote add ci https://${{ secrets.DOCS_GITHUB_TOKEN }}@github.com/codeenigma/ce-provision-docs.git" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages/public/ce-provision-${{ github.event.pull_request.base.ref }} && /usr/bin/git push ci master" From 7415e4c55685065567118dc284565829eb7b4e53 Mon Sep 17 00:00:00 2001 
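Review bot: every command in this hunk interpolates `${{ github.event.pull_request.base.ref }}`, which expands to an empty string on a `workflow_dispatch` run (there is no `pull_request` payload), so a manual run executes `init.sh ... --branch  --no-ce-dev`, `set-current.sh --project ce-provision- --no-ce-dev` and `cd /home/ce-dev/build/wiki2pages/public/ce-provision-` and then pushes whatever that directory holds to `master` of the docs repo. Resolve the branch once in a job-level `env:` (for example `DOCS_BRANCH: ${{ github.event.pull_request.base.ref || inputs.branch }}` with a `workflow_dispatch` input restricted to `1.x`/`2.x`) and fail the job if it is empty, instead of repeating the expression five times. Separately, `git remote add ci https://${{ secrets.DOCS_GITHUB_TOKEN }}@github.com/codeenigma/ce-provision-docs.git` persists the token in `.git/config` under `public/` and places it on a `su - ce-dev -c "..."` command line that is visible in the process list for the duration of the command; log masking does not cover either. Pass the token through `env:` and use it only in the push command (or via a credential helper) rather than baking it into the remote URL.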
From: Greg Harvey Date: Wed, 8 Jan 2025 11:34:17 +0100 Subject: [PATCH 298/331] Publish docs pr 2.x (#2174) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for ce-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for ce-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. 
* Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr devel 2.x (#2165) * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4
---------
Co-authored-by: Matej Stajduhar
* Remvoing-scp-extra-args-temporary (#1761)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1765)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Making the publish docs CI work with 1.x and 2.x. * Only run when PRs are closed. * Simplifying installer script. * Separating script to build table of contents for Hugo and enhancing CI. * Forgot to add and commit changes to docs. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .../workflows/ce-provision-publish-docs.yml | 23 +++ contribute/toc.sh | 2 +- contribute/toc_hugo.sh | 140 ++++++++++++++++++ install.sh | 13 +- 4 files changed, 167 insertions(+), 11 deletions(-) create mode 100755 contribute/toc_hugo.sh diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index 9e3caa4c4..8984d540f 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml 
@@ -25,6 +25,28 @@ jobs: - ${{ github.workspace }}:/home/controller steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.base.ref }} + + # First build and publish the markdown docs + - name: Build the table of contents + run: /bin/sh contribute/toc.sh + + # Configures global Git variables for committing + - name: Configure Git + run: | + /usr/bin/git config --global user.email "sysadm@codeenigma.com" + /usr/bin/git config --global user.name "Code Enigma CI" + /usr/bin/git config --global pull.rebase false + + - name: Commit new table of contents back to the repo + run: | + /usr/bin/git add docs/. + /usr/bin/git commit -m "GitHub Actions - updating markdown docs - ${{ steps.date.outputs.date }}" + /usr/bin/git push + + # Now build and publish the version of the docs - name: Install wiki2pages run: /usr/bin/su - ce-dev -c "/usr/bin/git clone https://github.com/codeenigma/wikis2pages.git /home/ce-dev/build/wiki2pages" @@ -56,6 +78,7 @@ jobs: /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /home/ce-dev/ansible/bin/ansible-playbook -e 'wiki2pages_build_path=/home/ce-dev/build/wiki2pages' -i /home/ce-dev/ansible/bin/hosts /home/ce-dev/build/wiki2pages/ce-dev/ansible/provision.yml" /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /bin/sh set-current.sh --project ce-provision-${{ github.event.pull_request.base.ref }} --no-ce-dev" /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && /home/ce-dev/ansible/bin/ansible-playbook -e 'wiki2pages_build_path=/home/ce-dev/build/wiki2pages launch_hugo_server=false' -i /home/ce-dev/ansible/bin/hosts /home/ce-dev/build/wiki2pages/ce-dev/ansible/deploy.yml" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages/content/ce-provision-${{ github.event.pull_request.base.ref }} && /bin/sh contribute/toc_hugo.sh" - name: Run Hugo run: | diff --git a/contribute/toc.sh b/contribute/toc.sh index 8dc9a1c8f..8c108c60f 100755 --- a/contribute/toc.sh +++ b/contribute/toc.sh 
@@ -114,7 +114,7 @@ parse_roles_toc(){ "# "*) if [ "$WRITE" = "true" ]; then TITLE=$(echo "$LINE" | cut -c 3-) - echo "$INDENT"" - [$TITLE]($RELATIVE)" >> "$TMP_SIDEBAR" + echo "$INDENT"" - [$TITLE](/$RELATIVE)" >> "$TMP_SIDEBAR" WRITE="false" fi ;; diff --git a/contribute/toc_hugo.sh b/contribute/toc_hugo.sh new file mode 100755 index 000000000..8dc9a1c8f --- /dev/null +++ b/contribute/toc_hugo.sh 
@@ -0,0 +1,140 @@ +#!/bin/sh +# shellcheck disable=SC2094 +# shellcheck disable=SC2129 +IFS=$(printf '\n\t') +set -e +OWN_DIR=$(dirname "$0") +cd "$OWN_DIR" || exit 1 +OWN_DIR=$(git rev-parse --show-toplevel) +cd "$OWN_DIR" || exit 1 +OWN_DIR=$(pwd -P) + +# @param +# $1 string filepath +cp_role_page(){ + RELATIVE=$(realpath --relative-to="$OWN_DIR" "$(dirname "$1")") + if [ ! -d "$OWN_DIR/docs/$RELATIVE" ]; then + mkdir -p "$OWN_DIR/docs/$RELATIVE" + fi + cp "$1" "$OWN_DIR/docs/$RELATIVE.md" +} + +# @param +# $1 string folder +cp_single_page(){ + if [ ! -d "$OWN_DIR/docs/$1" ]; then + mkdir "$OWN_DIR/docs/$1" + fi + cp "$OWN_DIR/$1/README.md" "$OWN_DIR/docs/$1.md" +} + +# @param +# $1 (string) filename +parse_role_variables(){ + TMP_MD=$(mktemp) + WRITE=1 + # Ensure we have a trailing line. + echo "" >> "$1" + while read -r LINE; do + case $LINE in + '') + echo "$LINE" >> "$TMP_MD" + generate_role_variables "$1" + WRITE=0 + ;; + '') + echo "$LINE" >> "$TMP_MD" + WRITE=1 + ;; + '') + echo "$LINE" >> "$TMP_MD" + WRITE=0 + ;; + '') + echo "$LINE" >> "$TMP_MD" + WRITE=1 + ;; + *) + if [ $WRITE = 1 ]; then + echo "$LINE" >> "$TMP_MD" + fi + ;; + esac + done < "$1" + printf '%s\n' "$(cat "$TMP_MD")" > "$1" + rm "$TMP_MD" +} + +# @param +# $1 (string) filename +generate_role_variables(){ + VAR_FILE="$(dirname "$1")/defaults/main.yml" + if [ -f "$VAR_FILE" ]; then + echo "## Default variables" >> "$TMP_MD" + echo '```yaml' >> "$TMP_MD" + cat "$VAR_FILE" >> "$TMP_MD" + echo "" >> "$TMP_MD" + echo '```' >> "$TMP_MD" + echo "" >> "$TMP_MD" + fi +} + +generate_roles_toc(){ + TMP_SIDEBAR=$(mktemp) + WRITE="true" + while read -r LINE; do + case $LINE in + " - [Roles](roles)") + echo "$LINE" >> "$TMP_SIDEBAR" + parse_roles_toc roles 2 + WRITE="false" + ;; + " -"*) + WRITE="true" + echo "$LINE" >> "$TMP_SIDEBAR" + ;; + *) + if [ "$WRITE" = "true" ]; then + echo "$LINE" >> "$TMP_SIDEBAR" + fi + ;; + esac + done < "$OWN_DIR/docs/_Sidebar.md" + mv "$TMP_SIDEBAR" 
"$OWN_DIR/docs/_Sidebar.md" +} + +parse_roles_toc(){ + ROLES=$(find "$OWN_DIR/$1" -mindepth 2 -maxdepth 2 -name "README.md" | sort) + for ROLE in $ROLES; do + WRITE="true" + INDENT=$(printf %$(($2 * 2))s) + RELATIVE=$(realpath --relative-to="$OWN_DIR" "$(dirname "$ROLE")") + while read -r LINE; do + case $LINE in + "# "*) + if [ "$WRITE" = "true" ]; then + TITLE=$(echo "$LINE" | cut -c 3-) + echo "$INDENT"" - [$TITLE]($RELATIVE)" >> "$TMP_SIDEBAR" + WRITE="false" + fi + ;; + esac + done < "$ROLE" + parse_roles_toc "$RELATIVE" $(($2 + 1)) + done +} + +rm -rf "$OWN_DIR/docs/roles" +ROLE_PAGES=$(find "$OWN_DIR/roles" -name "README.md") +for ROLE_PAGE in $ROLE_PAGES; do + parse_role_variables "$ROLE_PAGE" +done +for ROLE_PAGE in $ROLE_PAGES; do + cp_role_page "$ROLE_PAGE" +done +generate_roles_toc + + +cp_single_page install +cp_single_page contribute +cp_single_page scripts diff --git a/install.sh b/install.sh index 53db4ce5d..0776988a7 100755 --- a/install.sh +++ b/install.sh @@ -79,7 +79,6 @@ FIREWALL="true" AWS_SUPPORT="false" IS_LOCAL="false" SERVER_HOSTNAME=$(hostname) -ANSIBLE_COMMAND="" # Parse options. parse_options "$@" @@ -254,14 +253,8 @@ firewall_config: - "443" EOL -# Tell Ansible this is a Docker container -if [ "$IS_LOCAL" = "true" ]; then - ANSIBLE_COMMAND="ansible-playbook --extra-vars \"{is_local: $IS_LOCAL}\" /home/$CONTROLLER_USER/ce-provision/provision.yml" -else - ANSIBLE_COMMAND="ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" -fi # Configure ce-provision -/usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/$ANSIBLE_COMMAND" +/usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/ansible-playbook --extra-vars \"{is_local: $IS_LOCAL}\" /home/$CONTROLLER_USER/ce-provision/provision.yml" /usr/bin/rm "/home/$CONTROLLER_USER/ce-provision/provision.yml" # Install firewall 
@@ -281,7 +274,7 @@ if [ "$FIREWALL" = "true" ]; then ansible.builtin.import_role: name: debian/firewall_config EOL - /usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" + /usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/ansible-playbook --extra-vars \"{is_local: $IS_LOCAL}\" /home/$CONTROLLER_USER/ce-provision/provision.yml" /usr/bin/echo "-------------------------------------------------" else /usr/bin/echo "-------------------------------------------------" @@ -399,7 +392,7 @@ EOT EOT /usr/bin/echo "-------------------------------------------------" fi - /usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" + /usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/ansible-playbook --extra-vars \"{is_local: $IS_LOCAL}\" /home/$CONTROLLER_USER/ce-provision/provision.yml" /usr/bin/echo "-------------------------------------------------" else /usr/bin/echo "GitLab not requested. Skipping." From bfc862b64140a3052df0d4483afc85c5612e9f2e Mon Sep 17 00:00:00 2001 
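Review bot: the "Commit new table of contents back to the repo" step in the first ce-provision-publish-docs.yml hunk will fail the whole job whenever `contribute/toc.sh` produces no changes, because `git commit` exits non-zero with nothing staged; guard it, e.g. `/usr/bin/git diff --cached --quiet || /usr/bin/git commit -m "..."`. The same step interpolates `${{ steps.date.outputs.date }}` into the commit message, but no step with `id: date` appears in the visible lines of this workflow, so unless one is defined earlier in the file the message will end with an empty suffix. Also, the checkout pins `ref: ${{ github.event.pull_request.base.ref }}` and the push goes straight back to that base branch after a wholesale `git add docs/.`; worth confirming that the job token is limited to `contents: write` and that nothing toc.sh copies into `docs/` originates from the PR head rather than the base branch.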
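Review bot: the added `toc_hugo.sh` invocation in the second ce-provision-publish-docs.yml hunk cd's into `/home/ce-dev/build/wiki2pages/content/ce-provision-<ref>`, but `toc_hugo.sh` immediately resets `OWN_DIR` to `git rev-parse --show-toplevel`; if that content directory is a subdirectory of the wiki2pages checkout rather than its own git repository, `OWN_DIR` becomes the wiki2pages root and the script will `rm -rf "$OWN_DIR/docs/roles"` and search `"$OWN_DIR/roles"` in the wrong tree. Either drop the rev-parse step in toc_hugo.sh or assert the expected layout (e.g. `[ -d roles ] || exit 1`) before doing anything destructive. As a lesser point, `${{ github.event.pull_request.base.ref }}` is expanded directly into the shell command string; passing it through an `env:` variable is the usual way to keep a branch name from being interpreted by the shell.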
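Review bot: the one-character change in the contribute/toc.sh hunk (`($RELATIVE)` to `(/$RELATIVE)`) makes the sidebar links root-absolute for the markdown wiki, while the new toc_hugo.sh keeps the relative form; the two scripts are otherwise byte-identical (the new file's blob id `8dc9a1c8f` is the pre-change toc.sh). A single script with a flag or environment variable selecting the link prefix would avoid carrying 140 duplicated lines that will drift apart; failing that, a comment at the top of both files should state that they must be kept in sync.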
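Review bot: `parse_role_variables` in the contribute/toc_hugo.sh hunk rewrites each role README in place (`echo "" >> "$1"` and `printf '%s\n' "$(cat "$TMP_MD")" > "$1"`) before `cp_role_page` copies it, so every run mutates the source tree and not only `docs/`; writing the generated copy to `docs/` directly would keep the checkout clean and make the script idempotent. Two smaller points: the four `case` patterns in that function all read as `''` in this rendering, so as shown only the first branch can ever match (if the marker strings were lost when the patch was rendered, disregard); and `mv "$TMP_SIDEBAR" "$OWN_DIR/docs/_Sidebar.md"` carries over mktemp's 0600 mode, so the sidebar may be unreadable to whichever user Hugo runs as; a `chmod 644` after the `mv` fixes that.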
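Review bot: in the second install.sh hunk, replacing the `if [ "$IS_LOCAL" = "true" ]` branch with an unconditional `--extra-vars "{is_local: $IS_LOCAL}"` changes behaviour for any task that tests `is_local is defined` rather than its value: on a normal install `is_local` is now always defined (as `false`, per the default kept in the first hunk), so such conditions take the opposite branch from before. Worth grepping the roles for `is_local is defined` before merging; the commit history on this branch mentions exactly that pattern in the webserver meta dependencies (#522).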
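Review bot: the last two install.sh hunks paste the same long `su - "$CONTROLLER_USER" -c "... ansible-playbook --extra-vars \"{is_local: $IS_LOCAL}\" ..."` line a second and third time. The first hunk deletes `ANSIBLE_COMMAND`, which is precisely the variable that could hold this invocation once; keeping a single `ANSIBLE_COMMAND` (or a small `run_provision()` function) set after `parse_options` would avoid three copies that must be edited in lockstep whenever the extra-vars change.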
From: Greg Harvey Date: Wed, 8 Jan 2025 11:41:45 +0100 Subject: [PATCH 299/331] Publish docs pr 2.x (#2177) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again…
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr devel 2.x (#2165)
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. 
* Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Making the publish docs CI work with 1.x and 2.x. * Only run when PRs are closed. * Simplifying installer script. * Separating script to build table of contents for Hugo and enhancing CI. * Forgot to add and commit changes to docs. * Adding safe directory for checked out code and changing order. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .github/workflows/ce-provision-publish-docs.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index 8984d540f..c8347f5cd 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml 
@@ -29,16 +29,17 @@ jobs: with: ref: ${{ github.event.pull_request.base.ref }} - # First build and publish the markdown docs - - name: Build the table of contents - run: /bin/sh contribute/toc.sh - # Configures global Git variables for committing - name: Configure Git run: | /usr/bin/git config --global user.email "sysadm@codeenigma.com" /usr/bin/git config --global user.name "Code Enigma CI" /usr/bin/git config --global pull.rebase false + /usr/bin/git config --global --add safe.directory /__w/ce-provision/ce-provision + + # First build and publish the markdown docs + - name: Build the table of contents + run: /bin/sh contribute/toc.sh - name: Commit new table of contents back to the repo run: | From 9a12fccacd6bb71e0f825512147bf2644cee8025 Mon Sep 17 00:00:00 2001 
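Review bot: the `safe.directory` entry added after the `pull.rebase false` line hard-codes `/__w/ce-provision/ce-provision`, which ties the workflow to the default container-job workspace layout for a repository with this exact name; `${{ github.workspace }}` resolves to that same path inside a container job and survives a repository rename or a different runner layout, so consider `/usr/bin/git config --global --add safe.directory ${{ github.workspace }}` instead. Marking the specific checkout safe rather than using `*` is the right call, since the ownership check this relaxes exists to stop Git honouring configuration from a repository directory owned by a different user than the one running it. The 'Build the table of contents' step is moved below 'Configure Git' presumably so that `toc.sh` runs with the safe.directory entry already in place; that ordering dependency is invisible from the step names, so a one-line comment on the moved step (or in the commit message) saying the TOC build must follow the Git configuration would save the next person from moving it back.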
From: Greg Harvey Date: Wed, 8 Jan 2025 11:58:12 +0100 Subject: [PATCH 300/331] Publish docs pr 2.x (#2179) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. 
* Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr devel 2.x (#2165) * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4
---------
Co-authored-by: Matej Stajduhar
* Remvoing-scp-extra-args-temporary (#1761)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1765)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Making the publish docs CI work with 1.x and 2.x. * Only run when PRs are closed. * Simplifying installer script. * Separating script to build table of contents for Hugo and enhancing CI. * Forgot to add and commit changes to docs. * Adding safe directory for checked out code and changing order. * Trying to automate creating a PR instead of a commit. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .github/workflows/ce-provision-publish-docs.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index c8347f5cd..07f163b34 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -27,7 +27,7 @@ jobs: steps: - uses: actions/checkout@v4 with: - ref: ${{ github.event.pull_request.base.ref }} + ref: docs-${{ github.event.pull_request.base.ref }} # Configures global Git variables for committing - name: Configure Git 
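Review bot: the checkout in this hunk now targets `ref: docs-${{ github.event.pull_request.base.ref }}`, but nothing here ensures that branch exists; `actions/checkout` fails on a missing ref, so the first run against a base branch whose `docs-` counterpart has never been created will stop before the "Configure Git" step. Either create the docs branch from the base ref in a preceding step when it is absent, or keep `ref: ${{ github.event.pull_request.base.ref }}` and branch locally before the commit and push. A short comment on the step saying why the docs branch, not the PR base, is checked out would also help, since every later `git commit`/`git push` in this workflow now lands on that branch.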
@@ -47,6 +47,17 @@ jobs: /usr/bin/git commit -m "GitHub Actions - updating markdown docs - ${{ steps.date.outputs.date }}" /usr/bin/git push + # Create docs pull request + - name: Create a documentation pull request + if: ${{ github.event.pull_request.head.ref != 'docs-${{ github.event.pull_request.base.ref }}' }} + uses: repo-sync/pull-request@v3 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + source_branch: docs-${{ github.event.pull_request.base.ref }} + destination_branch: ${{ github.event.pull_request.base.ref }} + pr_title: Documentation update. + pr_body: "**Automated pull request** created by GitHub Actions because of a documentation update." + # Now build and publish the version of the docs - name: Install wiki2pages run: /usr/bin/su - ce-dev -c "/usr/bin/git clone https://github.com/codeenigma/wikis2pages.git /home/ce-dev/build/wiki2pages" From 2a0d997451fdc815eb551e94d7638b2a93396ca6 Mon Sep 17 00:00:00 2001 
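Review bot: the `if:` on the new "Create a documentation pull request" step nests one `${{ }}` expression inside another (`'docs-${{ github.event.pull_request.base.ref }}'`), which the GitHub Actions expression syntax does not support, so the guard cannot evaluate as intended; write it as `if: github.event.pull_request.head.ref != format('docs-{0}', github.event.pull_request.base.ref)`. Two further points on the same step: `repo-sync/pull-request@v3` is a third-party action pinned only to a moving tag and is handed `secrets.GITHUB_TOKEN` with write access, so pin it to a full commit SHA and scope the job's `permissions:` to what it needs; and a pull request opened with `GITHUB_TOKEN` does not itself trigger `pull_request` workflows, so the lint and test jobs will not run on the automated docs PR unless a different token or an explicit trigger is used.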
From: Greg Harvey Date: Wed, 8 Jan 2025 12:15:13 +0100 Subject: [PATCH 301/331] Publish docs pr 2.x (#2181) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. 
* Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr devel 2.x (#2165) * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Making the publish docs CI work with 1.x and 2.x. * Only run when PRs are closed. * Simplifying installer script. * Separating script to build table of contents for Hugo and enhancing CI. * Forgot to add and commit changes to docs. * Adding safe directory for checked out code and changing order. * Trying to automate creating a PR instead of a commit. * Removing obsolete third party action in favour of GH CLI. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .github/workflows/ce-provision-publish-docs.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index 07f163b34..ff87bf2e6 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml 
@@ -47,16 +47,15 @@ jobs: /usr/bin/git commit -m "GitHub Actions - updating markdown docs - ${{ steps.date.outputs.date }}" /usr/bin/git push + - name: Install GitHub CLI + run: (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y)) && sudo mkdir -p -m 755 /etc/apt/keyrings && out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg && cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null && sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null && sudo apt update && sudo apt install gh -y + # Create docs pull request - name: Create a documentation pull request if: ${{ github.event.pull_request.head.ref != 'docs-${{ github.event.pull_request.base.ref }}' }} - uses: repo-sync/pull-request@v3 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - source_branch: docs-${{ github.event.pull_request.base.ref }} - destination_branch: ${{ github.event.pull_request.base.ref }} - pr_title: Documentation update. - pr_body: "**Automated pull request** created by GitHub Actions because of a documentation update." + run: gh pr create --base ${{ github.event.pull_request.base.ref }} --head docs-${{ github.event.pull_request.base.ref }} --title "**Automated pull request** created by GitHub Actions because of a documentation update." + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Now build and publish the version of the docs - name: Install wiki2pages From c55ba2cea914986fe987a0b1415b1b3282d6c1d7 Mon Sep 17 00:00:00 2001 
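Review bot: the new `gh pr create` invocation passes no `--body` and reuses the old `pr_body` text as the `--title`, so the original title "Documentation update." is lost and, because `gh pr create` refuses to run non-interactively unless both `--title` and `--body` (or `--fill`) are given, this step will fail in CI as written. Suggest keeping the original wording, e.g. `--title "Documentation update." --body "**Automated pull request** created by GitHub Actions because of a documentation update."`. If this job runs on a GitHub-hosted Ubuntu runner, `gh` is already preinstalled and the added `Install GitHub CLI` step (a `wget ... | sudo tee` pipeline that installs an apt keyring and source as root) can be dropped, which removes a network dependency and root-level package changes from the job; if it has to stay, splitting the one-liner into a multi-line `run:` block would make it reviewable. The unchanged `if:` condition on this step also nests `${{ }}` inside `${{ }}`, which the Actions expression syntax does not support; `if: github.event.pull_request.head.ref != format('docs-{0}', github.event.pull_request.base.ref)` expresses the same check.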
From: Greg Harvey Date: Wed, 8 Jan 2025 12:33:40 +0100 Subject: [PATCH 302/331] Publish docs pr 2.x (#2184) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for ce-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for ce-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for ce-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. 
* Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr devel 2.x (#2165) * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local 
backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. 
* Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Making the publish docs CI work with 1.x and 2.x. * Only run when PRs are closed. * Simplifying installer script. * Separating script to build table of contents for Hugo and enhancing CI. * Forgot to add and commit changes to docs. * Adding safe directory for checked out code and changing order. * Trying to automate creating a PR instead of a commit. * Removing obsolete third party action in favour of GH CLI. * Forgot the PR body text which is required. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .github/workflows/ce-provision-publish-docs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index ff87bf2e6..a5a307fbf 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml 
@@ -53,7 +53,7 @@ jobs: # Create docs pull request - name: Create a documentation pull request if: ${{ github.event.pull_request.head.ref != 'docs-${{ github.event.pull_request.base.ref }}' }} - run: gh pr create --base ${{ github.event.pull_request.base.ref }} --head docs-${{ github.event.pull_request.base.ref }} --title "**Automated pull request** created by GitHub Actions because of a documentation update." + run: gh pr create --base ${{ github.event.pull_request.base.ref }} --head docs-${{ github.event.pull_request.base.ref }} --title "Documentation update" --body "**Automated pull request** created by GitHub Actions because of a documentation update." env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 63583d36df88ce2a01359260e0f58fd5fb2e5d70 Mon Sep 17 00:00:00 2001 
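Review bot: the `run:` line, both before and after this change, splices `${{ github.event.pull_request.base.ref }}` straight into the shell command (`--base ${{ ... }} --head docs-${{ ... }}`), which is the script-injection pattern GitHub's own hardening guidance warns against; pass the value through the step's existing `env:` block (for example `BASE_REF: ${{ github.event.pull_request.base.ref }}`) and write `--base "$BASE_REF" --head "docs-$BASE_REF"` so a branch name containing shell metacharacters cannot alter the command. In the unchanged `if:` context line, `'docs-${{ github.event.pull_request.base.ref }}'` nests `${{ }}` inside an expression, which is not expanded as a nested expression; write the guard as `github.event.pull_request.head.ref != format('docs-{0}', github.event.pull_request.base.ref)` so it actually compares against the docs branch name.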
From: Greg Harvey
Date: Wed, 8 Jan 2025 12:45:53 +0100
Subject: [PATCH 303/331] Publish docs pr 2.x (#2186)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. 
* Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr devel 2.x (#2165) * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Upda…
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Making the publish docs CI work with 1.x and 2.x.
* Only run when PRs are closed.
* Simplifying installer script.
* Separating script to build table of contents for Hugo and enhancing CI.
* Forgot to add and commit changes to docs.
* Adding safe directory for checked out code and changing order.
* Trying to automate creating a PR instead of a commit.
* Removing obsolete third party action in favour of GH CLI.
* Forgot the PR body text which is required.
---------
Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com>
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
Co-authored-by: pascal
Co-authored-by: Jamie Wiseman
Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com>
Co-authored-by: Matthieu Decorniquet
Co-authored-by: Dionisio
Co-authored-by: Jean Pierre Dentone
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Co-authored-by: tim
Co-authored-by: Nick Fawbert
Co-authored-by: Miro Michalicka
Co-authored-by: Miro Michalicka
Co-authored-by: Matej Stajduhar
Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com>
Co-authored-by: Sunny
Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com>
Co-authored-by: Klaus Purer
Co-authored-by: Klaus Purer
Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com>
Co-authored-by: filip
---
 .../workflows/ce-provision-publish-docs.yml | 34 ++++++-------------
 1 file changed, 11 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml
index a5a307fbf..b95472b1d 100644
--- a/.github/workflows/ce-provision-publish-docs.yml
+++ b/.github/workflows/ce-provision-publish-docs.yml
@@ -29,27 +29,25 @@ jobs: with: ref: docs-${{ github.event.pull_request.base.ref }} - # Configures global Git variables for committing - - name: Configure Git + # Configure environment + - name: Prepare Git, GitHub CLI and installed CE tools run: | /usr/bin/git config --global user.email "sysadm@codeenigma.com" /usr/bin/git config --global user.name "Code Enigma CI" /usr/bin/git config --global pull.rebase false /usr/bin/git config --global --add safe.directory /__w/ce-provision/ce-provision + (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y)) && sudo mkdir -p -m 755 /etc/apt/keyrings && out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg && cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null && sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null && sudo apt update && sudo apt install gh -y + /usr/bin/su - ce-dev -c "cd /home/ce-dev/ce-provision && /usr/bin/git pull origin 2.x" + /usr/bin/su - ce-dev -c "cd /home/ce-dev/ce-deploy && /usr/bin/git pull origin 1.x" # First build and publish the markdown docs - - name: Build the table of contents - run: /bin/sh contribute/toc.sh - - - name: Commit new table of contents back to the repo + - name: Build and commit table of contents and README files back to the repo run: | - /usr/bin/git add docs/. - /usr/bin/git commit -m "GitHub Actions - updating markdown docs - ${{ steps.date.outputs.date }}" + /bin/sh contribute/toc.sh + /usr/bin/find . 
-name "*.md" | xargs git add + /usr/bin/git diff --quiet && git diff --staged --quiet || git commit -am "GitHub Actions - updating markdown docs - ${{ steps.date.outputs.date }}" /usr/bin/git push - - name: Install GitHub CLI - run: (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y)) && sudo mkdir -p -m 755 /etc/apt/keyrings && out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg && cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null && sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null && sudo apt update && sudo apt install gh -y - # Create docs pull request - name: Create a documentation pull request if: ${{ github.event.pull_request.head.ref != 'docs-${{ github.event.pull_request.base.ref }}' }} 
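Review bot: The GitHub CLI keyring fetched in the new "Prepare Git, GitHub CLI and installed CE tools" step is written straight into /etc/apt/keyrings with no fingerprint check, so whatever https://cli.github.com/packages/githubcli-archive-keyring.gpg serves at run time becomes a trusted apt signing key on the runner; compare the downloaded key's fingerprint against a value pinned in the workflow before the `sudo tee`, quote `$out`, and replace `cat $out | sudo tee ... > /dev/null` with `sudo tee ... < "$out" > /dev/null`. The one-liner is moved from the removed "Install GitHub CLI" step rather than newly written, so this is a pre-existing weakness, but it is worth fixing while the step is being rewritten. Separately, `/usr/bin/find . -name "*.md" | xargs git add` now stages every Markdown file in the checkout instead of `docs/.`, so any generated or vendored .md under the tree is picked up by the following `git commit -am`; restricting the find to the paths contribute/toc.sh actually writes keeps the docs commit predictable.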
@@ -61,27 +59,17 @@ jobs: - name: Install wiki2pages run: /usr/bin/su - ce-dev -c "/usr/bin/git clone https://github.com/codeenigma/wikis2pages.git /home/ce-dev/build/wiki2pages" - - name: Update local applications - run: | - /usr/bin/su - ce-dev -c "cd /home/ce-dev/ce-provision && /usr/bin/git pull origin 2.x" - /usr/bin/su - ce-dev -c "cd /home/ce-dev/ce-deploy && /usr/bin/git pull origin 1.x" - - - name: Set up Ansible hosts file + - name: Set up Ansible and SSH run: | mkdir -p /home/ce-dev/ansible/bin/hosts echo "wikis2pages-hugo ansible_host=127.0.0.1" > /home/ce-dev/ansible/bin/hosts/hosts - - - name: Set up SSH config - run: | echo "StrictHostKeyChecking=no" > /home/ce-dev/.ssh/config cat /home/ce-dev/.ssh/id_rsa.pub > /home/ce-dev/.ssh/authorized_keys chown ce-dev:ce-dev /home/ce-dev/.ssh/config chmod 700 /home/ce-dev/.ssh/config chown ce-dev:ce-dev /home/ce-dev/.ssh/authorized_keys chmod 700 /home/ce-dev/.ssh/authorized_keys - - - name: Start SSHD - run: /usr/sbin/sshd& + /usr/sbin/sshd& - name: Initialise wiki2pages for ce-provision ${{ github.event.pull_request.base.ref }} run: | From e3e122be6b52338e389365f90d10ac9fb90a65d2 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 8 Jan 2025 12:48:41 +0100 Subject: [PATCH 304/331] GitHub Actions - updating markdown docs - (#2187) Co-authored-by: Code Enigma CI --- docs/_Sidebar.md | 196 +++++++++++++++++++++++------------------------ 1 file changed, 98 insertions(+), 98 deletions(-) diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index db7194657..540826797 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md 
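Review bot: `chmod 700` on /home/ce-dev/.ssh/config and /home/ce-dev/.ssh/authorized_keys in the merged "Set up Ansible and SSH" step sets an execute bit on two regular files; `chmod 600` is the conventional mode for both (700 belongs on the .ssh directory). The `StrictHostKeyChecking=no` line is also written as a global default for the ce-dev user rather than scoped to the only host this job connects to, the 127.0.0.1 entry written to the Ansible hosts file two lines earlier; a `Host 127.0.0.1` stanza in front of it keeps host-key verification on for anything else that user's SSH config is later used for. Both settings are carried over unchanged from the removed "Set up SSH config" step, so this is a pre-existing configuration rather than a regression in this hunk, but merging the steps is a good moment to tighten it.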
@@ -3,101 +3,101 @@ - [Install](install) - [Usage](scripts) - [Roles](roles) - - [AWS Infrastructure](roles/aws) - - [AWS ACL](roles/aws/aws_acl) - - [AWS Certificate Manager](roles/aws/aws_acm) - - [AWS AMI ASG Cleanup](roles/aws/aws_ami_asg_cleanup) - - [AWS AMI](roles/aws/aws_ami) - - [AWS Backup](roles/aws/aws_backup) - - [AWS Backup Validation](roles/aws/aws_backup_validation) - - [AWS CloudFront distribution](roles/aws/aws_cloudfront_distribution) - - [Cloudwatch log group](roles/aws/aws_cloudwatch_log_group) - - [Amazon credentials](roles/aws/aws_credentials) - - [Autoscale cluster](roles/aws/aws_ec2_autoscale_cluster) - - [EC2 CloudWatch Metric Alarm](roles/aws/aws_ec2_metric_alarm) - - [EC2 instance with EIP](roles/aws/aws_ec2_with_eip) - - [AWS EFS](roles/aws/aws_efs) - - [AWS ElastiCache](roles/aws/aws_elasticache) - - [AWS IAM EC2](roles/aws/aws_iam_role) - - [AWS IAM SAML](roles/aws/aws_iam_saml) - - [AWS Network Info](roles/aws/_aws_network_info) - - [AWS OpenSearch](roles/aws/aws_opensearch) - - [AWS key pair.](roles/aws/aws_provision_ec2_keypair) - - [AWS RDS](roles/aws/aws_rds) - - [AWS Resource Group.](roles/aws/aws_resource_group) - - [AWS S3 Bucket](roles/aws/aws_s3_bucket) - - [AWS Security Groups](roles/aws/aws_security_groups) - - [AWS SG/firewall role](roles/aws/aws_sg_iptables) - - [AWS SNS](roles/aws/aws_sns) - - [VPC](roles/aws/aws_vpc) - - [Update main route for a given VPC](roles/aws/aws_vpc_route) - - [VPC](roles/aws/aws_vpc_subnet) - - [Contributed roles](roles/contrib) - - [Debian Packages](roles/debian) - - [Ansible Galaxy](roles/debian/ansible_galaxy) - - [Ansible](roles/debian/ansible) - - [APACHE](roles/debian/apache) - - [Apparmor](roles/debian/apparmor) - - [Extra packages](roles/debian/apt_extra_packages) - - [APT Repository](roles/debian/apt_repository) - - [APT Unattended Upgrades](roles/debian/apt_unattended_upgrades) - - [AWS CLI](roles/debian/aws_cli) - - [AWS Cloudwatch agent](roles/debian/aws_cloudwatch_agent) - - [EFS 
client](roles/debian/aws_efs_client) - - [AWS SSM agent](roles/debian/aws_ssm_agent) - - [ce-deploy](roles/debian/ce_deploy) - - [Extra packages](roles/debian/ce_dev) - - [Automated patching](roles/debian/ce_patcher) - - [ce-provision](roles/debian/ce_provision) - - [ClamAV](roles/debian/clamav) - - [Docker CE](roles/debian/docker_ce) - - [Docker Registry](roles/debian/docker_registry) - - [Duplicity](roles/debian/duplicity) - - [Firewall Config](roles/debian/firewall_config) - - [Frontail](roles/debian/frontail) - - [Gitlab](roles/debian/gitlab) - - [Gitlab Runner](roles/debian/gitlab_runner) - - [GPG Key](roles/debian/gpg_key) - - [HA Proxy](roles/debian/haproxy) - - [Managed /etc/hosts](roles/debian/hosts) - - [Jenkins](roles/debian/jenkins) - - [Jitsi](roles/debian/jitsi) - - [LDAP Server](roles/debian/ldap_server) - - [LHCI](roles/debian/lhci) - - [Mailpit](roles/debian/mailpit) - - [Mount sync](roles/debian/mount_sync) - - [MariaDB Client](roles/debian/mysql_client) - - [MySQL Server - Oracle Community Edition](roles/debian/mysql_server_oracle_ce) - - [NGINX](roles/debian/nginx) - - [NodeJS](roles/debian/nodejs) - - [OpenVPN](roles/debian/openvpn) - - [Packer](roles/debian/packer) - - [PAM LinOTP](roles/debian/pam_linotp) - - [PHP terminal client](roles/debian/php-cli) - - [PHP common components](roles/debian/php-common) - - [PHP Composer](roles/debian/php_composer) - - [PHP-FPM](roles/debian/php-fpm) - - [phpMyAdmin](roles/debian/phpmyadmin) - - [PHP XDebug](roles/debian/php_xdebug) - - [Postfix](roles/debian/postfix) - - [Process Manager](roles/debian/process_manager) - - [Python Boto](roles/debian/python_boto) - - [Python Common](roles/debian/python_common) - - [Python Pip Packages](roles/debian/python_pip_packages) - - [rkhunter](roles/debian/rkhunter) - - [Rsyslog](roles/debian/rsyslog) - - [solr](roles/debian/solr) - - [SSHD](roles/debian/ssh_server) - - [SSL](roles/debian/ssl) - - [sudo config](roles/debian/sudo_config) - - [Swap](roles/debian/swap) - 
- [System](roles/debian/system) - - [User Ansible](roles/debian/user_ansible) - - [varnish_config](roles/debian/varnish_config) - - [wazuh](roles/debian/wazuh) - - [Init role](roles/_init) - - ["Meta" roles that group individual roles together.](roles/_meta) - - [AWS account](roles/_meta/aws_account) - - [AWS client](roles/_meta/aws_client_instance) - - [AWS region](roles/_meta/aws_region) - - [\_overrides.](roles/_overrides) + - [Init role](/roles/_init) + - ["Meta" roles that group individual roles together.](/roles/_meta) + - [AWS account](/roles/_meta/aws_account) + - [AWS client](/roles/_meta/aws_client_instance) + - [AWS region](/roles/_meta/aws_region) + - [\_overrides.](/roles/_overrides) + - [AWS Infrastructure](/roles/aws) + - [AWS Network Info](/roles/aws/_aws_network_info) + - [AWS ACL](/roles/aws/aws_acl) + - [AWS Certificate Manager](/roles/aws/aws_acm) + - [AWS AMI](/roles/aws/aws_ami) + - [AWS AMI ASG Cleanup](/roles/aws/aws_ami_asg_cleanup) + - [AWS Backup](/roles/aws/aws_backup) + - [AWS Backup Validation](/roles/aws/aws_backup_validation) + - [AWS CloudFront distribution](/roles/aws/aws_cloudfront_distribution) + - [Cloudwatch log group](/roles/aws/aws_cloudwatch_log_group) + - [Amazon credentials](/roles/aws/aws_credentials) + - [Autoscale cluster](/roles/aws/aws_ec2_autoscale_cluster) + - [EC2 CloudWatch Metric Alarm](/roles/aws/aws_ec2_metric_alarm) + - [EC2 instance with EIP](/roles/aws/aws_ec2_with_eip) + - [AWS EFS](/roles/aws/aws_efs) + - [AWS ElastiCache](/roles/aws/aws_elasticache) + - [AWS IAM EC2](/roles/aws/aws_iam_role) + - [AWS IAM SAML](/roles/aws/aws_iam_saml) + - [AWS OpenSearch](/roles/aws/aws_opensearch) + - [AWS key pair.](/roles/aws/aws_provision_ec2_keypair) + - [AWS RDS](/roles/aws/aws_rds) + - [AWS Resource Group.](/roles/aws/aws_resource_group) + - [AWS S3 Bucket](/roles/aws/aws_s3_bucket) + - [AWS Security Groups](/roles/aws/aws_security_groups) + - [AWS SG/firewall role](/roles/aws/aws_sg_iptables) + - [AWS 
SNS](/roles/aws/aws_sns) + - [VPC](/roles/aws/aws_vpc) + - [Update main route for a given VPC](/roles/aws/aws_vpc_route) + - [VPC](/roles/aws/aws_vpc_subnet) + - [Contributed roles](/roles/contrib) + - [Debian Packages](/roles/debian) + - [Ansible](/roles/debian/ansible) + - [Ansible Galaxy](/roles/debian/ansible_galaxy) + - [APACHE](/roles/debian/apache) + - [Apparmor](/roles/debian/apparmor) + - [Extra packages](/roles/debian/apt_extra_packages) + - [APT Repository](/roles/debian/apt_repository) + - [APT Unattended Upgrades](/roles/debian/apt_unattended_upgrades) + - [AWS CLI](/roles/debian/aws_cli) + - [AWS Cloudwatch agent](/roles/debian/aws_cloudwatch_agent) + - [EFS client](/roles/debian/aws_efs_client) + - [AWS SSM agent](/roles/debian/aws_ssm_agent) + - [ce-deploy](/roles/debian/ce_deploy) + - [Extra packages](/roles/debian/ce_dev) + - [Automated patching](/roles/debian/ce_patcher) + - [ce-provision](/roles/debian/ce_provision) + - [ClamAV](/roles/debian/clamav) + - [Docker CE](/roles/debian/docker_ce) + - [Docker Registry](/roles/debian/docker_registry) + - [Duplicity](/roles/debian/duplicity) + - [Firewall Config](/roles/debian/firewall_config) + - [Frontail](/roles/debian/frontail) + - [Gitlab](/roles/debian/gitlab) + - [Gitlab Runner](/roles/debian/gitlab_runner) + - [GPG Key](/roles/debian/gpg_key) + - [HA Proxy](/roles/debian/haproxy) + - [Managed /etc/hosts](/roles/debian/hosts) + - [Jenkins](/roles/debian/jenkins) + - [Jitsi](/roles/debian/jitsi) + - [LDAP Server](/roles/debian/ldap_server) + - [LHCI](/roles/debian/lhci) + - [Mailpit](/roles/debian/mailpit) + - [Mount sync](/roles/debian/mount_sync) + - [MariaDB Client](/roles/debian/mysql_client) + - [MySQL Server - Oracle Community Edition](/roles/debian/mysql_server_oracle_ce) + - [NGINX](/roles/debian/nginx) + - [NodeJS](/roles/debian/nodejs) + - [OpenVPN](/roles/debian/openvpn) + - [Packer](/roles/debian/packer) + - [PAM LinOTP](/roles/debian/pam_linotp) + - [PHP terminal 
client](/roles/debian/php-cli) + - [PHP common components](/roles/debian/php-common) + - [PHP-FPM](/roles/debian/php-fpm) + - [PHP Composer](/roles/debian/php_composer) + - [PHP XDebug](/roles/debian/php_xdebug) + - [phpMyAdmin](/roles/debian/phpmyadmin) + - [Postfix](/roles/debian/postfix) + - [Process Manager](/roles/debian/process_manager) + - [Python Boto](/roles/debian/python_boto) + - [Python Common](/roles/debian/python_common) + - [Python Pip Packages](/roles/debian/python_pip_packages) + - [rkhunter](/roles/debian/rkhunter) + - [Rsyslog](/roles/debian/rsyslog) + - [solr](/roles/debian/solr) + - [SSHD](/roles/debian/ssh_server) + - [SSL](/roles/debian/ssl) + - [sudo config](/roles/debian/sudo_config) + - [Swap](/roles/debian/swap) + - [System](/roles/debian/system) + - [User Ansible](/roles/debian/user_ansible) + - [varnish_config](/roles/debian/varnish_config) + - [wazuh](/roles/debian/wazuh) From efb357c379d9f42be7d630d93718b5bcc3aaf4b6 Mon Sep 17 00:00:00 2001 
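Review bot: this generated `docs/_Sidebar.md` hunk rewrites every link from a relative path such as `(roles/aws)` to a root-absolute one such as `(/roles/aws)`, so the sidebar now only resolves when the docs are served from `/`; on the GitHub wiki, where `_Sidebar.md` is otherwise picked up, and under any sub-path deployment these links will break, while the relative form worked in both places. Since the file is produced by the docs workflow (the commit author is `github-actions[bot]`), the link prefix should be fixed, or made configurable, in the generator rather than patched here. The reorder in the same hunk (`_init`, `_meta` and `_overrides` moved to the top, `_aws_network_info` ahead of `aws_acl`, `php-fpm` ahead of `php_composer`) is a byte-order sort, which is fine as long as that is the ordering the generator is meant to produce.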
From: Greg Harvey Date: Wed, 8 Jan 2025 13:05:16 +0100 Subject: [PATCH 305/331] Publish docs pr 2.x (#2189) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again…
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr devel 2.x (#2165)
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4
---------
Co-authored-by: Matej Stajduhar
* Remvoing-scp-extra-args-temporary (#1761)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1765)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local 
backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. 
* Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Upda…
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Making the publish docs CI work with 1.x and 2.x.
* Only run when PRs are closed.
* Simplifying installer script.
* Separating script to build table of contents for Hugo and enhancing CI.
* Forgot to add and commit changes to docs.
* Adding safe directory for checked out code and changing order.
* Trying to automate creating a PR instead of a commit.
* Removing obsolete third party action in favour of GH CLI.
* Forgot the PR body text which is required.
* Moving docs head ref check to whole job, not step.
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .github/workflows/ce-provision-publish-docs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index b95472b1d..2745fc41b 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -13,6 +13,8 @@ jobs: # Set the job key. The key is displayed as the job name # when a job name is not provided public-docs: + # Only run the job if it is not coming from a documentation branch + if: ${{ github.event.pull_request.head.ref != 'docs-${{ github.event.pull_request.base.ref }}' }} # Name the Job name: Publish the ce-provision docs to GitHub # Set the type of machine to run on 
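Review bot: the job-level `if:` added in this hunk (`@@ -13,6 +13,8 @@`) nests `${{ ... }}` inside an outer `${{ ... }}`, which GitHub Actions expression syntax does not support; depending on how the runner matches the closing `}}`, the inner `github.event.pull_request.base.ref` either stays as literal text inside the quoted string or the expression fails to parse, and in neither case does the guard compare against the real `docs-<base>` branch name as the comment above it says. Build the string with `format()` instead, e.g. `if: github.event.pull_request.head.ref != format('docs-{0}', github.event.pull_request.base.ref)`. Since the whole job now hinges on `github.event.pull_request`, it is also worth checking that the workflow's triggers are limited to `pull_request` events, because that context is empty for any other event and the guard would then compare an empty value.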
@@ -50,7 +52,6 @@ jobs: # Create docs pull request - name: Create a documentation pull request - if: ${{ github.event.pull_request.head.ref != 'docs-${{ github.event.pull_request.base.ref }}' }} run: gh pr create --base ${{ github.event.pull_request.base.ref }} --head docs-${{ github.event.pull_request.base.ref }} --title "Documentation update" --body "**Automated pull request** created by GitHub Actions because of a documentation update." env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -82,7 +83,6 @@ jobs: - name: Run Hugo run: | /usr/bin/su - ce-dev -c "cd /home/ce-dev/build/wiki2pages && hugo" - ls -la /home/ce-dev/build/wiki2pages/public/ce-provision-${{ github.event.pull_request.base.ref }}/ - name: Publish documentation run: | From 66c6ed9bb18bbe7f5f3cf69ede1b8687e5b5cf49 Mon Sep 17 00:00:00 2001 
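Review bot: in the second hunk (`@@ -50,7 +52,6 @@`), the `gh pr create` command in the `Create a documentation pull request` step still splices `${{ github.event.pull_request.base.ref }}` straight into the `run:` shell line, twice. That value is a branch name of the base repository, so the exposure is limited, but expression-into-shell is the pattern to avoid in workflows: move it into `env:` (e.g. `BASE_REF: ${{ github.event.pull_request.base.ref }}`) and reference it as `--base "$BASE_REF" --head "docs-$BASE_REF"`. Dropping the step-level `if:` here also means the job-level guard is now the only thing stopping the workflow from acting on the `docs-*` branch it creates; a short comment noting that, and that a PR opened with `secrets.GITHUB_TOKEN` does not itself trigger further workflow runs, would save the next reader from re-adding the check.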
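Review bot: the third hunk (`@@ -82,7 +83,6 @@`) removes the `ls -la .../public/ce-provision-${{ github.event.pull_request.base.ref }}/` line, which was the only point in the `Run Hugo` step that fails when the versioned output directory is missing (`ls` on a non-existent path exits non-zero and the `run: |` script stops there). Hugo's own exit status still propagates through `su -c`, but a build that succeeds yet writes somewhere other than the expected `ce-provision-<base>` directory now goes unnoticed until the publish step. Keep a cheap assertion in its place (a `test -d` on the same path, with the branch name passed via `env:` rather than spliced into the command line) so the step fails here instead of publishing nothing.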
From: Greg Harvey
Date: Wed, 8 Jan 2025 13:32:00 +0100
Subject: [PATCH 306/331] Publish docs pr 2.x (#2193)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."

This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.

* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."

This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.

* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."

This reverts commit cf5720b450744915872eacafee82164300df90aa.

* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.

GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.

Co-authored-by: EmlynK

* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."

This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.

* Revert "Making /bin/bash the shell."

This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.

* Revert "Tidying the documentation check."

This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.

* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."

This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.

* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."

This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.

* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.

Co-authored-by: EmlynK

* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)

Co-authored-by: Emlyn Kinzett

* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.

Co-authored-by: Emlyn Kinzett

* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.

Co-authored-by: EmlynK

* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.

Co-authored-by: EmlynK

* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.

GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.

Co-authored-by: EmlynK

* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."

This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.

* Revert "Making /bin/bash the shell."

This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.

* Revert "Tidying the documentation check."

This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.

* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."

This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.

* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."

This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.

* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.

Co-authored-by: EmlynK

* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"

This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.

* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.

Co-authored-by: EmlynK

* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.

GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.

Co-authored-by: EmlynK

* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."

This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.

* Revert "Making /bin/bash the shell."

This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.

* Revert "Tidying the documentation check."

This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.

* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."

This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.

* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."

This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.

* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.

Co-authored-by: EmlynK

* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.

Co-authored-by: Greg Harvey

* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. 
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr devel 2.x (#2165)
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4
---------
Co-authored-by: Matej Stajduhar
* Remvoing-scp-extra-args-temporary (#1761)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1765)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local 
backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. 
* Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Making the publish docs CI work with 1.x and 2.x. * Only run when PRs are closed. * Simplifying installer script. * Separating script to build table of contents for Hugo and enhancing CI. * Forgot to add and commit changes to docs. * Adding safe directory for checked out code and changing order. * Trying to automate creating a PR instead of a commit. * Removing obsolete third party action in favour of GH CLI. * Forgot the PR body text which is required. * Moving docs head ref check to whole job, not step. * Deleting obsolete docs workflow. * Create a PR for devel and main, and better error handling. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .github/workflows/ce-provision-build-docs.yml | 52 ------------------- .../workflows/ce-provision-publish-docs.yml | 6 ++- 2 files changed, 4 insertions(+), 54 deletions(-) delete mode 100644 .github/workflows/ce-provision-build-docs.yml diff --git a/.github/workflows/ce-provision-build-docs.yml b/.github/workflows/ce-provision-build-docs.yml deleted file mode 100644 index fc7286a73..000000000 --- a/.github/workflows/ce-provision-build-docs.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -name: Build docs - -# Run this workflow every time a new commit pushed to your repository -on: pull_request - -jobs: - # Set the job key. The key is displayed as the job name - # when a job name is not provided - build-docs: - # Name the Job - name: Build the documentation - # Set the type of machine to run on - runs-on: ubuntu-20.04 - - steps: - # Checks out a copy of your repository on the ubuntu-latest machine - - name: Checkout code - if: ${{ github.event.pull_request.head.ref != 'documentation' }} - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - # Configures global Git variables for committing - - name: Configure Git - run: | - git config --global user.email "sysadm@codeenigma.com" - git config --global user.name "Code Enigma CI" - git config --global pull.rebase false - - # Builds the docs - - name: Build documentation - if: ${{ github.event.pull_request.head.ref != 'documentation' && github.event.pull_request.base.ref == '1.x' }} - run: | - git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} - git fetch - /bin/sh ./contribute/toc.sh - find . -name "*.md" | xargs git add - git diff --quiet && git diff --staged --quiet || git commit -am 'GitHub Actions - Rebuilt documentation.' - git pull origin documentation - git push origin HEAD:documentation - shell: bash - - # Create docs pull request - - name: Create a documentation pull request - if: ${{ github.event.pull_request.head.ref != 'documentation' && github.event.pull_request.base.ref == '1.x' }} - uses: repo-sync/pull-request@v2 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - source_branch: documentation - destination_branch: ${{ github.event.pull_request.base.ref }} - pr_title: Documentation update. - pr_body: "**Automated pull request** created by GitHub Actions because of a documentation update." 
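Review bot: Deleting this workflow removes the only place the `github.event.pull_request.base.ref == '1.x'` guard appears, so rebuilding documentation for 1.x now depends entirely on ce-provision-publish-docs.yml; confirm that workflow is triggered for pull requests against 1.x as well as 2.x before merging, because this patch only shows its PR-creation step. The removal itself is a welcome reduction of the CI trust surface: it drops the third-party `repo-sync/pull-request@v2` action and the pinned `actions/checkout@v2` on `ubuntu-20.04`, and it removes the `git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/...` step that embedded the token in the remote URL instead of relying on the checkout action's own credential handling.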
diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index 2745fc41b..dceaf2687 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -51,8 +51,10 @@ jobs: /usr/bin/git push # Create docs pull request - - name: Create a documentation pull request - run: gh pr create --base ${{ github.event.pull_request.base.ref }} --head docs-${{ github.event.pull_request.base.ref }} --title "Documentation update" --body "**Automated pull request** created by GitHub Actions because of a documentation update." + - name: Create documentation pull requests + run: | + gh pr create --base ${{ github.event.pull_request.base.ref }} --head docs-${{ github.event.pull_request.base.ref }} --title "Documentation update - ${{ github.event.pull_request.base.ref }}" --body "**Automated pull request** created by GitHub Actions because of a documentation update." || echo "No commits between ${{ github.event.pull_request.base.ref }} and docs-${{ github.event.pull_request.base.ref }} - no PR created!" + gh pr create --base devel-${{ github.event.pull_request.base.ref }} --head docs-${{ github.event.pull_request.base.ref }} --title "Documentation update - devel-${{ github.event.pull_request.base.ref }}" --body "**Automated pull request** created by GitHub Actions because of a documentation update." || echo "No commits between devel-${{ github.event.pull_request.base.ref }} and docs-${{ github.event.pull_request.base.ref }} - no PR created!" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 67ea50f8a0e8b961673b4243ebdbfa646fd71248 Mon Sep 17 00:00:00 2001 From: nfawbert <62660788+nfawbert@users.noreply.github.com> Date: Wed, 8 Jan 2025 12:52:52 +0000 Subject: [PATCH 307/331] r71115-default-ldap-ca-cert (#2197) --- roles/debian/pam_ldap/templates/ldap.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
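Review bot: In the ce-provision-publish-docs.yml hunk above, the `|| echo "No commits between ... - no PR created!"` appended to both `gh pr create` calls masks every failure mode, not only the no-commits case: an expired or under-scoped `GH_TOKEN`, a missing `devel-${{ github.event.pull_request.base.ref }}` branch, or a GitHub API error all print the misleading "no commits" message and let the step succeed, so a broken documentation pipeline goes unnoticed. Capture the command's stderr and only tolerate the specific "No commits between" error from `gh`, letting anything else fail the step, or check for new commits first (for example `git log --oneline ${{ github.event.pull_request.base.ref }}..docs-${{ github.event.pull_request.base.ref }}`) and skip `gh pr create` when there are none. The two `gh pr create` lines also repeat the full title and body with only the base ref differing; a loop over the two base refs inside the `run: |` block would keep them from drifting apart.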
diff --git a/roles/debian/pam_ldap/templates/ldap.conf.j2 b/roles/debian/pam_ldap/templates/ldap.conf.j2 index b613deaea..a4f1ddca7 100644 --- a/roles/debian/pam_ldap/templates/ldap.conf.j2 +++ b/roles/debian/pam_ldap/templates/ldap.conf.j2 @@ -1,7 +1,7 @@ BASE {{ pam_ldap.lookup_base }} URI {{ pam_ldap.endpoints | join(' ') }} {% if pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %} -TLS_CACERT /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }} +TLS_CACERT /etc/ssl/certs/ca-certificates.crt {% endif %} BIND_TIMELIMIT 5 TIMEOUT 5 @@ -11,4 +11,4 @@ pam_lookup_policy yes {% if pam_ldap.ssl_certificate_check is defined and not pam_ldap.ssl_certificate_check %} TLS_REQCERT never -{% endif %} \ No newline at end of file +{% endif %} From 9893d681715c06cdf41a78efbcdd38be0196ae07 Mon Sep 17 00:00:00 2001 
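Review bot: the `TLS_CACERT` change swaps a pinned CA file (`/etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}`) for the whole system trust store, but keeps the surrounding `{% if pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %}` guard keyed on a variable whose value the template no longer uses. Either rename the guard to a plain boolean (for example `pam_ldap.ssl`, a suggested name) or document that `ssl_certificate` now only toggles TLS and that a private LDAP CA must be installed into the system bundle (on Debian, drop it in `/usr/local/share/ca-certificates/` and run `update-ca-certificates`) before validation will succeed. Without that note, operators who hit verification failures against an internal CA are likely to reach for `pam_ldap.ssl_certificate_check: false`, which the unchanged lines below turn into `TLS_REQCERT never` and disables certificate validation entirely. The trailing newline added to the final `{% endif %}` is a good fix.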
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 8 Jan 2025 13:57:17 +0100 Subject: [PATCH 308/331] Documentation update - 2.x (#2198) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. 
* Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. 
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. 
(#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. 
(#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. 
* Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." 
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. 
* Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. 
* Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. 
* Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. 
* Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. 
* Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. 
* Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. 
* Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. 
* Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." 
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. 
* Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. 
* Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Publish docs pr devel 2.x (#2165) * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. 
* Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. 
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4
---------
Co-authored-by: Matej Stajduhar
* Remvoing-scp-extra-args-temporary (#1761)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1765)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Upda…
* Publish docs pr devel 2.x (#2167)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. 
* Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. 
* _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. 
* Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. 
* Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 
(#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. 
* Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * 
Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. 
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2…
* Publish docs pr devel 2.x (#2169)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing eroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostGreSQL logs to see if there are errors. * Outputting PostGreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
---------

Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com>
Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com>
Co-authored-by: Matej Stajduhar
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Co-authored-by: Klaus Purer
Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com>
Co-authored-by: filip

* Publish docs pr devel 2.x (#2170)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2

---------

Co-authored-by: Matej Stajduhar

* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2

---------

Co-authored-by: Matej Stajduhar

* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)

Co-authored-by: Matej Stajduhar

* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority

---------

Co-authored-by: Matej Stajduhar

* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update

---------

Co-authored-by: Matej Stajduhar

* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)

Co-authored-by: Matej Stajduhar

* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)

Co-authored-by: Matej Stajduhar

* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)

Co-authored-by: Matej Stajduhar

* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue

---------
Co-authored-by: Matej Stajduhar

* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update

---------

Co-authored-by: Matej Stajduhar

* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting

---------

Co-authored-by: Matej Stajduhar

* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)

Co-authored-by: Matej Stajduhar

* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json

---------

Co-authored-by: Matej Stajduhar

* updating asg role to support custom rule on http and https (#1959)

Co-authored-by: filip

* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role

---------

Co-authored-by: filip

* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. 
* Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. 
* Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Making the publish docs CI work with 1.x and 2.x. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Matej Stajduhar Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip * Publish docs pr devel 2.x (#2172) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. 
* Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * 
Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. 
* Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. 
* Fixing role dependency in NGINX role. * r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Rem…
* Publish docs pr devel 2.x (#2173)
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * … * Publish docs pr devel 2.x (#2175) * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. 
* Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. 
* Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. 
* Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) 
* apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed.
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles.
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* …
* Publish docs pr devel 2.x (#2176)
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aw…
* Publish docs pr devel 2.x (#2178)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) … * Publish docs pr devel 2.x (#2180) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x 
(#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment f…
* Publish docs pr devel 2.x (#2182)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)

Co-authored-by: Matej Stajduhar

* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json

---------

Co-authored-by: Matej Stajduhar

* updating asg role to support custom rule on http and https (#1959)

Co-authored-by: filip

* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role

---------

Co-authored-by: filip

* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search

---------

Co-authored-by: Matej Stajduhar

* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable

---------

Co-authored-by: Matej Stajduhar

* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan

---------

Co-authored-by: Matej Stajduhar

* Matching-2.x-and-devel-branches (#1999)

Co-authored-by: Matej Stajduhar

* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name

---------

Co-authored-by: Matej Stajduhar

* Resolving-conflicts (#2015)

Co-authored-by: Matej Stajduhar

* Resolving-conflicts (#2018)

Co-authored-by: Matej Stajduhar

* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash

---------

Co-authored-by: Matej Stajduhar

* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)

Co-authored-by: Matej Stajduhar

* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)

Co-authored-by: Matej Stajduhar

* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)

Co-authored-by: Matej Stajduhar

* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks

---------

Co-authored-by: Matej Stajduhar

* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)

Co-authored-by: Matej Stajduhar

* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task

---------

Co-authored-by: Matej Stajduhar

* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)

Co-authored-by: Matej Stajduhar

* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)

Co-authored-by: Matej Stajduhar

* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2

---------

Co-authored-by: Matej Stajduhar

* Fixing-non-utf8-item (#2116)

Co-authored-by: Matej Stajduhar

* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition

---------

Co-authored-by: Matej Stajduhar

* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role

---------

Co-authored-by: Matej Stajduhar

* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2

---------

Co-authored-by: Matej Stajduhar

* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
…
* Publish docs pr devel 2.x (#2183)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring… * Publish docs pr devel 2.x (#2185) * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostGreSQL logs to see if there are errors.
* Outputting PostGreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a0140… * Publish docs pr devel 2.x (#2188) * r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. 
* Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. 
* Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. * Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. 
* Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. 
* Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. 
* Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via …
* Publish docs pr devel 2.x (#2192)
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-… --------- Co-authored-by: Greg Harvey Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip From 8a4d8c558831d70a718c78c8eef8ce58bc1c58be Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Wed, 8 Jan 2025 14:39:25 +0100 Subject: [PATCH 309/331] Publish docs pr 2.x (#2203) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
(#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again…
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr devel 2.x (#2165)
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Upda…
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Making the publish docs CI work with 1.x and 2.x.
* Only run when PRs are closed.
* Simplifying installer script.
* Separating script to build table of contents for Hugo and enhancing CI.
* Forgot to add and commit changes to docs.
* Adding safe directory for checked out code and changing order.
* Trying to automate creating a PR instead of a commit.
* Removing obsolete third party action in favour of GH CLI.
* Forgot the PR body text which is required.
* Moving docs head ref check to whole job, not step.
* Deleting obsolete docs workflow.
* Create a PR for devel and main, and better error handling.
* Very convoluted way to have a dynamic head branch in an 'if' expression.
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .../workflows/ce-provision-publish-docs.yml | 22 +++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index dceaf2687..be0c8479b 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml 
@@ -8,13 +8,27 @@ on: - 1.x - 2.x workflow_dispatch: +# Set target docs branch name +env: + docs_branch: docs-${{ github.event.pull_request.base.ref }} jobs: - # Set the job key. The key is displayed as the job name - # when a job name is not provided - public-docs: + # See https://stackoverflow.com/a/74378072 + set-docs-branch: + name: Make docs branch name available to publish-docs job + runs-on: ubuntu-latest + outputs: + docs_branch: ${{ steps.init.outputs.docs_branch }} + + steps: + - name: Make environment variables global + id: init + run: | + echo "docs_branch=${{ env.docs_branch }}" >> $GITHUB_OUTPUT + + publish-docs: # Only run the job if it is not coming from a documentation branch - if: ${{ github.event.pull_request.head.ref != 'docs-${{ github.event.pull_request.base.ref }}' }} + if: ${{ github.event.pull_request.head.ref != needs.set-docs-branch.outputs.docs_branch }} # Name the Job name: Publish the ce-provision docs to GitHub # Set the type of machine to run on From 4fada37a692418bc42cb85762ec67e93c71ef4a6 Mon Sep 17 00:00:00 2001 
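Review bot: the new guard on publish-docs compares github.event.pull_request.head.ref with needs.set-docs-branch.outputs.docs_branch, but nothing in this hunk declares "needs: set-docs-branch" on the publish-docs job; unless that line exists below the visible context, the needs context for publish-docs is empty, the output evaluates to an empty string, and the comparison is always true, so the job would run for the docs branch it is meant to skip. Add "needs: set-docs-branch" to publish-docs (or fold the branch-name computation into the job's own if expression). Two smaller points on the same hunk: the workflow also fires on workflow_dispatch, where github.event.pull_request is undefined, so docs_branch becomes the literal "docs-" and head.ref is empty; an explicit "github.event_name == 'pull_request' &&" in the if expression would make that path deliberate rather than accidental. And in the init step, "echo "docs_branch=${{ env.docs_branch }}" >> $GITHUB_OUTPUT" splices the value into the shell script through expression interpolation; since workflow-level env is already exported to run steps, "echo "docs_branch=$docs_branch" >> "$GITHUB_OUTPUT"" keeps event-derived values out of the script text and avoids the template-to-shell injection pattern for anything taken from the PR payload.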
From: Greg Harvey
Date: Wed, 8 Jan 2025 14:45:01 +0100
Subject: [PATCH 310/331] Publish docs pr 2.x (#2205)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. 
* Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr devel 2.x (#2165) * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4
---------
Co-authored-by: Matej Stajduhar
* Remvoing-scp-extra-args-temporary (#1761)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1765)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Upda…
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Making the publish docs CI work with 1.x and 2.x.
* Only run when PRs are closed.
* Simplifying installer script.
* Separating script to build table of contents for Hugo and enhancing CI.
* Forgot to add and commit changes to docs.
* Adding safe directory for checked out code and changing order.
* Trying to automate creating a PR instead of a commit.
* Removing obsolete third party action in favour of GH CLI.
* Forgot the PR body text which is required.
* Moving docs head ref check to whole job, not step.
* Deleting obsolete docs workflow.
* Create a PR for devel and main, and better error handling.
* Very convoluted way to have a dynamic head branch in an 'if' expression.
* Need a 'needs' line to make sure context is set first.
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .github/workflows/ce-provision-publish-docs.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index be0c8479b..6bd457aa8 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -27,11 +27,10 @@ jobs: echo "docs_branch=${{ env.docs_branch }}" >> $GITHUB_OUTPUT publish-docs: + name: Publish the ce-provision docs to GitHub # Only run the job if it is not coming from a documentation branch + needs: set-docs-branch if: ${{ github.event.pull_request.head.ref != needs.set-docs-branch.outputs.docs_branch }} - # Name the Job - name: Publish the ce-provision docs to GitHub - # Set the type of machine to run on runs-on: ubuntu-latest # Use our ce-dev Debian base container 
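Review bot: the `needs: set-docs-branch` line is the substantive fix in this hunk and deserves its own comment. The job-level `if:` compares `github.event.pull_request.head.ref` with `needs.set-docs-branch.outputs.docs_branch`, and a job can only read another job's outputs when that job is listed under `needs`; without it the output resolves to an empty string, `head.ref != ''` is always true, and the guard never skipped the job for documentation-branch PRs (which is what the commit message "Need a 'needs' line to make sure context is set first" describes). The surviving comment `# Only run the job if it is not coming from a documentation branch` now sits between `name:` and `needs:` rather than beside the `if:` it explains; suggest moving it down one line, or extending it to say that `needs` is required for the expression to work, so the dependency is not later removed as apparently unused.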
From 8ddb25428dc2773f715a8cd3feb9edc7387789cb Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 8 Jan 2025 14:47:54 +0100
Subject: [PATCH 311/331] Documentation update - 2.x (#2200)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." 
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. 
* Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. 
* Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. 
* Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. 
* Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. 
* Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. 
* Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. 
* Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again…
* Publish docs pr devel 2.x (#2165)
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Removing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. 
* Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. 
* Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. 
* Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. 
* Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. 
* Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav.
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Publish docs pr devel 2.x (#2167) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. 
* Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. 
* Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. 
* _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. 
* Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2… * Publish docs pr devel 2.x (#2169) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. 
* Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav.
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs.
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Matej Stajduhar Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip * Publish docs pr devel 2.x (#2170) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. 
* Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. 
* Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue ---------
Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines.
* Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. 
* Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. 
* Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. 
* Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. 
* r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. * Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. 
* Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. 
* Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. 
* Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. 
* Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Making the publish docs CI work with 1.x and 2.x.
---------
Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com>
Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com>
Co-authored-by: Matej Stajduhar
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
Co-authored-by: Klaus Purer
Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com>
Co-authored-by: filip
* Publish docs pr devel 2.x (#2172)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed.
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles.
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Rem… * Publish docs pr devel 2.x (#2173) * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. 
* Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. 
* Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. 
* Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar 
* Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* …
* Publish docs pr devel 2.x (#2175)
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* … * Publish docs pr devel 2.x (#2176) * Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update 
--------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aw… * Publish docs pr devel 2.x (#2178) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * 
Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. 
* Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) … * Publish docs pr devel 2.x (#2180) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x 
(#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment f… * Publish docs pr devel 2.x (#2182) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * 
Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. 
* Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing eroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostGreSQL logs to see if there are errors. * Outputting PostGreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
…
* Publish docs pr devel 2.x (#2183)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring… * Publish docs pr devel 2.x (#2185) * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a0140… * Publish docs pr devel 2.x (#2188) * r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. 
* Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. 
* Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. * Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. 
* Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. 
* Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. 
* Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. 
* Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. 
* Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via … * Publish docs pr devel 2.x (#2192) * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. 
* Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. 
* Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. 
* Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. 
* Revert "Fixing ansible-… --------- Co-authored-by: Greg Harvey Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip From 72137a4e0c2bdb28b27371c410ae3913a280a9b0 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Thu, 9 Jan 2025 16:48:57 +0100 Subject: [PATCH 312/331] Enhanced quick start pr 2.x (#2207) * Added more generic firewall rules that might be useful. * Added an update step to the installer. * Providing some default playbooks people can use in ce-provision. * Slight docs tweak for showtime! --- install.sh | 4 +- plays/aws_account/README.md | 3 + plays/aws_account/aws_account.yml | 16 ++++++ plays/aws_asg/README.md | 14 +++++ plays/aws_asg/ami.yml | 35 ++++++++++++ plays/aws_asg/asg.yml | 25 +++++++++ plays/aws_asg/cluster.yml | 5 ++ plays/aws_ec2_standalone/README.md | 8 +++ plays/aws_ec2_standalone/ami.yml | 20 +++++++ plays/aws_ec2_standalone/ec2.yml | 24 ++++++++ plays/aws_ec2_standalone/launch.yml | 38 +++++++++++++ plays/aws_ec2_standalone/mysql_client.yml | 32 +++++++++++ plays/aws_ec2_standalone/provision.yml | 29 ++++++++++ plays/aws_ec2_standalone/rds.yml | 56 +++++++++++++++++++ plays/aws_ec2_standalone/server.yml | 11 ++++ plays/aws_region/README.md | 3 + plays/aws_region/aws_region.yml | 17 ++++++ plays/controller/README.md | 31 ++++++++++ plays/controller/aws_controller.yml | 7 +++ plays/controller/provision.yml | 22 ++++++++ plays/deploy/README.md | 31 ++++++++++ plays/deploy/aws_deploy.yml | 7 +++ plays/deploy/provision.yml | 22 ++++++++ roles/_init/defaults/main.yml | 6 ++ .../debian/firewall_config/defaults/main.yml | 24 ++++++++ 25 files changed, 489 insertions(+), 1 deletion(-) create mode 100644 plays/aws_account/README.md create mode 100644 plays/aws_account/aws_account.yml create mode 100644 plays/aws_asg/README.md create mode 100644 plays/aws_asg/ami.yml create mode 100644 plays/aws_asg/asg.yml create mode 100644 plays/aws_asg/cluster.yml create mode 100644 plays/aws_ec2_standalone/README.md create mode 100644 plays/aws_ec2_standalone/ami.yml create mode 100644 plays/aws_ec2_standalone/ec2.yml create mode 100644 plays/aws_ec2_standalone/launch.yml create mode 100644 plays/aws_ec2_standalone/mysql_client.yml create mode 
100644 plays/aws_ec2_standalone/provision.yml create mode 100644 plays/aws_ec2_standalone/rds.yml create mode 100644 plays/aws_ec2_standalone/server.yml create mode 100644 plays/aws_region/README.md create mode 100644 plays/aws_region/aws_region.yml create mode 100644 plays/controller/README.md create mode 100644 plays/controller/aws_controller.yml create mode 100644 plays/controller/provision.yml create mode 100644 plays/deploy/README.md create mode 100644 plays/deploy/aws_deploy.yml create mode 100644 plays/deploy/provision.yml diff --git a/install.sh b/install.sh index 0776988a7..94fc15548 100755 --- a/install.sh +++ b/install.sh @@ -161,7 +161,9 @@ if [ ! -d "/home/$CONTROLLER_USER/ce-provision" ]; then /usr/bin/su - "$CONTROLLER_USER" -c "git clone --branch $CONFIG_REPO_BRANCH $CONFIG_REPO /home/$CONTROLLER_USER/ce-provision/config" /usr/bin/su - "$CONTROLLER_USER" -c "/usr/bin/ln -s /home/$CONTROLLER_USER/ce-provision/config/ansible.cfg /home/$CONTROLLER_USER/ce-provision/ansible.cfg" else - /usr/bin/echo "ce-provision directory at /home/$CONTROLLER_USER/ce-provision already exists. Skipping." + /usr/bin/echo "ce-provision directory at /home/$CONTROLLER_USER/ce-provision already exists. Updating." + /usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && git pull origin $VERSION" + /usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision/config && git pull origin $CONFIG_REPO_BRANCH" /usr/bin/echo "-------------------------------------------------" fi /usr/bin/mkdir -p "/home/$CONTROLLER_USER/ce-provision/galaxy/roles" diff --git a/plays/aws_account/README.md b/plays/aws_account/README.md new file mode 100644 index 000000000..b47a9d428 --- /dev/null +++ b/plays/aws_account/README.md @@ -0,0 +1,3 @@ +# Base playbook for configuring an AWS account. + +@TODO provide example infra repo for use with the AWS EC2 inventory plugin. 
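Review bot: the two new `git pull` calls in the `else` branch of install.sh have no error handling, so a failed fetch or a merge conflict is printed and ignored while the script carries on with whatever was already checked out, even though the message now says "Updating."; `git pull origin $VERSION` also merges that ref into whichever branch the controller user currently has checked out instead of switching to `$VERSION`, and produces a merge commit (or stops on a dirty tree) if the local checkout has diverged. Suggest `git fetch origin && git checkout "$VERSION" && git pull --ff-only origin "$VERSION"` (and the same for the config repo with `$CONFIG_REPO_BRANCH`), followed by `|| exit 1`, so a stale install is never reported as updated. Separately, the new plays/aws_account/README.md is only a title and a @TODO; one sentence on how aws_account.yml is meant to be imported and which variables it expects would make it usable.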
diff --git a/plays/aws_account/aws_account.yml b/plays/aws_account/aws_account.yml new file mode 100644 index 000000000..f6184b34c --- /dev/null +++ b/plays/aws_account/aws_account.yml @@ -0,0 +1,16 @@ +--- +# Global infra setup. +- hosts: localhost + connection: local + become: false + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + # used for tagging + _profile: core + _env_type: core + roles: + - _init + - _meta/aws_account + - _exit diff --git a/plays/aws_asg/README.md b/plays/aws_asg/README.md new file mode 100644 index 000000000..9ee9b5757 --- /dev/null +++ b/plays/aws_asg/README.md @@ -0,0 +1,14 @@ +# Base playbooks for creating a new AWS ASG. +For a standard ASG build just add `cluster.yml` to your environment play, like this: + +```yaml +- import_playbook: "{{ _ce_provision_base_dir }}/plays/aws_asg/cluster.yml" + vars: + _aws_region: eu-west-1 + _env_type: dev + _aws_resource_name: cluster-acme-com +``` + +If you have specific requirements for your AMIs you can copy these plays to your infra repository and alter them accordingly. Don't forget to copy/include `launch.yml` from the `_ec2_standalone` plays or orchestration of brand new clusters will fail. + +@TODO provide example infra repo for use with the AWS EC2 inventory plugin. diff --git a/plays/aws_asg/ami.yml b/plays/aws_asg/ami.yml new file mode 100644 index 000000000..5a82deac5 --- /dev/null +++ b/plays/aws_asg/ami.yml 
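Review bot: the aws_asg README example passes only `_aws_region`, `_env_type` and `_aws_resource_name` to cluster.yml, but cluster.yml imports launch.yml, whose `ami_groups` list also references `_infra_name`, so the example as written fails with an undefined variable unless `_infra_name` is set somewhere else; add it to the example or state where it must come from. The sentence "copy/include `launch.yml` from the `_ec2_standalone` plays" names a directory that does not exist in this patch: the directory is `aws_ec2_standalone`. Minor: the example uses bare `import_playbook` while the plays themselves use `ansible.builtin.import_playbook`; pick one form. In aws_account.yml the play loads only the `_global` vars dir and sets `_profile`/`_env_type` to `core`, which fits the "Global infra setup" comment, but that account-wide, non-regional scope should be stated in the README rather than left to be inferred.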
@@ -0,0 +1,35 @@ +--- +# This is the provisioning for the AMI and will run inside a temporary instance using Packer. +- hosts: default + become: true + + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/_common" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/{{ _env_type }}" + - "{{ _ce_provision_build_dir }}/vars/{{ _aws_resource_name }}" + _profile: asg + + tasks: + - name: Upgrade the system and update cache + ansible.builtin.apt: + upgrade: dist + update_cache: true + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: _meta/aws_client_instance + - ansible.builtin.import_role: + name: _meta/webserver + - ansible.builtin.import_role: + name: debian/aws_efs_client + - ansible.builtin.import_role: + name: debian/squashfs + - ansible.builtin.import_role: + name: debian/mount_sync + - ansible.builtin.import_role: + name: debian/swap + - ansible.builtin.import_role: + name: _exit diff --git a/plays/aws_asg/asg.yml b/plays/aws_asg/asg.yml new file mode 100644 index 000000000..9a1367869 --- /dev/null +++ b/plays/aws_asg/asg.yml @@ -0,0 +1,25 @@ +--- +# Common ASG infra. +- hosts: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + connection: local + become: false + + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/_common" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/{{ _env_type }}" + - "{{ _ce_provision_build_dir }}/vars/{{ _aws_resource_name }}" + _profile: asg + + tasks: + - ansible.builtin.import_role: + name: _init + run_once: true + - ansible.builtin.import_role: + name: aws/aws_ec2_autoscale_cluster + run_once: true + - ansible.builtin.import_role: + name: _exit + run_once: true diff --git a/plays/aws_asg/cluster.yml b/plays/aws_asg/cluster.yml new file mode 100644 index 000000000..9a2f93f03 
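Review bot: in plays/aws_asg/ami.yml the `apt upgrade: dist` task runs before `_init` is imported, so it executes unconditionally, before any of the listed `vars_dirs` are loaded, and cannot be switched off or controlled per environment; moving it after `_init` and gating it on a variable would let a build reproduce an AMI from a known package state instead of whatever the mirror serves at bake time. None of the `import_role` tasks here or in asg.yml has a `name:`, which makes Packer and Ansible output hard to follow. asg.yml puts `run_once: true` on every import because the play targets the `_{{ _aws_resource_name }}` group rather than localhost; that is reasonable, but a one-line comment saying so would save the next reader from guessing.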
--- /dev/null +++ b/plays/aws_asg/cluster.yml @@ -0,0 +1,5 @@ +--- +# Creates hosts entry so play isn't skipped. +- ansible.builtin.import_playbook: ../aws_ec2_standalone/launch.yml +# Spins up the cluster. +- ansible.builtin.import_playbook: asg.yml diff --git a/plays/aws_ec2_standalone/README.md b/plays/aws_ec2_standalone/README.md new file mode 100644 index 000000000..7c7872193 --- /dev/null +++ b/plays/aws_ec2_standalone/README.md @@ -0,0 +1,8 @@ +# Base playbook for setting up a standalone EC2 instance. +IMPORTANT: these plays deliberately exclude the `_init._profile` variable because it usually needs to be set at runtime or in a separate infrastructure config repo. + +The `server.yml` file is the 'main' play, to customise we suggest this is copied to an infra repo and renamed as `hostname.yml` e.g. `acme-dev1.yml`. You also need to copy `provision.yml` so you can control what is provisioned. The `provision.yml` file is intended only as a model. + +If you want a separate RDS instance to pair with your EC2 instance then uncomment the last two play import lines in `server.yml`, however note you do need to sort out outbound firewall ports in iptables and a Security Group for inbound traffic to the RDS instance - usually port `3306` outbound from the EC2 instance in `firewall_config` and an SG that allows `3306` inbound to RDS. + +@TODO provide example infra repo for use with the AWS EC2 inventory plugin. diff --git a/plays/aws_ec2_standalone/ami.yml b/plays/aws_ec2_standalone/ami.yml new file mode 100644 index 000000000..e2fa4297d --- /dev/null +++ b/plays/aws_ec2_standalone/ami.yml 
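Review bot: the aws_ec2_standalone README tells the reader to add "an SG that allows `3306` inbound to RDS" without saying what the source of that rule should be; state that it should reference the EC2 instance's security group (or its private subnet CIDR) and not a 0.0.0.0/0 source, since a reader following the text literally can end up with the database port exposed to the internet. The README also refers to "the last two play import lines in `server.yml`", but server.yml is not shown in this part of the patch, so the reader cannot see which imports are meant; naming the files (rds.yml and mysql_client.yml appear in the diffstat) would be clearer. cluster.yml itself is fine, but its relative `../aws_ec2_standalone/launch.yml` path breaks as soon as someone copies the aws_asg plays into an infra repo as the aws_asg README suggests; a comment noting the path must be adjusted would help.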
@@ -0,0 +1,20 @@ +--- +# This is the bare provisioning for the AMI. +- hosts: default + become: true + + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/_common" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/{{ _env_type }}" + - "{{ _ce_provision_build_dir }}/vars/{{ _aws_resource_name }}" + + tasks: + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: debian/user_provision + - ansible.builtin.import_role: + name: _exit diff --git a/plays/aws_ec2_standalone/ec2.yml b/plays/aws_ec2_standalone/ec2.yml new file mode 100644 index 000000000..84b2bcfbc --- /dev/null +++ b/plays/aws_ec2_standalone/ec2.yml @@ -0,0 +1,24 @@ +--- +# First step. Spin up a "blank" instance from a fresh AMI. +- hosts: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + connection: local + become: false + + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/_common" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/{{ _env_type }}" + - "{{ _ce_provision_build_dir }}/vars/{{ _aws_resource_name }}" + + tasks: + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: aws/aws_ami + - ansible.builtin.import_role: + name: aws/aws_ec2_with_eip + - ansible.builtin.import_role: + name: _exit + - ansible.builtin.meta: refresh_inventory diff --git a/plays/aws_ec2_standalone/launch.yml b/plays/aws_ec2_standalone/launch.yml new file mode 100644 index 000000000..2d9f13ac6 --- /dev/null +++ b/plays/aws_ec2_standalone/launch.yml 
@@ -0,0 +1,38 @@ +--- +# Prepare the ground for a new EC2 machine +- hosts: localhost + connection: local + become: false + + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/_common" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/{{ _env_type }}" + - "{{ _ce_provision_build_dir }}/vars/{{ _aws_resource_name }}" + # copied from aws_ami.yml in group_vars/all because we do not want to load aws_ami vars yet + ami_groups: + - "all" + - "_{{ _aws_resource_name | regex_replace('-', '_') }}" + - "_{{ _infra_name | regex_replace('-', '_') }}" + - "_{{ _env_type | regex_replace('-', '_') }}" + + tasks: + - ansible.builtin.import_role: + name: _init + - name: Blank the _aws_hostname variable. + ansible.builtin.set_fact: + _aws_hostname: "" + - name: Check to see if an Ansible host exists. + ansible.builtin.set_fact: + _aws_hostname: "{{ item }}" + with_inventory_hostnames: + - "_{{ _aws_resource_name | regex_replace('-', '_') }}" + - name: If an Ansible host is not found, create it so we can execute EC2 orchestration. + ansible.builtin.add_host: + name: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + groups: "{{ ami_groups }}" + when: _aws_hostname | length == 0 + - ansible.builtin.import_role: + name: _exit diff --git a/plays/aws_ec2_standalone/mysql_client.yml b/plays/aws_ec2_standalone/mysql_client.yml new file mode 100644 index 000000000..b39135fbc --- /dev/null +++ b/plays/aws_ec2_standalone/mysql_client.yml 
@@ -0,0 +1,32 @@ +--- +- hosts: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + become: true + + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/_common" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/{{ _env_type }}" + - "{{ _ce_provision_build_dir }}/vars/{{ _aws_resource_name }}" + + tasks: + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: debian/user_deploy + # Look up RDS hostname + - name: Get information about an instance + community.aws.rds_instance_info: + region: "{{ _aws_region }}" + profile: "{{ _aws_profile }}" + db_instance_identifier: "{{ _aws_resource_name }}" + become: true + become_user: "{{ user_provision.username }}" + delegate_to: localhost # needs to run on controller + register: _database_info + # Install MySQL client + - ansible.builtin.import_role: + name: debian/mysql_client + - ansible.builtin.import_role: + name: _exit diff --git a/plays/aws_ec2_standalone/provision.yml b/plays/aws_ec2_standalone/provision.yml new file mode 100644 index 000000000..bbe70e8dd --- /dev/null +++ b/plays/aws_ec2_standalone/provision.yml 
@@ -0,0 +1,29 @@ +--- +- hosts: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + become: true + + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/_common" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/{{ _env_type }}" + - "{{ _ce_provision_build_dir }}/vars/{{ _aws_resource_name }}" + + tasks: + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: ce_ldap_safelist + - ansible.builtin.import_role: + name: _meta/common_base + - ansible.builtin.import_role: + name: _meta/aws_client_instance + - ansible.builtin.import_role: + name: debian/ssh_server + - ansible.builtin.import_role: + name: debian/firewall_config + - ansible.builtin.import_role: + name: debian/swap + - ansible.builtin.import_role: + name: _exit diff --git a/plays/aws_ec2_standalone/rds.yml b/plays/aws_ec2_standalone/rds.yml new file mode 100644 index 000000000..5815bb2dd --- /dev/null +++ b/plays/aws_ec2_standalone/rds.yml 
@@ -0,0 +1,56 @@ +--- +# Create an RDS instance. +- hosts: "_{{ _aws_resource_name | regex_replace('-', '_') }}" + connection: local + become: false + + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/_common" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/{{ _env_type }}" + - "{{ _ce_provision_build_dir }}/vars/{{ _aws_resource_name }}" + + tasks: + - ansible.builtin.import_role: + name: _init + + # Automate subnet fetching + - name: Create empty var to hold subnet IDs. + ansible.builtin.set_fact: + _aws_rds_vpc_subnet_ids: [] + + - name: Gather VPC information. + amazon.aws.ec2_vpc_net_info: + profile: "{{ aws_rds.aws_profile }}" + region: "{{ aws_rds.region }}" + filters: + "tag:Name": "{{ _infra_name }}" + register: _aws_rds_vpc + + - name: Set the VPC id from name. + ansible.builtin.set_fact: + _aws_rds_vpc_id: "{{ _aws_rds_vpc.vpcs[0].vpc_id }}" + + - name: Gather public subnet information. + amazon.aws.ec2_vpc_subnet_info: + profile: "{{ aws_rds.aws_profile }}" + region: "{{ aws_rds.region }}" + filters: + vpc-id: "{{ _aws_rds_vpc_id }}" + tag:Env: "{{ _env_type }}" + tag:Profile: "core" + register: _aws_rds_vpc_subnets + + - name: Place subnet IDs in a list. + ansible.builtin.set_fact: + _aws_rds_vpc_subnet_ids: "{{ _aws_rds_vpc_subnet_ids + [item.subnet_id] }}" + loop: "{{ _aws_rds_vpc_subnets.subnets }}" + + # Build the RDS instance. + - ansible.builtin.import_role: + name: aws/aws_rds + + - ansible.builtin.import_role: + name: _exit diff --git a/plays/aws_ec2_standalone/server.yml b/plays/aws_ec2_standalone/server.yml new file mode 100644 index 000000000..282a73f16 --- /dev/null +++ b/plays/aws_ec2_standalone/server.yml 
@@ -0,0 +1,11 @@ +# Prepares a host entry so the ec2.yml play succeeds. +- ansible.builtin.import_playbook: "{{ _ce_provision_base_dir }}/plays/aws_ec2_standalone/launch.yml" +# Spins up the instance. +# We use the central _deploy role to provision the EC2 instance to avoid duplication. +- ansible.builtin.import_playbook: "{{ _ce_provision_base_dir }}/plays/aws_ec2_standalone/ec2.yml" +# Actual provisioning +- ansible.builtin.import_playbook: provision.yml +# RDS instance +#- ansible.builtin.import_playbook: "{{ _ce_provision_base_dir }}/plays/aws_ec2_standalone/rds.yml" +# MySQL client - needs to happen after RDS instance is created +#- ansible.builtin.import_playbook: "{{ _ce_provision_base_dir }}/plays/aws_ec2_standalone/mysql_client.yml" diff --git a/plays/aws_region/README.md b/plays/aws_region/README.md new file mode 100644 index 000000000..8073b43fc --- /dev/null +++ b/plays/aws_region/README.md @@ -0,0 +1,3 @@ +# Base playbook for configuring an AWS region. + +@TODO provide example infra repo for use with the AWS EC2 inventory plugin. diff --git a/plays/aws_region/aws_region.yml b/plays/aws_region/aws_region.yml new file mode 100644 index 000000000..38974eeda --- /dev/null +++ b/plays/aws_region/aws_region.yml @@ -0,0 +1,17 @@ +--- +# Global infra setup. +- hosts: localhost + connection: local + become: false + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/_common" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/{{ _env_type }}" + # used for tagging + _profile: core + roles: + - _init + - _meta/aws_region + - _exit diff --git a/plays/controller/README.md b/plays/controller/README.md new file mode 100644 index 000000000..f27e06a85 --- /dev/null +++ b/plays/controller/README.md 
@@ -0,0 +1,31 @@ +# Base playbook for setting up an infra controller. +This playbook provides a model for managing an Ansible infra controller with ce-provision based at AWS. + +If your server is not in AWS or you are not using the AWS EC2 inventory plugin, you must ensure your server's hostname is in your Ansible hosts file (`config/hosts/hosts` or `hosts.yml`) and provide the same hostname in the `_provision_host` variable. Then call `provision.yml` directly, for example: + +```yaml +--- +- name: Configure my controller server. + ansible.builtin.import_playbook: "{{ _ce_provision_base_dir }}/plays/controller/provision.yml" + vars: + _env_type: util + _provision_host: controller.acme.com + _profile: controller +``` + +If you are using the AWS EC2 inventory plugin and the Code Enigme recommended set-up, you must provide the `_aws_resource_name` variable - note, this is hyphenated, no dots - and call `aws_controller.yml`, for example: + +```yaml +--- +- name: Configure my controller server at AWS. + ansible.builtin.import_playbook: "{{ _ce_provision_base_dir }}/plays/controller/aws_controller.yml" + vars: + _env_type: util + _aws_region: eu-west-1 + _aws_resource_name: controller-acme-com + _profile: controller +``` + +This will create or find an EC2 instance with the AWS tag of `Name: controller-acme-com` which will be in an inventory group called `_controller_acme_com`. + +@TODO provide example infra repo for use with the AWS EC2 inventory plugin. diff --git a/plays/controller/aws_controller.yml b/plays/controller/aws_controller.yml new file mode 100644 index 000000000..2c3380008 --- /dev/null +++ b/plays/controller/aws_controller.yml @@ -0,0 +1,7 @@ +--- +# Creates hosts entry so play isn't skipped. +- ansible.builtin.import_playbook: ../aws_ec2_standalone/launch.yml +# Spins up the instance. +- ansible.builtin.import_playbook: ../aws_ec2_standalone/ec2.yml +# Actual provisioning +- ansible.builtin.import_playbook: provision.yml 
diff --git a/plays/controller/provision.yml b/plays/controller/provision.yml new file mode 100644 index 000000000..7ef6c54ea --- /dev/null +++ b/plays/controller/provision.yml @@ -0,0 +1,22 @@ +--- +- hosts: "{{ _provision_host | default('_' + _aws_resource_name | regex_replace('-', '_')) }}" + become: true + + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/_common" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/{{ _env_type }}" + - "{{ _ce_provision_build_dir }}/vars/{{ _aws_resource_name }}" + _profile: controller + + tasks: + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: _meta/aws_client_instance + - ansible.builtin.import_role: + name: _meta/controller + - ansible.builtin.import_role: + name: _exit diff --git a/plays/deploy/README.md b/plays/deploy/README.md new file mode 100644 index 000000000..498355b3e --- /dev/null +++ b/plays/deploy/README.md 
@@ -0,0 +1,31 @@ +# Base playbook for setting up a deploy server. +This playbook provides a model for managing an Ansible application deployment server with ce-deploy based at AWS. + +If your server is not in AWS or you are not using the AWS EC2 inventory plugin, you must ensure your server's hostname is in your Ansible hosts file (`config/hosts/hosts` or `hosts.yml`) and provide the same hostname in the `_provision_host` variable. Then call `provision.yml` directly, for example: + +```yaml +--- +- name: Configure my deploy server. + ansible.builtin.import_playbook: "{{ _ce_provision_base_dir }}/plays/deploy/provision.yml" + vars: + _env_type: util + _provision_host: deploy.acme.com + _profile: deploy +``` + +If you are using the AWS EC2 inventory plugin and the Code Enigme recommended set-up, you must provide the `_aws_resource_name` variable - note, this is hyphenated, no dots - and call `aws_deploy.yml`, for example: + +```yaml +--- +- name: Configure my deploy server at AWS. + ansible.builtin.import_playbook: "{{ _ce_provision_base_dir }}/plays/deploy/aws_deploy.yml" + vars: + _env_type: util + _aws_region: eu-west-1 + _aws_resource_name: deploy-acme-com + _profile: deploy +``` + +This will create or find an EC2 instance with the AWS tag of `Name: deploy-acme-com` which will be in an inventory group called `_deploy_acme_com`. + +@TODO provide example infra repo for use with the AWS EC2 inventory plugin. diff --git a/plays/deploy/aws_deploy.yml b/plays/deploy/aws_deploy.yml new file mode 100644 index 000000000..2c3380008 --- /dev/null +++ b/plays/deploy/aws_deploy.yml @@ -0,0 +1,7 @@ +--- +# Creates hosts entry so play isn't skipped. +- ansible.builtin.import_playbook: ../aws_ec2_standalone/launch.yml +# Spins up the instance. +- ansible.builtin.import_playbook: ../aws_ec2_standalone/ec2.yml +# Actual provisioning +- ansible.builtin.import_playbook: provision.yml 
diff --git a/plays/deploy/provision.yml b/plays/deploy/provision.yml new file mode 100644 index 000000000..4d4baac7e --- /dev/null +++ b/plays/deploy/provision.yml @@ -0,0 +1,22 @@ +--- +- hosts: "{{ _provision_host | default('_' + _aws_resource_name | regex_replace('-', '_')) }}" + become: true + + vars: + _init: + vars_dirs: + - "{{ _ce_provision_build_dir }}/vars/_global" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/_common" + - "{{ _ce_provision_build_dir }}/vars/_regions/{{ _aws_region }}/{{ _env_type }}" + - "{{ _ce_provision_build_dir }}/vars/{{ _aws_resource_name }}" + _profile: deploy + + tasks: + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: _meta/aws_client_instance + - ansible.builtin.import_role: + name: _meta/deploy + - ansible.builtin.import_role: + name: _exit diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index 5c2d85d42..5a106ce4c 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml @@ -13,6 +13,12 @@ _ce_ansible_timer_name: upgrade_ansible #_aws_profile: example # boto profile name #_aws_region: eu-west-1 +# AWS tags +_aws_resource_name: "" # Name +# _profile: web_server # Profile +# _env_type: dev # Env +# _infra_name: acme # Infra + _init: # A list of var directories to include. We only support .yml extensions. # This is used to detect if the playbook must re-run or not. diff --git a/roles/debian/firewall_config/defaults/main.yml b/roles/debian/firewall_config/defaults/main.yml index 7c9193af6..4ccc5600f 100644 --- a/roles/debian/firewall_config/defaults/main.yml +++ b/roles/debian/firewall_config/defaults/main.yml @@ -13,6 +13,7 @@ firewall_config: rulesets: - ssh_open - web_open + - common_network # rule always needs to be last so the DROP rules in the OUTPUT chain get applied at the end # Ruleset definitions # Permitted rule lists 
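Review bot: in plays/aws_asg/ami.yml the first task runs `apt upgrade: dist` with `update_cache: true` unconditionally before `_init`, so every Packer run bakes whatever package versions the mirror serves that day and two builds of the same resource can differ silently. If that is intended, record the resulting package list (for example a `dpkg -l` capture) as a build artifact so an AMI can be audited later; otherwise gate the upgrade behind a variable. That task also has a `name` while none of the `import_role` tasks below it do, which makes the Packer log hard to follow.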
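Review bot: plays/aws_ec2_standalone/ami.yml imports `debian/user_provision` into the image, so whatever that role installs for the provision user (the commit log above mentions adding SSH keys to the provision user) is frozen into the AMI and inherited by every instance launched from it. Add a comment stating that the AMI must stay private to the account and that rotating the provision key means re-packing, or move key installation into `provision.yml` so it happens on the running instance instead.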
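Review bot: plays/aws_ec2_standalone/launch.yml templates `_infra_name` and `_env_type` unconditionally in `ami_groups`, and every play templates `_aws_region` in `vars_dirs`, but the `roles/_init/defaults/main.yml` hunk only adds `_aws_resource_name: ""` and leaves `_profile`, `_env_type` and `_infra_name` as comments. A run that forgets one of them dies with an undefined-variable error from inside `add_host` rather than a clear message; add an `ansible.builtin.assert` on those variables at the top of launch.yml. Separately, with the new empty-string default the last `vars_dirs` entry collapses to `.../vars/`, so if `_init` includes every `.yml` under a listed directory an unset resource name would pull in the whole vars tree; fail fast when `_aws_resource_name` is empty.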
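Review bot: in plays/aws_ec2_standalone/mysql_client.yml the `rds_instance_info` result is registered as `_database_info` but nothing in the play reads it, and `community.aws.rds_instance_info` returns an empty `instances` list rather than failing when the identifier does not exist, so a missing RDS instance lets the play carry on into `debian/mysql_client` with no endpoint. Either comment that the role consumes `_database_info` or add an `ansible.builtin.assert` with `that: _database_info.instances | length == 1` before the import.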
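Review bot: plays/aws_ec2_standalone/rds.yml indexes `_aws_rds_vpc.vpcs[0].vpc_id` straight after the lookup, so no matching VPC produces an obscure list-index error and two VPCs sharing the `Name` tag silently pick the first; assert `_aws_rds_vpc.vpcs | length == 1` first. The next task is named "Gather public subnet information" but its filter is `tag:Profile: "core"` with nothing selecting public subnets, and an RDS instance should normally land in private subnets anyway; rename the task to what the filter does and document that `Profile=core` subnets are expected to be private. This play also reads `aws_rds.aws_profile` / `aws_rds.region` while mysql_client.yml uses `_aws_profile` / `_aws_region` for the same account; pick one source.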
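Review bot: plays/aws_ec2_standalone/server.yml is missing the leading `---` every other play in this patch has, and the comment "We use the central _deploy role to provision the EC2 instance to avoid duplication" sits above an import of `ec2.yml`, which imports `aws/aws_ami` and `aws/aws_ec2_with_eip`, not a `_deploy` role; update the comment.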
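Review bot: both plays/controller/README.md and plays/deploy/README.md spell the company "Code Enigme". More importantly, their non-AWS example sets only `_env_type`, `_provision_host` and `_profile`, yet the matching `provision.yml` still templates `{{ _aws_region }}` and `{{ _aws_resource_name }}` into `vars_dirs`, and `_aws_region` is only a comment in `roles/_init/defaults/main.yml`, so the example fails on an undefined variable unless `_aws_region` is set somewhere else. Either document that `_aws_region` is required even off AWS or build `vars_dirs` conditionally.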
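Review bot: the comment on `- common_network` in `firewall_config.rulesets` says it "always needs to be last", but nothing enforces that. Its rules are `iptables -A OUTPUT ... -j DROP` for 1025:65535, so any ruleset appended after it (the new `prometheus_server_scraping` ports 9100/9101/9093/9115, or `common_web` 2049/3306) is never reached, and a host that overrides `rulesets` with `common_network` anywhere but last loses those ports silently. Have the role emit the DROP rules in a final step after all rulesets rather than relying on list order.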
@@ -43,6 +44,29 @@ firewall_config: letsencrypt: firewall_allowed_tcp_ports: - "80" + # Standard ports for Prometheus outbound rules to allow scraping of exporters + prometheus_server_scraping: + firewall_additional_rules: + - "iptables -A OUTPUT -p tcp --dport 9100 -j ACCEPT" # allow scraping node exporter + - "iptables -A OUTPUT -p tcp --dport 9101 -j ACCEPT" # allow scraping process exporter + - "iptables -A OUTPUT -p tcp --dport 9093 -j ACCEPT" # allow posting to alertmanager + - "iptables -A OUTPUT -p tcp --dport 9115 -j ACCEPT" # allow scraping blackbox exporter + # Commonly required outbound ports for PHP web servers + common_web: + firewall_additional_rules: + - "iptables -A OUTPUT -p tcp --dport 2049 -j ACCEPT" # allow NFS + - "iptables -A OUTPUT -p udp --dport 2049 -j ACCEPT" # allow NFS + - "iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT" # allow MySQL + # Recommended general firewall settings + common_network: + firewall_additional_rules: + - "iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" # ICMP ping in + - "iptables -A INPUT -p icmp --icmp-type 128 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" # ICMP ping in + - "iptables -A OUTPUT -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT" # ICMP ping out + - "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" # established connections out + - "iptables -A OUTPUT -o lo -j ACCEPT" # allow all local traffic + - "iptables -A OUTPUT -p tcp --dport 1025:65535 -j DROP" # block high port tcp traffic outbound + - "iptables -A OUTPUT -p udp --dport 1025:65535 -j DROP" # block high port udp traffic outbound ossec: firewall_allowed_udp_ports: - "1514" From 537b60ef7f2c6aee78b0d528bd2afcf362254612 Mon Sep 17 00:00:00 2001 
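Review bot: in the `common_network` ruleset the rule `iptables -A INPUT -p icmp --icmp-type 128 ...` does nothing useful: type 128 is the ICMPv6 Echo Request, and `iptables -p icmp` only matches ICMPv4, where type 8 is already accepted on the line above. If IPv6 ping should be allowed it needs `ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT`; otherwise drop the line. Also, `-m state` is the legacy match (`-m conntrack --ctstate` is the current equivalent), and the outbound echo-reply rule (`--icmp-type 0 ... ESTABLISHED,RELATED`) is already covered by the generic `ESTABLISHED,RELATED` ACCEPT that follows it.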
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 13 Jan 2025 10:40:49 +0100 Subject: [PATCH 313/331] Documentation update - 2.x (#2208) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. 
* Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. 
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. 
(#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation.
(#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." 
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. 
* Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. 
* Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. 
* Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. 
* Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. 
* Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. 
* Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. 
* Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. 
* Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." 
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. 
* Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. 
* Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Publish docs pr devel 2.x (#2165) * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. 
* Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. 
* Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. 
* Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. 
* Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. 
* Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. 
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Publish docs pr devel 2.x (#2167) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. 
* Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. 
* Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. 
* _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. 
* Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. 
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2…
* Publish docs pr devel 2.x (#2169)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* 
Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. 
* Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. 
* Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search

---------

Co-authored-by: Matej Stajduhar

* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable

---------

Co-authored-by: Matej Stajduhar

* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan

---------

Co-authored-by: Matej Stajduhar

* Matching-2.x-and-devel-branches (#1999)

Co-authored-by: Matej Stajduhar

* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name

---------

Co-authored-by: Matej Stajduhar

* Resolving-conflicts (#2015)

Co-authored-by: Matej Stajduhar

* Resolving-conflicts (#2018)

Co-authored-by: Matej Stajduhar

* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash

---------

Co-authored-by: Matej Stajduhar

* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)

Co-authored-by: Matej Stajduhar

* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)

Co-authored-by: Matej Stajduhar

* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)

Co-authored-by: Matej Stajduhar

* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks

---------

Co-authored-by: Matej Stajduhar

* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)

Co-authored-by: Matej Stajduhar

* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task

---------

Co-authored-by: Matej Stajduhar

* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)

Co-authored-by: Matej Stajduhar

* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)

Co-authored-by: Matej Stajduhar

* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2

---------

Co-authored-by: Matej Stajduhar

* Fixing-non-utf8-item (#2116)

Co-authored-by: Matej Stajduhar

* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition

---------

Co-authored-by: Matej Stajduhar

* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role

---------

Co-authored-by: Matej Stajduhar

* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2

---------

Co-authored-by: Matej Stajduhar

* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
---------

Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com>
Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com>
Co-authored-by: Matej Stajduhar
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Co-authored-by: Klaus Purer
Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com>
Co-authored-by: filip

* Publish docs pr devel 2.x (#2170)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2

---------

Co-authored-by: Matej Stajduhar

* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2

---------

Co-authored-by: Matej Stajduhar

* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)

Co-authored-by: Matej Stajduhar

* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority

---------

Co-authored-by: Matej Stajduhar

* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update

---------

Co-authored-by: Matej Stajduhar

* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)

Co-authored-by: Matej Stajduhar

* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)

Co-authored-by: Matej Stajduhar

* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)

Co-authored-by: Matej Stajduhar

* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue

---------
Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. 
* Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. 
* Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. 
* Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. 
* Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. 
* r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. * Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. 
* Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. 
* Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. 
* Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. 
* Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Making the publish docs CI work with 1.x and 2.x.
---------
Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com>
Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com>
Co-authored-by: Matej Stajduhar
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
Co-authored-by: Klaus Purer
Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com>
Co-authored-by: filip
* Publish docs pr devel 2.x (#2172)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_childen to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_childen to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provisin.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Rem…
* Publish docs pr devel 2.x (#2173)
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority

---------

Co-authored-by: Matej Stajduhar

* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update

---------

Co-authored-by: Matej Stajduhar

* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)

Co-authored-by: Matej Stajduhar

* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)

Co-authored-by: Matej Stajduhar

* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)

Co-authored-by: Matej Stajduhar

* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue

---------

Co-authored-by: Matej Stajduhar

* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update

---------

Co-authored-by: Matej Stajduhar

* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting

---------

Co-authored-by: Matej Stajduhar

* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)

Co-authored-by: Matej Stajduhar

* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json

---------

Co-authored-by: Matej Stajduhar

* updating asg role to support custom rule on http and https (#1959)

Co-authored-by: filip

* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role

---------

Co-authored-by: filip

* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* …
* Publish docs pr devel 2.x (#2175)
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* …
* Publish docs pr devel 2.x (#2176)
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aw… * Publish docs pr devel 2.x (#2178) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * 
Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. 
* Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
…
* Publish docs pr devel 2.x (#2180)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed.
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles.
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment f…
* Publish docs pr devel 2.x (#2182)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
…
* Publish docs pr devel 2.x (#2183)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring…
* Publish docs pr devel 2.x (#2185)
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a0140…
* Publish docs pr devel 2.x (#2188)
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. 
* Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. * Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. 
* Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. 
* Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. 
* Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via …
* Publish docs pr devel 2.x (#2192)
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. 
* Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. 
* Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. 
* Revert "Fixing ansible-… --------- Co-authored-by: Greg Harvey Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip From bf90d80c20bb34edc774b9459779acd6a4e29650 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Mon, 13 Jan 2025 16:34:09 +0100 Subject: [PATCH 314/331] Enhanced quick start pr 2.x (#2211) * Added more generic firewall rules that might be useful. * Added an update step to the installer. * Providing some default playbooks people can use in ce-provision. * Slight docs tweak for showtime! * Modernising hostname handling to use systemd. * Switching default key type to ED25519 because it is supported by both Debian and GitLab. * Switching to ED25519 SSH keys and adding hostname and hosts handling to installer. * Adding iproute2 package so hosts role works. * Also need an apt-get update in CI. * Change of plan, stop hosts running in containers. * Small inline docs change. * Providing sane defaults for VPC security groups. * Making key name dynamic in the installer. * Error in variable namespace. --- install.sh | 36 ++++-- roles/_init/defaults/main.yml | 1 + roles/aws/aws_ami/defaults/main.yml | 2 +- roles/aws/aws_vpc/defaults/main.yml | 133 ++++++++++++++++++-- roles/debian/ce_deploy/defaults/main.yml | 6 +- roles/debian/ce_provision/defaults/main.yml | 6 +- roles/debian/hosts/tasks/main.yml | 12 +- roles/debian/hosts/templates/hostname.j2 | 1 - 8 files changed, 160 insertions(+), 37 deletions(-) delete mode 100644 roles/debian/hosts/templates/hostname.j2 diff --git a/install.sh b/install.sh index 94fc15548..8ecf56643 100755 --- a/install.sh +++ b/install.sh 
@@ -15,6 +15,7 @@ usage(){ /usr/bin/echo '--user: Ansible controller user (default: controller)' /usr/bin/echo '--config: Git URL to your ce-provision Ansible config repository (default: https://github.com/codeenigma/ce-provision-config-example.git)' /usr/bin/echo '--config-branch: branch of your Ansible config repository to use (default: 2.x)' + /usr/bin/echo '--hostname: the server hostname to set (default: depends on system or provider)' /usr/bin/echo '--no-firewall: skip installing iptables with ports 22, 80 and 443 open' /usr/bin/echo '--gitlab: install GitLab CE on this server (default: no, set to desired GitLab address to install, e.g. gitlab.example.com)' /usr/bin/echo '--letsencrypt: try to create an SSL certificate with LetsEncrypt (requires DNS pointing at this server for provided GitLab URL)' @@ -43,6 +44,10 @@ parse_options(){ shift CONFIG_REPO_BRANCH="$1" ;; + "--hostname") + shift + SERVER_HOSTNAME="$1" + ;; "--gitlab") shift GITLAB_URL="$1" @@ -83,11 +88,6 @@ SERVER_HOSTNAME=$(hostname) # Parse options. parse_options "$@" -# Set the hostname for Git email to our GitLab URL, if set. -if [ "$GITLAB_URL" != "no" ]; then - SERVER_HOSTNAME=$GITLAB_URL -fi - # Check root user. if [ "$(id -u)" -ne 0 ] then echo "Please run this script as root or using sudo!" @@ -175,6 +175,10 @@ fi vars_files: - vars.yml tasks: + - name: Configure system hosts file. + ansible.builtin.import_role: + name: debian/hosts + when: not is_local - name: Install ce-provision. ansible.builtin.import_role: name: debian/ce_provision @@ -188,6 +192,10 @@ EOL _domain_name: ${SERVER_HOSTNAME} _ce_provision_data_dir: /home/${CONTROLLER_USER}/ce-provision/data _ce_provision_username: ${CONTROLLER_USER} +hosts_hostname: ${SERVER_HOSTNAME} +hosts_entries: + - name: ${SERVER_HOSTNAME} + ip: 127.0.0.1 ce_provision: venv_path: /home/${CONTROLLER_USER}/ce-python venv_command: /usr/bin/python3 -m venv 
@@ -197,8 +205,8 @@ ce_provision: new_user: ${CONTROLLER_USER} username: ${CONTROLLER_USER} ssh_key_bits: "521" - ssh_key_type: ecdsa - public_key_name: id_ecdsa.pub + ssh_key_type: ed25519 + public_key_name: id_ed25519.pub own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "${VERSION}" own_repository_skip_checkout: false @@ -231,7 +239,7 @@ user_provision: groups: - bypass2fa ssh_keys: - - "{{ lookup('file', '/home/${CONTROLLER_USER}/ce-provision/data/localhost/home/${CONTROLLER_USER}/.ssh/id_ecdsa.pub') }}" + - "{{ lookup('file', '/home/${CONTROLLER_USER}/ce-provision/data/localhost/home/${CONTROLLER_USER}/.ssh/' + ce_provision.public_key_name) }}" ssh_private_keys: [] known_hosts: [] known_hosts_hash: true @@ -296,6 +304,10 @@ if [ "$GITLAB_URL" != "no" ]; then vars_files: - vars.yml tasks: + - name: Configure system hosts file. + ansible.builtin.import_role: + name: debian/hosts + when: not is_local - name: Install GitLab Runner. ansible.builtin.import_role: name: debian/gitlab_runner @@ -307,6 +319,12 @@ EOL /bin/cat >"/home/$CONTROLLER_USER/ce-provision/vars.yml" << EOL --- _domain_name: ${SERVER_HOSTNAME} +hosts_hostname: ${SERVER_HOSTNAME} +hosts_entries: + - name: ${SERVER_HOSTNAME} + ip: 127.0.0.1 + aliases: + - ${GITLAB_URL} gitlab_runner: apt_origin: "origin=packages.gitlab.com/runner/gitlab-runner,codename=\${distro_codename},label=gitlab-runner" # used by apt_unattended_upgrades apt_signed_by: https://packages.gitlab.com/runner/gitlab-runner/gpgkey @@ -341,7 +359,7 @@ gitlab: private_projects: true unicorn_worker_processes: 2 puma_worker_processes: 2 - initial_root_password: "Ch@ng3m3" + initial_root_password: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits') }}" ldap: enable: false mattermost: false diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index 5a106ce4c..cfee2615b 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml 
@@ -12,6 +12,7 @@ _ce_ansible_timer_name: upgrade_ansible # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 +_aws_vpc_cidr_base: 10.0 # AWS tags _aws_resource_name: "" # Name diff --git a/roles/aws/aws_ami/defaults/main.yml b/roles/aws/aws_ami/defaults/main.yml index c828adaec..64908bacf 100644 --- a/roles/aws/aws_ami/defaults/main.yml +++ b/roles/aws/aws_ami/defaults/main.yml @@ -9,7 +9,7 @@ aws_ami: ami_name: "example" owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" - public_key_name: id_ecdsa.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated + public_key_name: id_ed25519.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated encrypt_boot: false # EBS volume options device_name: /dev/xvda # default for Debian AMIs diff --git a/roles/aws/aws_vpc/defaults/main.yml b/roles/aws/aws_vpc/defaults/main.yml index cc2ae84be..0642713d2 100644 --- a/roles/aws/aws_vpc/defaults/main.yml +++ b/roles/aws/aws_vpc/defaults/main.yml 
@@ -2,20 +2,129 @@ aws_vpc: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" name: example-vpc-2 - cidr_block: "10.0.0.0/16" + cidr_block: "{{ _aws_vpc_cidr_base }}.0.0/16" # ipv6_cidr: true # uncomment to request an Amazon-provided IPv6 CIDR block with /56 prefix length. tags: {} #Type: "util" state: present assign_instances_ipv6: false - security_groups: - [] - # - name: web - open - # description: Allow all incoming traffic on ports 80 and 443 - # rules: - # - proto: tcp - # ports: - # - 80 - # - 443 - # cidr_ip: 0.0.0.0/0 - # rule_desc: Allow all incoming traffic on ports 80 and 443 + # List of security groups to create in this VPC, see below for example structure. + security_groups: "{{ _security_groups_defaults }}" + +# Load common security groups below into a list to use with the aws_vpc.security_groups variable. +_security_groups_defaults: + - "{{ _common_security_groups.common_network }}" + - "{{ _common_security_groups.ssh_open }}" + - "{{ _common_security_groups.web_open }}" + - "{{ _common_security_groups.mailpit_open }}" + - "{{ _common_security_groups.ftp_open }}" + - "{{ _common_security_groups.sftp_open }}" + - "{{ _common_security_groups.ossec }}" + - "{{ _common_security_groups.openvpn }}" + +# Here is a set of example and commonly required security groups. +# This closely follows our common firewall rules in roles/debian/firewall_config. +_common_security_groups: + common_network: + name: common_network + description: Common network access configuration for all servers. + rules: + - proto: icmp + from_port: 8 # ICMP type (8 is IPv4 echo) + to_port: -1 # ICMP subtype (-1 for any) + cidr_ip: 0.0.0.0/0 + rule_desc: Allow ICMP IPv4 ping. + - proto: icmp + from_port: 128 # ICMP type (128 is IPv6 echo) + to_port: -1 # ICMP subtype (-1 for any) + cidr_ipv6: "::/0" + rule_desc: Allow ICMP IPv6 ping. 
+ - proto: tcp + cidr_ip: "{{ _aws_vpc_cidr_base }}.0.0/16" # see _init - 10.0.0.0/16 by default + ports: + - 0-65535 + rule_desc: Allow all tcp traffic on internal network. + - proto: udp + cidr_ip: "{{ _aws_vpc_cidr_base }}.0.0/16" + ports: + - 0-65535 + rule_desc: Allow all udp traffic on internal network. + rules_egress: + - proto: tcp + cidr_ip: 0.0.0.0/0 + ports: + - 1-1024 + - 2049 + rule_desc: Allow ports 1-1024 and 2049 for NFS over tcp as standard. + - proto: udp + cidr_ip: 0.0.0.0/0 + ports: + - 1-1024 + rule_desc: Allow ports 1-1024 over udp as standard. + ssh_open: + name: ssh_open + description: Allow all incoming traffic on port 22. + rules: + - proto: tcp + ports: + - 22 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on port 22. + web_open: + name: web_open + description: Allow all incoming web traffic on ports 80 and 443. + rules: + - proto: tcp + ports: + - 80 + - 443 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 80 and 443. + mailpit_open: + name: mailpit_open + description: Allow all incoming traffic on port 8025 for Mailpit. + rules: + - proto: tcp + ports: + - 8025 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on port 8025. + ftp_open: + name: ftp_open + description: Allow all incoming traffic on ports 20 and 21 for FTP. + rules: + - proto: tcp + ports: + - 20 + - 21 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 20 and 21. + sftp_open: + name: sftp_open + description: Allow all incoming traffic on ports 989 and 990 for sFTP. + rules: + - proto: tcp + ports: + - 898 + - 990 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 989 and 990. + ossec: + name: ossec + description: Allow all incoming traffic on ports 1514 and 1515 for OSSEC. + rules: + - proto: udp + ports: + - 1514 + - 1515 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming udp traffic on ports 1514 and 1515. 
+ openvpn: + name: openvpn + description: Allow all incoming traffic on port 1194 for OpenVPN. + rules: + - proto: udp + ports: + - 1194 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming udp traffic on port 1194. diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index b4af9748b..c54c30192 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -12,9 +12,9 @@ ce_deploy: # Other ce-deploy settings. aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user - ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys - ssh_key_type: ecdsa # set to rsa to create an RSA key - public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name + ssh_key_bits: "521" # ignored for ED25519 keys, recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ed25519 # set to rsa to create an RSA key or ecdsa to create an ECDSA key + public_key_name: id_ed25519.pub # this might be id_rsa.pub for RSA keys or id_ecdsa.pub for ECDSA keys, existing users may have a key of a different name username: "{{ _ce_deploy.username }}" own_repository: "https://github.com/codeenigma/ce-deploy.git" own_repository_branch: "master" diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index a0048a3bf..121244dee 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml 
@@ -12,9 +12,9 @@ ce_provision: new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user username: "{{ _ce_provision_username }}" # see _init defaults #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user - ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys - ssh_key_type: ecdsa # set to rsa to create an RSA key - public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name + ssh_key_bits: "521" # ignored for ED25519 keys, recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ed25519 # set to rsa to create an RSA key or ecdsa to create an ECDSA key + public_key_name: id_ed25519.pub # this might be id_rsa.pub for RSA keys or id_ecdsa.pub for ECDSA keys, existing users may have a key of a different name # Main repo. own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "master" diff --git a/roles/debian/hosts/tasks/main.yml b/roles/debian/hosts/tasks/main.yml index fc8d9b80f..6d902fbfc 100644 --- a/roles/debian/hosts/tasks/main.yml +++ b/roles/debian/hosts/tasks/main.yml @@ -23,14 +23,10 @@ path: "{{ cloud_init_file.stat.path }}" regexp: "manage_etc_hosts: true" line: "manage_etc_hosts: false" - when: - - cloud_init_file.stat.exists + when: cloud_init_file.stat.exists - name: Set system hostname. - ansible.builtin.template: - src: hostname.j2 - dest: /etc/hostname - owner: root - group: root - mode: 0644 + ansible.builtin.hostname: + name: "{{ hosts_hostname }}" + use: systemd when: hosts_hostname | length > 0 diff --git a/roles/debian/hosts/templates/hostname.j2 b/roles/debian/hosts/templates/hostname.j2 deleted file mode 100644 index 6c9f6f6d9..000000000 --- a/roles/debian/hosts/templates/hostname.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ hosts_hostname }} 
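Review bot: dropping the implicit `SERVER_HOSTNAME=$GITLAB_URL` override in the `@@ -83,11 +88,6 @@` hunk of install.sh is a behaviour change for anyone who relied on the GitLab address becoming `_domain_name`; since `--hostname` is the replacement, the `--gitlab` usage line (or the quick start docs) should say that `--hostname` must now be passed explicitly when the GitLab address is also meant to be the machine hostname. In the `"--hostname")` case, passing the option as the last argument leaves `SERVER_HOSTNAME` empty after the `shift`, which silently skips the hostname task via the `hosts_hostname | length > 0` guard; a check such as `[ -n "$1" ] || { usage; exit 1; }` would fail loudly instead.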
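Review bot: the new `Configure system hosts file.` task in both generated playbooks (`@@ -175,6 +175,10 @@` and `@@ -296,6 +304,10 @@`) is guarded by `when: not is_local`, but nothing in this patch puts `is_local` into the generated `vars.yml`; if it is not defined elsewhere the play aborts with an undefined-variable error before the hosts role runs. `when: not (is_local | default(false))` would be safer, or the patch should document where `is_local` is expected to be set.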
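Review bot: the generated `hosts_entries` (`@@ -188,6 +192,10 @@` and `@@ -307,6 +319,12 @@`) map the server's own name to `127.0.0.1`; Debian's convention is `127.0.1.1` for the machine's hostname, and resolving the FQDN to `127.0.0.1` means any service that looks up its own hostname to choose a bind or source address lands on loopback. In the runner playbook the GitLab URL is added as an alias on the same line, so a runner on this box reaches GitLab over loopback, which is presumably intended, but if `--hostname` is given the same value as `--gitlab` the name appears twice on one line; wrapping the `aliases:` block in `if [ "$SERVER_HOSTNAME" != "$GITLAB_URL" ]` keeps the file clean.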
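Review bot: switching `ssh_key_type` and `public_key_name` to ED25519 in `@@ -197,8 +205,8 @@` while keeping `ssh_key_bits: "521"` is harmless (the role defaults now say bits are ignored for ED25519) but confusing in a generated file. The bigger concern is the upgrade path: a controller installed with the previous version has `id_ecdsa.pub` on disk, and after re-running the installer the `user_provision` lookup in `@@ -231,7 +239,7 @@` looks for `ce_provision.public_key_name`, now `id_ed25519.pub`. Unless the `ce_provision` role generates a key whenever the named one is missing, that `lookup('file', ...)` fails; either way the docs should tell existing installs to expect a new controller key that has to be added to GitLab and to target servers.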
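Review bot: replacing the hard-coded `initial_root_password: "Ch@ng3m3"` with `lookup('password', '/tmp/passwordfile chars=ascii_letters,digits')` in `@@ -341,7 +359,7 @@` is a clear improvement, but the generated secret is then written in clear text to `/tmp/passwordfile`, a shared directory that is typically emptied on reboot, and nothing tells the operator where to find it. Consider a path under `/root` or the controller user's home (whatever mode the lookup gives the file, the parent directory matters too), and print or document after install where the initial root password is stored and that it should be changed on first login.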
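Review bot: `_aws_vpc_cidr_base: 10.0` in the `roles/_init/defaults/main.yml` hunk is parsed by YAML as the float 10.0, not the string "10.0". The default renders correctly by accident, but an override such as `10.10` becomes the float 10.1, so `"{{ _aws_vpc_cidr_base }}.0.0/16"` in the aws_vpc defaults yields `10.1.0.0/16`, a different network from the one the operator asked for (`10.100` collapses the same way). Quote it (`_aws_vpc_cidr_base: "10.0"`) and say in the comment that the value must be a quoted string.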
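Review bot: in the `sftp_open` group of the `roles/aws/aws_vpc/defaults/main.yml` hunk the rule opens port `898` where the name, description and `rule_desc` all say 989 (typo), and 989/990 are FTPS (FTP over TLS) ports, not SFTP, which runs over SSH on 22; renaming the group `ftps_open` avoids a wrong group being attached later. Other points in the same hunk: `ossec` lists 1515 as udp, but OSSEC agent enrolment (ossec-authd) listens on tcp 1515, so that rule never matches the traffic it is meant for; the IPv6 ping rule combines `proto: icmp` with `cidr_ipv6`, whereas IPv6 echo is ICMPv6, which the EC2 API exposes as protocol `icmpv6`, so this wants checking against a real apply; `rules_egress` on `common_network` replaces the security group's default allow-all egress with 1-1024 plus 2049, so outbound connections to anything on a higher port, including MySQL/Aurora 3306, Redis 6379 or Mailpit 8025 inside the VPC, are dropped unless another attached group allows them; and `_security_groups_defaults` creates world-open FTP (20/21), Mailpit (8025) and FTPS groups in every VPC by default. Creating a group does not attach it, but a default list of `common_network`, `ssh_open` and `web_open`, with the rest left as documented opt-ins, would be the safer baseline.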
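Review bot: `ansible.builtin.hostname` with `use: systemd` in the `roles/debian/hosts/tasks/main.yml` hunk needs a running systemd (it goes through hostnamectl), so the role now fails in containers and chroots where the old template written to `/etc/hostname` worked. That matches the `when: not is_local` guard added to the installer, but because the role can be included from other playbooks, a comment on the task or a line in the role README should state the requirement; keeping the `when: hosts_hostname | length > 0` guard is fine.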
From 5de8638da417be75c8b0e1497d45e1b68fe6b6c0 Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Mon, 13 Jan 2025 18:01:15 +0100
Subject: [PATCH 315/331] Publish docs pr 2.x (#2216)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. 
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr devel 2.x (#2165)
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4
---------
Co-authored-by: Matej Stajduhar
* Remvoing-scp-extra-args-temporary (#1761)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1765)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Making the publish docs CI work with 1.x and 2.x. * Only run when PRs are closed. * Simplifying installer script. * Separating script to build table of contents for Hugo and enhancing CI. * Forgot to add and commit changes to docs. * Adding safe directory for checked out code and changing order. * Trying to automate creating a PR instead of a commit. * Removing obsolete third party action in favour of GH CLI. * Forgot the PR body text which is required. * Moving docs head ref check to whole job, not step. * Deleting obsolete docs workflow. * Create a PR for devel and main, and better error handling. * Very convoluted way to have a dynamic head branch in an 'if' expression. * Need a 'needs' line to make sure context is set first. * Greg - testing updating markdown docs. * Need to push markdown docs to the docs branches. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .../workflows/ce-provision-publish-docs.yml | 5 +- docs/roles/_init.md | 7 + docs/roles/aws/aws_ami.md | 2 +- docs/roles/aws/aws_vpc.md | 133 ++++++++++++++++-- docs/roles/debian/ce_deploy.md | 6 +- docs/roles/debian/ce_provision.md | 6 +- docs/roles/debian/firewall_config.md | 24 ++++ roles/_init/README.md | 7 + roles/aws/aws_ami/README.md | 2 +- roles/aws/aws_vpc/README.md | 133 ++++++++++++++++-- roles/debian/ce_deploy/README.md | 6 +- roles/debian/ce_provision/README.md | 6 +- roles/debian/firewall_config/README.md | 24 ++++ 13 files changed, 321 insertions(+), 40 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index 6bd457aa8..11eb51aa4 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml 
@@ -60,8 +60,9 @@ jobs: run: | /bin/sh contribute/toc.sh /usr/bin/find . -name "*.md" | xargs git add - /usr/bin/git diff --quiet && git diff --staged --quiet || git commit -am "GitHub Actions - updating markdown docs - ${{ steps.date.outputs.date }}" - /usr/bin/git push + /usr/bin/git diff + /usr/bin/git diff --quiet && /usr/bin/git diff --staged --quiet || /usr/bin/git diff --staged --name-only && /usr/bin/git commit -am "GitHub Actions - updating markdown docs - ${{ github.event.repository.updated_at }}" + /usr/bin/git push origin docs-${{ github.event.pull_request.base.ref }} # Create docs pull request - name: Create documentation pull requests diff --git a/docs/roles/_init.md b/docs/roles/_init.md index e619e5656..7dd7ab3fb 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md @@ -22,6 +22,13 @@ _ce_ansible_timer_name: upgrade_ansible # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 +_aws_vpc_cidr_base: 10.0 + +# AWS tags +_aws_resource_name: "" # Name +# _profile: web_server # Profile +# _env_type: dev # Env +# _infra_name: acme # Infra _init: # A list of var directories to include. We only support .yml extensions. diff --git a/docs/roles/aws/aws_ami.md b/docs/roles/aws/aws_ami.md index acc2f10e4..9ab978044 100644 --- a/docs/roles/aws/aws_ami.md +++ b/docs/roles/aws/aws_ami.md @@ -29,7 +29,7 @@ aws_ami: ami_name: "example" owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" - public_key_name: id_ecdsa.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated + public_key_name: id_ed25519.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated encrypt_boot: false # EBS volume options device_name: /dev/xvda # default for Debian AMIs 
diff --git a/docs/roles/aws/aws_vpc.md b/docs/roles/aws/aws_vpc.md index a11d512ed..57ef8041c 100644 --- a/docs/roles/aws/aws_vpc.md +++ b/docs/roles/aws/aws_vpc.md 
@@ -10,23 +10,132 @@ aws_vpc: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" name: example-vpc-2 - cidr_block: "10.0.0.0/16" + cidr_block: "{{ _aws_vpc_cidr_base }}.0.0/16" # ipv6_cidr: true # uncomment to request an Amazon-provided IPv6 CIDR block with /56 prefix length. tags: {} #Type: "util" state: present assign_instances_ipv6: false - security_groups: - [] - # - name: web - open - # description: Allow all incoming traffic on ports 80 and 443 - # rules: - # - proto: tcp - # ports: - # - 80 - # - 443 - # cidr_ip: 0.0.0.0/0 - # rule_desc: Allow all incoming traffic on ports 80 and 443 + # List of security groups to create in this VPC, see below for example structure. + security_groups: "{{ _security_groups_defaults }}" + +# Load common security groups below into a list to use with the aws_vpc.security_groups variable. +_security_groups_defaults: + - "{{ _common_security_groups.common_network }}" + - "{{ _common_security_groups.ssh_open }}" + - "{{ _common_security_groups.web_open }}" + - "{{ _common_security_groups.mailpit_open }}" + - "{{ _common_security_groups.ftp_open }}" + - "{{ _common_security_groups.sftp_open }}" + - "{{ _common_security_groups.ossec }}" + - "{{ _common_security_groups.openvpn }}" + +# Here is a set of example and commonly required security groups. +# This closely follows our common firewall rules in roles/debian/firewall_config. +_common_security_groups: + common_network: + name: common_network + description: Common network access configuration for all servers. + rules: + - proto: icmp + from_port: 8 # ICMP type (8 is IPv4 echo) + to_port: -1 # ICMP subtype (-1 for any) + cidr_ip: 0.0.0.0/0 + rule_desc: Allow ICMP IPv4 ping. + - proto: icmp + from_port: 128 # ICMP type (128 is IPv6 echo) + to_port: -1 # ICMP subtype (-1 for any) + cidr_ipv6: "::/0" + rule_desc: Allow ICMP IPv6 ping. 
+ - proto: tcp + cidr_ip: "{{ _aws_vpc_cidr_base }}.0.0/16" # see _init - 10.0.0.0/16 by default + ports: + - 0-65535 + rule_desc: Allow all tcp traffic on internal network. + - proto: udp + cidr_ip: "{{ _aws_vpc_cidr_base }}.0.0/16" + ports: + - 0-65535 + rule_desc: Allow all udp traffic on internal network. + rules_egress: + - proto: tcp + cidr_ip: 0.0.0.0/0 + ports: + - 1-1024 + - 2049 + rule_desc: Allow ports 1-1024 and 2049 for NFS over tcp as standard. + - proto: udp + cidr_ip: 0.0.0.0/0 + ports: + - 1-1024 + rule_desc: Allow ports 1-1024 over udp as standard. + ssh_open: + name: ssh_open + description: Allow all incoming traffic on port 22. + rules: + - proto: tcp + ports: + - 22 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on port 22. + web_open: + name: web_open + description: Allow all incoming web traffic on ports 80 and 443. + rules: + - proto: tcp + ports: + - 80 + - 443 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 80 and 443. + mailpit_open: + name: mailpit_open + description: Allow all incoming traffic on port 8025 for Mailpit. + rules: + - proto: tcp + ports: + - 8025 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on port 8025. + ftp_open: + name: ftp_open + description: Allow all incoming traffic on ports 20 and 21 for FTP. + rules: + - proto: tcp + ports: + - 20 + - 21 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 20 and 21. + sftp_open: + name: sftp_open + description: Allow all incoming traffic on ports 989 and 990 for sFTP. + rules: + - proto: tcp + ports: + - 898 + - 990 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 989 and 990. + ossec: + name: ossec + description: Allow all incoming traffic on ports 1514 and 1515 for OSSEC. + rules: + - proto: udp + ports: + - 1514 + - 1515 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming udp traffic on ports 1514 and 1515. 
+ openvpn: + name: openvpn + description: Allow all incoming traffic on port 1194 for OpenVPN. + rules: + - proto: udp + ports: + - 1194 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming udp traffic on port 1194. ``` diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md index 743cbf8cd..51083b275 100644 --- a/docs/roles/debian/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md @@ -20,9 +20,9 @@ ce_deploy: # Other ce-deploy settings. aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user - ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys - ssh_key_type: ecdsa # set to rsa to create an RSA key - public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name + ssh_key_bits: "521" # ignored for ED25519 keys, recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ed25519 # set to rsa to create an RSA key or ecdsa to create an ECDSA key + public_key_name: id_ed25519.pub # this might be id_rsa.pub for RSA keys or id_ecdsa.pub for ECDSA keys, existing users may have a key of a different name username: "{{ _ce_deploy.username }}" own_repository: "https://github.com/codeenigma/ce-deploy.git" own_repository_branch: "master" diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md index 6de9e0e9b..b42f10c79 100644 --- a/docs/roles/debian/ce_provision.md +++ b/docs/roles/debian/ce_provision.md 
@@ -21,9 +21,9 @@ ce_provision: new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user username: "{{ _ce_provision_username }}" # see _init defaults #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user - ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys - ssh_key_type: ecdsa # set to rsa to create an RSA key - public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name + ssh_key_bits: "521" # ignored for ED25519 keys, recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ed25519 # set to rsa to create an RSA key or ecdsa to create an ECDSA key + public_key_name: id_ed25519.pub # this might be id_rsa.pub for RSA keys or id_ecdsa.pub for ECDSA keys, existing users may have a key of a different name # Main repo. own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "master" diff --git a/docs/roles/debian/firewall_config.md b/docs/roles/debian/firewall_config.md index 1577b0c12..d91d889f4 100644 --- a/docs/roles/debian/firewall_config.md +++ b/docs/roles/debian/firewall_config.md @@ -61,6 +61,7 @@ firewall_config: rulesets: - ssh_open - web_open + - common_network # rule always needs to be last so the DROP rules in the OUTPUT chain get applied at the end # Ruleset definitions # Permitted rule lists 
@@ -91,6 +92,29 @@ firewall_config: letsencrypt: firewall_allowed_tcp_ports: - "80" + # Standard ports for Prometheus outbound rules to allow scraping of exporters + prometheus_server_scraping: + firewall_additional_rules: + - "iptables -A OUTPUT -p tcp --dport 9100 -j ACCEPT" # allow scraping node exporter + - "iptables -A OUTPUT -p tcp --dport 9101 -j ACCEPT" # allow scraping process exporter + - "iptables -A OUTPUT -p tcp --dport 9093 -j ACCEPT" # allow posting to alertmanager + - "iptables -A OUTPUT -p tcp --dport 9115 -j ACCEPT" # allow scraping blackbox exporter + # Commonly required outbound ports for PHP web servers + common_web: + firewall_additional_rules: + - "iptables -A OUTPUT -p tcp --dport 2049 -j ACCEPT" # allow NFS + - "iptables -A OUTPUT -p udp --dport 2049 -j ACCEPT" # allow NFS + - "iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT" # allow MySQL + # Recommended general firewall settings + common_network: + firewall_additional_rules: + - "iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" # ICMP ping in + - "iptables -A INPUT -p icmp --icmp-type 128 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" # ICMP ping in + - "iptables -A OUTPUT -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT" # ICMP ping out + - "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" # established connections out + - "iptables -A OUTPUT -o lo -j ACCEPT" # allow all local traffic + - "iptables -A OUTPUT -p tcp --dport 1025:65535 -j DROP" # block high port tcp traffic outbound + - "iptables -A OUTPUT -p udp --dport 1025:65535 -j DROP" # block high port udp traffic outbound ossec: firewall_allowed_udp_ports: - "1514" diff --git a/roles/_init/README.md b/roles/_init/README.md index e619e5656..7dd7ab3fb 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md 
@@ -22,6 +22,13 @@ _ce_ansible_timer_name: upgrade_ansible # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 +_aws_vpc_cidr_base: 10.0 + +# AWS tags +_aws_resource_name: "" # Name +# _profile: web_server # Profile +# _env_type: dev # Env +# _infra_name: acme # Infra _init: # A list of var directories to include. We only support .yml extensions. diff --git a/roles/aws/aws_ami/README.md b/roles/aws/aws_ami/README.md index acc2f10e4..9ab978044 100644 --- a/roles/aws/aws_ami/README.md +++ b/roles/aws/aws_ami/README.md @@ -29,7 +29,7 @@ aws_ami: ami_name: "example" owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" - public_key_name: id_ecdsa.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated + public_key_name: id_ed25519.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated encrypt_boot: false # EBS volume options device_name: /dev/xvda # default for Debian AMIs diff --git a/roles/aws/aws_vpc/README.md b/roles/aws/aws_vpc/README.md index a11d512ed..57ef8041c 100644 --- a/roles/aws/aws_vpc/README.md +++ b/roles/aws/aws_vpc/README.md 
@@ -10,23 +10,132 @@ aws_vpc: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" name: example-vpc-2 - cidr_block: "10.0.0.0/16" + cidr_block: "{{ _aws_vpc_cidr_base }}.0.0/16" # ipv6_cidr: true # uncomment to request an Amazon-provided IPv6 CIDR block with /56 prefix length. tags: {} #Type: "util" state: present assign_instances_ipv6: false - security_groups: - [] - # - name: web - open - # description: Allow all incoming traffic on ports 80 and 443 - # rules: - # - proto: tcp - # ports: - # - 80 - # - 443 - # cidr_ip: 0.0.0.0/0 - # rule_desc: Allow all incoming traffic on ports 80 and 443 + # List of security groups to create in this VPC, see below for example structure. + security_groups: "{{ _security_groups_defaults }}" + +# Load common security groups below into a list to use with the aws_vpc.security_groups variable. +_security_groups_defaults: + - "{{ _common_security_groups.common_network }}" + - "{{ _common_security_groups.ssh_open }}" + - "{{ _common_security_groups.web_open }}" + - "{{ _common_security_groups.mailpit_open }}" + - "{{ _common_security_groups.ftp_open }}" + - "{{ _common_security_groups.sftp_open }}" + - "{{ _common_security_groups.ossec }}" + - "{{ _common_security_groups.openvpn }}" + +# Here is a set of example and commonly required security groups. +# This closely follows our common firewall rules in roles/debian/firewall_config. +_common_security_groups: + common_network: + name: common_network + description: Common network access configuration for all servers. + rules: + - proto: icmp + from_port: 8 # ICMP type (8 is IPv4 echo) + to_port: -1 # ICMP subtype (-1 for any) + cidr_ip: 0.0.0.0/0 + rule_desc: Allow ICMP IPv4 ping. + - proto: icmp + from_port: 128 # ICMP type (128 is IPv6 echo) + to_port: -1 # ICMP subtype (-1 for any) + cidr_ipv6: "::/0" + rule_desc: Allow ICMP IPv6 ping. 
+ - proto: tcp + cidr_ip: "{{ _aws_vpc_cidr_base }}.0.0/16" # see _init - 10.0.0.0/16 by default + ports: + - 0-65535 + rule_desc: Allow all tcp traffic on internal network. + - proto: udp + cidr_ip: "{{ _aws_vpc_cidr_base }}.0.0/16" + ports: + - 0-65535 + rule_desc: Allow all udp traffic on internal network. + rules_egress: + - proto: tcp + cidr_ip: 0.0.0.0/0 + ports: + - 1-1024 + - 2049 + rule_desc: Allow ports 1-1024 and 2049 for NFS over tcp as standard. + - proto: udp + cidr_ip: 0.0.0.0/0 + ports: + - 1-1024 + rule_desc: Allow ports 1-1024 over udp as standard. + ssh_open: + name: ssh_open + description: Allow all incoming traffic on port 22. + rules: + - proto: tcp + ports: + - 22 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on port 22. + web_open: + name: web_open + description: Allow all incoming web traffic on ports 80 and 443. + rules: + - proto: tcp + ports: + - 80 + - 443 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 80 and 443. + mailpit_open: + name: mailpit_open + description: Allow all incoming traffic on port 8025 for Mailpit. + rules: + - proto: tcp + ports: + - 8025 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on port 8025. + ftp_open: + name: ftp_open + description: Allow all incoming traffic on ports 20 and 21 for FTP. + rules: + - proto: tcp + ports: + - 20 + - 21 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 20 and 21. + sftp_open: + name: sftp_open + description: Allow all incoming traffic on ports 989 and 990 for sFTP. + rules: + - proto: tcp + ports: + - 898 + - 990 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 989 and 990. + ossec: + name: ossec + description: Allow all incoming traffic on ports 1514 and 1515 for OSSEC. + rules: + - proto: udp + ports: + - 1514 + - 1515 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming udp traffic on ports 1514 and 1515. 
+ openvpn: + name: openvpn + description: Allow all incoming traffic on port 1194 for OpenVPN. + rules: + - proto: udp + ports: + - 1194 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming udp traffic on port 1194. ``` diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md index 743cbf8cd..51083b275 100644 --- a/roles/debian/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md @@ -20,9 +20,9 @@ ce_deploy: # Other ce-deploy settings. aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user - ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys - ssh_key_type: ecdsa # set to rsa to create an RSA key - public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name + ssh_key_bits: "521" # ignored for ED25519 keys, recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ed25519 # set to rsa to create an RSA key or ecdsa to create an ECDSA key + public_key_name: id_ed25519.pub # this might be id_rsa.pub for RSA keys or id_ecdsa.pub for ECDSA keys, existing users may have a key of a different name username: "{{ _ce_deploy.username }}" own_repository: "https://github.com/codeenigma/ce-deploy.git" own_repository_branch: "master" diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md index 6de9e0e9b..b42f10c79 100644 --- a/roles/debian/ce_provision/README.md +++ b/roles/debian/ce_provision/README.md 
@@ -21,9 +21,9 @@ ce_provision: new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user username: "{{ _ce_provision_username }}" # see _init defaults #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user - ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys - ssh_key_type: ecdsa # set to rsa to create an RSA key - public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name + ssh_key_bits: "521" # ignored for ED25519 keys, recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ed25519 # set to rsa to create an RSA key or ecdsa to create an ECDSA key + public_key_name: id_ed25519.pub # this might be id_rsa.pub for RSA keys or id_ecdsa.pub for ECDSA keys, existing users may have a key of a different name # Main repo. own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "master" diff --git a/roles/debian/firewall_config/README.md b/roles/debian/firewall_config/README.md index 1577b0c12..d91d889f4 100644 --- a/roles/debian/firewall_config/README.md +++ b/roles/debian/firewall_config/README.md @@ -61,6 +61,7 @@ firewall_config: rulesets: - ssh_open - web_open + - common_network # rule always needs to be last so the DROP rules in the OUTPUT chain get applied at the end # Ruleset definitions # Permitted rule lists 
@@ -91,6 +92,29 @@ firewall_config: letsencrypt: firewall_allowed_tcp_ports: - "80" + # Standard ports for Prometheus outbound rules to allow scraping of exporters + prometheus_server_scraping: + firewall_additional_rules: + - "iptables -A OUTPUT -p tcp --dport 9100 -j ACCEPT" # allow scraping node exporter + - "iptables -A OUTPUT -p tcp --dport 9101 -j ACCEPT" # allow scraping process exporter + - "iptables -A OUTPUT -p tcp --dport 9093 -j ACCEPT" # allow posting to alertmanager + - "iptables -A OUTPUT -p tcp --dport 9115 -j ACCEPT" # allow scraping blackbox exporter + # Commonly required outbound ports for PHP web servers + common_web: + firewall_additional_rules: + - "iptables -A OUTPUT -p tcp --dport 2049 -j ACCEPT" # allow NFS + - "iptables -A OUTPUT -p udp --dport 2049 -j ACCEPT" # allow NFS + - "iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT" # allow MySQL + # Recommended general firewall settings + common_network: + firewall_additional_rules: + - "iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" # ICMP ping in + - "iptables -A INPUT -p icmp --icmp-type 128 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" # ICMP ping in + - "iptables -A OUTPUT -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT" # ICMP ping out + - "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" # established connections out + - "iptables -A OUTPUT -o lo -j ACCEPT" # allow all local traffic + - "iptables -A OUTPUT -p tcp --dport 1025:65535 -j DROP" # block high port tcp traffic outbound + - "iptables -A OUTPUT -p udp --dport 1025:65535 -j DROP" # block high port udp traffic outbound ossec: firewall_allowed_udp_ports: - "1514" From fb03534e1eb950f2c9d507e4858f8ce0eec30542 Mon Sep 17 00:00:00 2001 
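Review bot: in the `sftp_open` group of the `@@ -10,23 +10,132 @@ aws_vpc:` hunk (first copy) the `ports:` list reads `- 898` while both the `description` and the `rule_desc` say 989 and 990, so the rule opens port 898 rather than 989; change it to `- 989`. The same typo is in the second copy of this hunk (roles/aws/aws_vpc/README.md). The group name is also misleading: 989/990 are the FTPS (FTP over TLS) data and control ports, whereas SFTP runs over SSH on port 22 and is already covered by `ssh_open`; either rename the group to something like `ftps_open` or correct the description so nobody opens 989/990 expecting SFTP. Note too that `ftp_open` (plaintext FTP on 20/21), this group, `mailpit_open` (8025) and `openvpn` (1194) all default to `cidr_ip: 0.0.0.0/0`, and `_security_groups_defaults` feeds every one of them into `aws_vpc.security_groups` out of the box. Consider shipping only `common_network` in the default list, or stating plainly in the comment that the list is an example to be trimmed, so a VPC does not acquire world-open FTP and Mailpit groups unless someone asked for them.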
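Review bot: the IPv6 ping rule in `common_network` (second copy of the `@@ -10,23 +10,132 @@ aws_vpc:` hunk, roles/aws/aws_vpc/README.md, and equally the first copy) uses `proto: icmp` with `from_port: 128` and `cidr_ipv6: "::/0"`. ICMPv6 is a separate IP protocol (58), so this needs `proto: icmpv6`; as written it matches IPv4 ICMP type 128, which is not an echo request, and IPv6 pings stay blocked. Second, `rules_egress` only permits tcp 1-1024 plus 2049 and udp 1-1024 to `0.0.0.0/0`, with no egress counterpart to the internal-network ingress rules or to the `common_web` and `prometheus_server_scraping` rulesets that this same patch adds to firewall_config. An instance carrying only these groups cannot initiate connections to MySQL/RDS on 3306, scrape exporters on 9100/9101/9115 or post to Alertmanager on 9093 inside the VPC (assuming the role passes these through to amazon.aws.ec2_security_group with its default `purge_rules_egress`, once `rules_egress` is set the default allow-all egress rule is gone). Either add an egress rule for `{{ _aws_vpc_cidr_base }}.0.0/16` on `0-65535` beside the internal ingress rules, or add `common_web` / `prometheus_server_scraping` style groups here, and say in the comment that setting `rules_egress` replaces the default egress behaviour.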
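Review bot: the comment kept on the edited line of the roles/aws/aws_ami/README.md hunk, `from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated`, is inaccurate even though the wording pre-dates this patch: what newer OpenSSH disables by default is the SHA-1 `ssh-rsa` signature algorithm, while RSA keys keep working with `rsa-sha2-256` / `rsa-sha2-512`. Suggest rewording to say ed25519 is now the default key type (and that `ssh_key_bits` is ignored for it), which would match the new comments in the ce_deploy and ce_provision hunks. Those four hunks also move the `public_key_name` default from `id_ecdsa.pub` to `id_ed25519.pub`; an existing install whose provisioning user already has a generated ECDSA key presumably needs to pin `ssh_key_type: ecdsa` and `public_key_name: id_ecdsa.pub` or the role will look for a file that is not there, so an upgrade note beside the `existing users may have a key of a different name` comment would help.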
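Review bot: `_aws_vpc_cidr_base: 10.0` in the roles/_init/README.md hunk is an unquoted YAML float, and the templates elsewhere in this patch build CIDRs from it as `"{{ _aws_vpc_cidr_base }}.0.0/16"`. The default happens to render back as `10.0`, but a user who sets `10.10` or `172.30` gets the float `10.1` / `172.3`, hence `10.1.0.0/16`, a different network, with no error raised. Quote the default (`_aws_vpc_cidr_base: "10.0"`) and state in the comment that the value must be a quoted string holding the first two octets.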
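Review bot: in the `common_network` ruleset of the `@@ -91,6 +92,29 @@ firewall_config:` hunk, `iptables -A INPUT -p icmp --icmp-type 128 ...` is labelled `ICMP ping in` as the IPv6 counterpart of the type 8 rule, but `iptables` only programs the IPv4 tables, where ICMP type 128 is not echo request; an IPv6 ping rule needs `ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 ...`, and only helps if the role applies ip6tables rules at all. Drop the line or move it to an ip6tables equivalent. Also, the two `--dport 1025:65535 -j DROP` lines make ruleset order significant: `prometheus_server_scraping` and `common_web` only work if they are listed before `common_network` in `firewall_config.rulesets`. The `@@ -61,6 +62,7 @@` hunk says this in a comment on the example list, but it is worth repeating in the comments on these three new rulesets, along with a note that outbound Mailpit traffic on 8025 (paired with the `mailpit_open` security group in this patch) is also caught by the DROP unless a rule for it precedes `common_network`.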
From: Greg Harvey Date: Mon, 13 Jan 2025 18:20:11 +0100 Subject: [PATCH 316/331] Publish docs pr 2.x (#2218) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. 
* Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr devel 2.x (#2165) * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4
---------
Co-authored-by: Matej Stajduhar
* Remvoing-scp-extra-args-temporary (#1761)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1765)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Making the publish docs CI work with 1.x and 2.x. * Only run when PRs are closed. * Simplifying installer script. * Separating script to build table of contents for Hugo and enhancing CI. * Forgot to add and commit changes to docs. * Adding safe directory for checked out code and changing order. * Trying to automate creating a PR instead of a commit. * Removing obsolete third party action in favour of GH CLI. * Forgot the PR body text which is required. * Moving docs head ref check to whole job, not step. * Deleting obsolete docs workflow. * Create a PR for devel and main, and better error handling. * Very convoluted way to have a dynamic head branch in an 'if' expression. * Need a 'needs' line to make sure context is set first. * Greg - testing updating markdown docs. * Need to push markdown docs to the docs branches. * We only want staged changes. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .github/workflows/ce-provision-publish-docs.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index 11eb51aa4..5b8731761 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml 
@@ -60,8 +60,7 @@ jobs: run: | /bin/sh contribute/toc.sh /usr/bin/find . -name "*.md" | xargs git add - /usr/bin/git diff - /usr/bin/git diff --quiet && /usr/bin/git diff --staged --quiet || /usr/bin/git diff --staged --name-only && /usr/bin/git commit -am "GitHub Actions - updating markdown docs - ${{ github.event.repository.updated_at }}" + /usr/bin/git diff --staged --quiet || /usr/bin/git diff --staged --name-only && /usr/bin/git commit -am "GitHub Actions - updating markdown docs - ${{ github.event.repository.updated_at }}" /usr/bin/git push origin docs-${{ github.event.pull_request.base.ref }} # Create docs pull request From 0986cb2ad3afe773dfe5d06d1cd91578070eb8d1 Mon Sep 17 00:00:00 2001 
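Review bot: the rewritten condition on the `+` line still runs `git commit` when nothing is staged, because `||` and `&&` have equal precedence and associate left in sh, so `A || B && C` executes as `(A || B) && C`: when `/usr/bin/git diff --staged --quiet` exits 0 (no staged changes) the group succeeds, the commit runs with nothing to commit, and the step fails. Group the branch explicitly, e.g. `/usr/bin/git diff --staged --quiet || { /usr/bin/git diff --staged --name-only && /usr/bin/git commit -m "GitHub Actions - updating markdown docs - ${{ github.event.repository.updated_at }}"; }`. Dropping `-a` in the same change matches the "We only want staged changes" intent from the message, since `-am` stages every tracked modification rather than only the `.md` files added by the preceding `git add`.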
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 13 Jan 2025 18:25:37 +0100
Subject: [PATCH 317/331] Documentation update - 2.x (#2213)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. 
* Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. 
* Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. 
* Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." 
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. 
* Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. 
* Spacing issue fix.
* Running tests on pull_request only.

Co-authored-by: EmlynK

* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"

This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.

* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.

Co-authored-by: EmlynK

* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.

GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.

Co-authored-by: EmlynK

* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."

This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.

* Revert "Making /bin/bash the shell."

This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.

* Revert "Tidying the documentation check."

This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.

* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."

This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.

* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."

This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.

* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.

Co-authored-by: EmlynK

* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.

Co-authored-by: Greg Harvey

* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.

GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.

Co-authored-by: EmlynK

* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again…
* Publish docs pr devel 2.x (#2165)
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4

---------

Co-authored-by: Matej Stajduhar

* Remvoing-scp-extra-args-temporary (#1761)

Co-authored-by: Matej Stajduhar

* Bug fixes 2.x pr 2.x (#1765)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Upda…
* Publish docs pr devel 2.x (#2167)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. 
* Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Removing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. 
* Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. 
* _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. 
* Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. 
* Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 
(#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. 
* Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * 
Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. 
* Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. 
* Fixing role dependency in NGINX role. * r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2… * Publish docs pr devel 2.x (#2169) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * 
Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. 
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
---------
Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com>
Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com>
Co-authored-by: Matej Stajduhar
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Co-authored-by: Klaus Purer
Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com>
Co-authored-by: filip
* Publish docs pr devel 2.x (#2170)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. 
* Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. 
* r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. * Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. 
* Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. 
* Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. 
* Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. 
* Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Making the publish docs CI work with 1.x and 2.x.
---------
Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com>
Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com>
Co-authored-by: Matej Stajduhar
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
Co-authored-by: Klaus Purer
Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com>
Co-authored-by: filip
* Publish docs pr devel 2.x (#2172)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Rem…
* Publish docs pr devel 2.x (#2173)
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. 
* Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. 
* Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* …
* Publish docs pr devel 2.x (#2175)
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* …
* Publish docs pr devel 2.x (#2176)
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aw… * Publish docs pr devel 2.x (#2178) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * 
Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. 
* Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
…
* Publish docs pr devel 2.x (#2180)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue

---------

Co-authored-by: Matej Stajduhar

* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update

---------

Co-authored-by: Matej Stajduhar

* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting

---------

Co-authored-by: Matej Stajduhar

* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)

Co-authored-by: Matej Stajduhar

* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json

---------

Co-authored-by: Matej Stajduhar

* updating asg role to support custom rule on http and https (#1959)

Co-authored-by: filip

* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role

---------

Co-authored-by: filip

* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing eroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostGreSQL logs to see if there are errors. * Outputting PostGreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment f…
* Publish docs pr devel 2.x (#2182)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. 
…
* Publish docs pr devel 2.x (#2183)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring…
* Publish docs pr devel 2.x (#2185)
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)

Co-authored-by: Matej Stajduhar

* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json

---------

Co-authored-by: Matej Stajduhar

* updating asg role to support custom rule on http and https (#1959)

Co-authored-by: filip

* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed.
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles.
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull.
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a0140… * Publish docs pr devel 2.x (#2188) * r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. 
* Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. 
* Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. * Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. 
* Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. 
* Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. 
* Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via …
* Publish docs pr devel 2.x (#2192)
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing eroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostGreSQL logs to see if there are errors. * Outputting PostGreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. 
* Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. 
* Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. 
* Revert "Fixing ansible-… --------- Co-authored-by: Greg Harvey Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip From 8de3b4551607b50be212dfe036a621b13e6747d5 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Mon, 13 Jan 2025 18:33:45 +0100 Subject: [PATCH 318/331] Publish docs pr 2.x (#2220) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. 
* We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. 
(#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. 
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. 
* Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr devel 2.x (#2165) * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773)
* Whitelisting ce vpn ip wazuh pr 2.x (#1775)
* Whitelisting-CE-VPN-IP-wazuh
* Fixing-wazuh-whitelist-variable
* Updating-wazuh-vars (#1777)
* add community.postgresql collection and remove varnish master release (#1779)
* Updating wazuh vars pr 2.x (#1781)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating wazuh vars pr 2.x (#1783)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Updating wazuh vars pr 2.x (#1785)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Updating wazuh vars pr 2.x (#1787)
* Updating-wazuh-vars
* Updating-manager-vars
* Updating-wazuh-manager-active-response
* Updating-wazuh-manager-active-response-2x
* Fixing-wazuh-broken-pipeline
* Tweaking-wazuh-vars
* r68065 mattermost role first commit (#1789)
* r68065 mattermost role first commit
* fixing linting/syntax
* reload systemd with ansible.builtin.systemd_service
* handler for postgresql reloads
* default systemd unit file for mattermost role
* r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)
* permissions for postgres setup (#1795)
* r68065 add mattermost group before user (#1797)
* Updating-duplicity (#1804)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Upda…
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Making the publish docs CI work with 1.x and 2.x.
* Only run when PRs are closed.
* Simplifying installer script.
* Separating script to build table of contents for Hugo and enhancing CI.
* Forgot to add and commit changes to docs.
* Adding safe directory for checked out code and changing order.
* Trying to automate creating a PR instead of a commit.
* Removing obsolete third party action in favour of GH CLI.
* Forgot the PR body text which is required.
* Moving docs head ref check to whole job, not step.
* Deleting obsolete docs workflow.
* Create a PR for devel and main, and better error handling.
* Very convoluted way to have a dynamic head branch in an 'if' expression.
* Need a 'needs' line to make sure context is set first.
* Greg - testing updating markdown docs.
* Need to push markdown docs to the docs branches.
* We only want staged changes.
* Trying to prevent false commits.
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .github/workflows/ce-provision-publish-docs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index 5b8731761..b87f9afe5 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml 
@@ -60,7 +60,7 @@ jobs: run: | /bin/sh contribute/toc.sh /usr/bin/find . -name "*.md" | xargs git add - /usr/bin/git diff --staged --quiet || /usr/bin/git diff --staged --name-only && /usr/bin/git commit -am "GitHub Actions - updating markdown docs - ${{ github.event.repository.updated_at }}" + /usr/bin/git diff --staged --quiet || /usr/bin/git commit -am "GitHub Actions - updating markdown docs - ${{ github.event.repository.updated_at }}" /usr/bin/git push origin docs-${{ github.event.pull_request.base.ref }} # Create docs pull request From e879264c86e7aacee6cd12529ca6dcc3b130d5ba Mon Sep 17 00:00:00 2001 
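Review bot: the corrected line still commits with `git commit -am`, and `-a` stages every modified tracked file, so the commit is not limited to the `.md` files that `xargs git add` staged just before; given the stated intent ("We only want staged changes"), use `/usr/bin/git commit -m "GitHub Actions - updating markdown docs - ..."` without `-a`. The `||` change itself is correct: in the removed line `A || B && C` parses as `(A || B) && C`, so when `git diff --staged --quiet` succeeded (nothing staged) the commit still ran and failed the step. As a hardening habit, pass `${{ github.event.repository.updated_at }}` through an `env:` entry rather than interpolating the expression straight into the `run:` shell, so the pattern is not copied for values that are attacker-influenced.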
From: Greg Harvey Date: Tue, 14 Jan 2025 19:25:18 +0100 Subject: [PATCH 319/331] Bug fixes 2.x pr 2.x (#2225) * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user.
* Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. * Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially.
* Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. * More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Improving GitLab vars and adding force stop feature. * Not installing aws_credentials in meta roles if AWS support disabled. --- roles/_meta/controller/meta/main.yml | 2 +- roles/_meta/deploy/meta/main.yml | 2 +- roles/debian/gitlab/defaults/main.yml | 11 ++++++----- roles/debian/gitlab/tasks/main.yml | 2 ++ 4 files changed, 10 insertions(+), 7 deletions(-) 
diff --git a/roles/_meta/controller/meta/main.yml b/roles/_meta/controller/meta/main.yml index 955a23613..5eb04377e 100644 --- a/roles/_meta/controller/meta/main.yml +++ b/roles/_meta/controller/meta/main.yml @@ -3,7 +3,7 @@ dependencies: - role: debian/user_provision - { role: debian/ssh_server, when: ( is_local is not defined or not is_local ) } - role: _meta/common_base - - role: aws/aws_credentials + - { role: aws/aws_credentials, when ce_provision.aws_support } - role: debian/ce_provision - role: debian/gitlab - role: debian/gitlab_runner diff --git a/roles/_meta/deploy/meta/main.yml b/roles/_meta/deploy/meta/main.yml index 4409e5701..9747fd195 100644 --- a/roles/_meta/deploy/meta/main.yml +++ b/roles/_meta/deploy/meta/main.yml @@ -4,7 +4,7 @@ dependencies: - { role: debian/ssh_server, when: ( is_local is not defined or not is_local ) } - role: _meta/common_base - role: debian/ce_deploy - - role: aws/aws_credentials + - { role: aws/aws_credentials, when: ce_deploy.aws_support } - role: debian/gitlab - role: debian/gitlab_runner - role: debian/sops diff --git a/roles/debian/gitlab/defaults/main.yml b/roles/debian/gitlab/defaults/main.yml index e2ed2ff05..ba7d1b4e5 100644 --- a/roles/debian/gitlab/defaults/main.yml +++ b/roles/debian/gitlab/defaults/main.yml 
@@ -11,14 +11,15 @@ gitlab: apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey server_name: "gitlab.{{ _domain_name }}" + force_stop: true # whether to stop GitLab to reconfigure or not # Add a record for GitLab in AWS Route 53 # If you use the aws_ec2_with_eip role to create your server this will not be necessary gitlab_route_53: state: present zone: "" # empty zone skips DNS creation - record: "{{ _domain_name }}" - type: A # change to CNAME if required - value: 1.2.3.4 # set IP if type: A and target hostname if type: CNAME + record: "gitlab.{{ _domain_name }}" + type: CNAME # change to A if required + value: "{{ _domain_name }}" # set IP if type: A and target hostname if type: CNAME aws_profile: another # Not necessarily the same as the "target" one for the server wildcard: true # Creates a matching wildcard CNAME letsencrypt: "true" # use built-in GitLab LetsEncrypt support by default letsencrypt: "true" # GitLab's built in SSL handling enabled by default 
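Review bot: the context lines at the end of this hunk carry the key `letsencrypt: "true"` twice in the same `gitlab` mapping (one commented "use built-in GitLab LetsEncrypt support by default", the other "GitLab's built in SSL handling enabled by default"); YAML loaders keep only the last value and Ansible warns about duplicate dict keys, so remove one while this file is being edited. The new `record: "gitlab.{{ _domain_name }}"` / `type: CNAME` / `value: "{{ _domain_name }}"` defaults are consistent with `server_name: "gitlab.{{ _domain_name }}"` above, but note in the README that the `value` comment ("set IP if type: A and target hostname if type: CNAME") now describes a default that points the GitLab name at the bare domain, which only works if that domain already resolves to the server.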
@@ -77,10 +78,10 @@ gitlab: omniauth_auto_link_saml_user: "false" omniauth_block_auto_created_users: "true" omniauth_login_button_label: "Login with SAML" - omniauth_consumer_service_url: "https://{{ _domain_name }}/users/auth/saml/callback" + omniauth_consumer_service_url: "https://gitlab.{{ _domain_name }}/users/auth/saml/callback" omniauth_saml_cert_fingerprint: "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" # fingerprint of the SAML server's certificate omniauth_saml_endpoint_url: https://login.example.com/simplesaml/saml2/idp/SSOService.php # typical endpoint if you followed the SimpleSAMLphp QuickStart - https://simplesamlphp.org/docs/stable/simplesamlphp-idp.html - omniauth_saml_entity_id: "{{ _domain_name }}" # can be any string, typically just the domain name + omniauth_saml_entity_id: "gitlab.{{ _domain_name }}" # can be any string, typically just the domain name omniauth_saml_attribute_statements: "uid: ['uid']" # typical basic set-up if your SAML authsource is OpenLDAP # Other services prometheus: "true" # enable/disable built-in Prometheus diff --git a/roles/debian/gitlab/tasks/main.yml b/roles/debian/gitlab/tasks/main.yml index 00b55e162..766ec8097 100644 --- a/roles/debian/gitlab/tasks/main.yml +++ b/roles/debian/gitlab/tasks/main.yml @@ -96,6 +96,7 @@ - name: Stop Gitlab. ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl stop + when: gitlab.force_stop - name: Reconfigure Gitlab. ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl reconfigure @@ -126,6 +127,7 @@ - name: Ensure GitLab is started. ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl start + when: gitlab.force_stop # @TODO - this task fails in CI with GitHub Actions because PostGreSQL isn't running - name: Run the GitLab configuration script for config that cannot be set in gitlab.rb. From 2ad05bbbd495cd63834adaf37bee0db5b4719762 Mon Sep 17 00:00:00 2001 
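Review bot: in the `roles/_meta/controller/meta/main.yml` hunk the new dependency reads `- { role: aws/aws_credentials, when ce_provision.aws_support }`, which is missing the colon after `when`; as written the flow mapping gets a key named `when ce_provision.aws_support` with a null value instead of a condition, so the role dependency will be rejected or the condition silently ignored. Match the deploy hunk: `- { role: aws/aws_credentials, when: ce_provision.aws_support }`.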
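Review bot: changing the default `omniauth_saml_entity_id` from `{{ _domain_name }}` to `gitlab.{{ _domain_name }}` (and the ACS URL to `https://gitlab.{{ _domain_name }}/users/auth/saml/callback`) alters the SAML service-provider identity that identity providers have registered, so any existing deployment relying on the old defaults will have its SAML logins rejected until the IdP metadata is updated; call this out as a breaking change in the role docs. While here, the all-zero `omniauth_saml_cert_fingerprint` placeholder is the only thing binding GitLab to the IdP's signing certificate, so the comment should say plainly that it must be overridden per deployment.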
From: Greg Harvey Date: Tue, 14 Jan 2025 19:46:29 +0100 Subject: [PATCH 320/331] Bug fixes 2.x pr 2.x (#2229) * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed.
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles.
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Improving GitLab vars and adding force stop feature. * Not installing aws_credentials in meta roles if AWS support disabled. * Most people will not want pam_ldap or pam_linotp, should not be in meta. * If you don't create LDAP SSL certs you might not have a /etc/ldap directory. --- roles/_meta/controller/meta/main.yml | 2 -- roles/_meta/deploy/meta/main.yml | 2 -- roles/debian/pam_ldap/tasks/main.yml | 5 +++++ 3 files changed, 5 insertions(+), 4 deletions(-) 
diff --git a/roles/_meta/controller/meta/main.yml b/roles/_meta/controller/meta/main.yml index 5eb04377e..a876c8c89 100644 --- a/roles/_meta/controller/meta/main.yml +++ b/roles/_meta/controller/meta/main.yml @@ -9,5 +9,3 @@ dependencies: - role: debian/gitlab_runner - role: debian/sops - role: debian/gpg_key - - role: debian/pam_ldap - - role: debian/pam_linotp diff --git a/roles/_meta/deploy/meta/main.yml b/roles/_meta/deploy/meta/main.yml index 9747fd195..cc6ce64c2 100644 --- a/roles/_meta/deploy/meta/main.yml +++ b/roles/_meta/deploy/meta/main.yml @@ -9,5 +9,3 @@ dependencies: - role: debian/gitlab_runner - role: debian/sops - role: debian/gpg_key - - role: debian/pam_ldap - - role: debian/pam_linotp diff --git a/roles/debian/pam_ldap/tasks/main.yml b/roles/debian/pam_ldap/tasks/main.yml index c66ba85f7..b2a4de250 100644 --- a/roles/debian/pam_ldap/tasks/main.yml +++ b/roles/debian/pam_ldap/tasks/main.yml @@ -5,6 +5,11 @@ state: present update_cache: true +- name: Create LDAP config directory. + ansible.builtin.file: + path: /etc/ldap + state: directory + - name: Create certificate directory. ansible.builtin.file: path: /etc/ldap/ssl From 858de799dba82a2db18fd2a20bb985a68885b449 Mon Sep 17 00:00:00 2001 
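Review bot: in the `roles/debian/pam_ldap/tasks/main.yml` hunk the new "Create LDAP config directory." task is redundant as shown: `ansible.builtin.file` with `state: directory` already creates missing intermediate directories, so the following "Create certificate directory." task for `/etc/ldap/ssl` would create `/etc/ldap` on its own. If the ssl-directory task is skipped in some configurations (the commit message suggests so), keep the new task but give it explicit `owner`, `group` and `mode` (for example `mode: "0755"`) rather than inheriting whatever umask the play runs under; otherwise drop it.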
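Review bot: the two `_meta` hunks remove `debian/pam_ldap` and `debian/pam_linotp` from the controller and deploy dependency lists, which means hosts that were getting LDAP and OTP PAM configuration through these meta roles keep whatever is already installed but stop having it managed; the change needs a line in the roles' README telling users who rely on it to add both roles to their own play, and the removal should be called out as behaviour-changing rather than filed under "bug fixes".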
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 14 Jan 2025 20:02:06 +0100 Subject: [PATCH 321/331] Documentation update - 2.x (#2226) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. 
* Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. 
* Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. 
(#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. 
(#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. 
* Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." 
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. 
* Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. 
* Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. 
* Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. 
* Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. 
* Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. 
* Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. 
* Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. 
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
  Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Generate saml sso requirements 1x (#44)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again…
* Publish docs pr devel 2.x (#2165)
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. 
* Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Removing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. 
* Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. 
* Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. 
* Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. 
* Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. 
* Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar 
* initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. 
* Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar 
* Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Publish docs pr devel 2.x (#2167) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. 
* Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. 
* Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. 
* _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. 
* Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. 
* Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 
(#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. 
* Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. 
* Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. 
* Fixing role dependency in NGINX role. * r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2… * Publish docs pr devel 2.x (#2169) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * 
Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. 
* Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. 
* Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
---------
Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com>
Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com>
Co-authored-by: Matej Stajduhar
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Co-authored-by: Klaus Purer
Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com>
Co-authored-by: filip
* Publish docs pr devel 2.x (#2170)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. 
* Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- 
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Making the publish docs CI work with 1.x and 2.x. 
--------- Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Matej Stajduhar Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip * Publish docs pr devel 2.x (#2172) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. 
* Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * 
Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. 
* Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. 
* Fixing role dependency in NGINX role. * r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Rem… * Publish docs pr devel 2.x (#2173) * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. 
* Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. 
* Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. 
* Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * … * Publish docs pr devel 2.x (#2175) * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. 
* Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. 
* Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. 
* Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* …
* Publish docs pr devel 2.x (#2176)
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aw…
* Publish docs pr devel 2.x (#2178)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) … * Publish docs pr devel 2.x (#2180) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x 
(#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment f… * Publish docs pr devel 2.x (#2182) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement 
* Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. 
* Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
…
* Publish docs pr devel 2.x (#2183)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed.
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles.
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull.
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring…
* Publish docs pr devel 2.x (#2185)
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing eroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostGreSQL logs to see if there are errors. * Outputting PostGreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a0140…
* Publish docs pr devel 2.x (#2188)
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. 
* Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. 
* Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via … * Publish docs pr devel 2.x (#2192) * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together.
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. 
* Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. 
* Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. 
* Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-…
* Catching docs-2.x up with 2.x (#2223)
* Publish docs pr 2.x (#2193)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
  Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
  Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
  Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
  Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
  Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
  Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
  Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
  Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
  Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
  Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. 
* Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." 
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. 
* Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. 
* Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." 
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. 
* Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. … --------- Co-authored-by: Greg Harvey Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: Code Enigma CI Co-authored-by: EmlynK Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dionisio Co-authored-by: pascal Co-authored-by: Jamie Wiseman Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com> Co-authored-by: Matthieu Decorniquet Co-authored-by: Dionisio Co-authored-by: Jean Pierre Dentone Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: tim Co-authored-by: Nick Fawbert Co-authored-by: Miro Michalicka Co-authored-by: Miro Michalicka Co-authored-by: Matej Stajduhar Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com> Co-authored-by: Sunny Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: Klaus Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip From a81e2d12d6780daf24530040cf8478955d9e39d6 Mon Sep 17 00:00:00 2001 
From: Greg Harvey
Date: Wed, 15 Jan 2025 12:26:07 +0100
Subject: [PATCH 322/331] Bug fixes 2.x pr 2.x (#2231)

* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Improving GitLab vars and adding force stop feature.
* Not installed aws_credentials in meta roles if AWS support disabled.
* Most people will not want pam_ldap or pam_linotp, should not be in meta.
* If you don't create LDAP SSL certs you might not have a /etc/ldap directory.
* Adding a merge of the main branch into the docs branch to CI.
* Adding comment to not use hyphens in boto profile names.
* Supporting different key types to publish to AWS.
--- .github/workflows/ce-provision-publish-docs.yml | 1 + roles/aws/aws_credentials/defaults/main.yml | 2 +- roles/aws/aws_provision_ec2_keypair/defaults/main.yml | 1 + roles/aws/aws_provision_ec2_keypair/tasks/main.yml | 2 +- 4 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index b87f9afe5..89a446756 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -58,6 +58,7 @@ jobs: # First build and publish the markdown docs - name: Build and commit table of contents and README files back to the repo run: | + /usr/bin/git merge origin/${{ github.event.pull_request.base.ref }} /bin/sh contribute/toc.sh /usr/bin/find . -name "*.md" | xargs git add /usr/bin/git diff --staged --quiet || /usr/bin/git commit -am "GitHub Actions - updating markdown docs - ${{ github.event.repository.updated_at }}" diff --git a/roles/aws/aws_credentials/defaults/main.yml b/roles/aws/aws_credentials/defaults/main.yml index 8e58eb78d..80a5430fe 100644 --- a/roles/aws/aws_credentials/defaults/main.yml +++ b/roles/aws/aws_credentials/defaults/main.yml @@ -2,7 +2,7 @@ aws_credentials: - user: ce-dev profiles: - - name: profile1 + - name: profile1 # profiles should never contain hyphens access_key_id: XXX secret_access_key: XXXX - name: example diff --git a/roles/aws/aws_provision_ec2_keypair/defaults/main.yml b/roles/aws/aws_provision_ec2_keypair/defaults/main.yml index 51e053f91..62300898b 100644 --- a/roles/aws/aws_provision_ec2_keypair/defaults/main.yml +++ b/roles/aws/aws_provision_ec2_keypair/defaults/main.yml @@ -3,3 +3,4 @@ aws_provision_ec2_keypair: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" + key_type: "{{ ce_provision.ssh_key_type }}" # defaults to ed25519 in the ce_provision role, set to rsa to or ecdsa as necessary 
diff --git a/roles/aws/aws_provision_ec2_keypair/tasks/main.yml b/roles/aws/aws_provision_ec2_keypair/tasks/main.yml index a0c5124d7..81de64d72 100644 --- a/roles/aws/aws_provision_ec2_keypair/tasks/main.yml +++ b/roles/aws/aws_provision_ec2_keypair/tasks/main.yml @@ -2,6 +2,6 @@ - name: Create EC2 key pair. amazon.aws.ec2_key: name: "{{ aws_provision_ec2_keypair.key_name }}" - key_material: "{{ lookup('file', '/home/{{ ce_provision.username }}/.ssh/id_rsa.pub') }}" + key_material: "{{ lookup('file', '/home/{{ ce_provision.username }}/.ssh/id_{{ aws_provision_ec2_keypair.key_type }}.pub') }}" profile: "{{ aws_provision_ec2_keypair.aws_profile }}" region: "{{ aws_provision_ec2_keypair.region }}" From 5096fa98283503a8edcf0c97ee6d63bbd1dcaf31 Mon Sep 17 00:00:00 2001 
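Review bot: in the `.github/workflows/ce-provision-publish-docs.yml` hunk, the added `/usr/bin/git merge origin/${{ github.event.pull_request.base.ref }}` has no preceding fetch, so with a default shallow checkout the remote-tracking ref `origin/<base>` is normally absent and the step fails before `contribute/toc.sh` runs; fetch the base ref first. The expression is also interpolated directly into the `run:` script, which is the injection-prone pattern GitHub's workflow hardening guidance warns about; pass it through `env:` (e.g. `BASE_REF: ${{ github.event.pull_request.base.ref }}`) and use `git fetch origin "$BASE_REF" && git merge "origin/$BASE_REF"` in the shell. Finally, `base.ref` is empty on any non-pull_request trigger, leaving a bare `git merge origin/`.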
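Review bot: in the `roles/aws/aws_credentials/defaults/main.yml` hunk, the rule in `- name: profile1 # profiles should never contain hyphens` lives only in a comment on an example default, so a hyphenated profile name is still written out and only fails later when the AWS tooling reads it. Enforce it in the role with an `ansible.builtin.assert` over each profile name (e.g. `that: item.name is match('^[A-Za-z0-9_]+$')`, with `fail_msg` explaining the restriction) and state the rule in the role README where users actually set `aws_credentials`.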
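Review bot: in the `roles/aws/aws_provision_ec2_keypair/defaults/main.yml` hunk, `key_type: "{{ ce_provision.ssh_key_type }}"` makes the role abort with an undefined-variable error whenever the `ce_provision` dictionary is not loaded, which nothing in this hunk guarantees for a role under `roles/aws/`; use a literal default (`ed25519`) or `{{ ce_provision.ssh_key_type | default('ed25519') }}` and document the dependency in the role README. The trailing comment also has a typo, "set to rsa to or ecdsa" should read "set to rsa or ecdsa".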
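Review bot: in the `roles/aws/aws_provision_ec2_keypair/tasks/main.yml` hunk, the new `key_material:` value nests `{{ }}` inside an outer Jinja expression (`'/home/{{ ce_provision.username }}/.ssh/id_{{ aws_provision_ec2_keypair.key_type }}.pub'`), a form ansible-lint has historically flagged as `no-jinja-nesting`; build the path by concatenation instead, e.g. `lookup('file', '/home/' ~ ce_provision.username ~ '/.ssh/id_' ~ aws_provision_ec2_keypair.key_type ~ '.pub')`. The path also hardcodes `/home/<user>`, so a controller user with a non-standard home directory (or root) points at the wrong file; consider resolving the home from `lookup('env', 'HOME')` or a dedicated variable. Note that `lookup('file', ...)` reads on the controller and errors if the file is absent, which is the right outcome for an unsupported `key_type`; the README should list which `id_<type>.pub` file must exist.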
From: Greg Harvey
Date: Wed, 15 Jan 2025 13:12:13 +0100
Subject: [PATCH 323/331] Bug fixes 2.x pr 2.x (#2233)

* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Improving GitLab vars and adding force stop feature.
* Not installed aws_credentials in meta roles if AWS support disabled.
* Most people will not want pam_ldap or pam_linotp, should not be in meta.
* If you don't create LDAP SSL certs you might not have a /etc/ldap directory.
* Adding a merge of the main branch into the docs branch to CI.
* Adding comment to not use hyphens in boto profile names.
* Supporting different key types to publish to AWS.
* Adding a git fetch before the merge in docs publishing.
* Using the safer _ce_provision_username var in AWS key role.
--- .github/workflows/ce-provision-publish-docs.yml | 1 + roles/aws/aws_provision_ec2_keypair/defaults/main.yml | 4 ++-- roles/aws/aws_provision_ec2_keypair/tasks/main.yml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index 89a446756..f2c56fd7b 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -58,6 +58,7 @@ jobs: # First build and publish the markdown docs - name: Build and commit table of contents and README files back to the repo run: | + /usr/bin/git fetch origin 2.x /usr/bin/git merge origin/${{ github.event.pull_request.base.ref }} /bin/sh contribute/toc.sh /usr/bin/find . -name "*.md" | xargs git add diff --git a/roles/aws/aws_provision_ec2_keypair/defaults/main.yml b/roles/aws/aws_provision_ec2_keypair/defaults/main.yml index 62300898b..efd4af9c0 100644 --- a/roles/aws/aws_provision_ec2_keypair/defaults/main.yml +++ b/roles/aws/aws_provision_ec2_keypair/defaults/main.yml @@ -2,5 +2,5 @@ aws_provision_ec2_keypair: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" - key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" - key_type: "{{ ce_provision.ssh_key_type }}" # defaults to ed25519 in the ce_provision role, set to rsa to or ecdsa as necessary + key_name: "{{ _ce_provision_username }}@{{ ansible_hostname }}" + key_type: ed25519 # defaults to ed25519 as used in the ce_provision role, set to rsa to or ecdsa as necessary diff --git a/roles/aws/aws_provision_ec2_keypair/tasks/main.yml b/roles/aws/aws_provision_ec2_keypair/tasks/main.yml index 81de64d72..4eb8f2c98 100644 --- a/roles/aws/aws_provision_ec2_keypair/tasks/main.yml +++ b/roles/aws/aws_provision_ec2_keypair/tasks/main.yml 
@@ -2,6 +2,6 @@ - name: Create EC2 key pair. amazon.aws.ec2_key: name: "{{ aws_provision_ec2_keypair.key_name }}" - key_material: "{{ lookup('file', '/home/{{ ce_provision.username }}/.ssh/id_{{ aws_provision_ec2_keypair.key_type }}.pub') }}" + key_material: "{{ lookup('file', '/home/{{ _ce_provision_username }}/.ssh/id_{{ aws_provision_ec2_keypair.key_type }}.pub') }}" profile: "{{ aws_provision_ec2_keypair.aws_profile }}" region: "{{ aws_provision_ec2_keypair.region }}" From 24b4a9b9e092b1fefab4861a465275efbb776f1a Mon Sep 17 00:00:00 2001 
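Review bot: in the ce-provision-publish-docs.yml hunk, `/usr/bin/git fetch origin 2.x` hardcodes the branch while the next line merges `origin/${{ github.event.pull_request.base.ref }}`, so for a PR whose base is not `2.x` the merge runs against whatever the checkout happened to fetch. Fetch the same ref you merge (`/usr/bin/git fetch origin ${{ github.event.pull_request.base.ref }}`), and since the branch name is expanded straight into the shell script, pass it through an `env:` entry and reference `"$BASE_REF"` rather than interpolating the expression into `run:`.

Review bot: in the aws_provision_ec2_keypair defaults hunk, `key_type: ed25519` replaces `"{{ ce_provision.ssh_key_type }}"`, so the key type is no longer tied to the type the ce_provision role actually generated; an operator who switches the ce_provision role to rsa gets a lookup of `id_ed25519.pub` that does not exist. Either keep it derived from the same variable (with `| default('ed25519')`) or say in the comment that both settings must be changed together. The comment also has a stray word: "set to rsa to or ecdsa" should read "set to rsa or ecdsa".

Review bot: in the tasks/main.yml hunk, `key_material` nests `{{ _ce_provision_username }}` inside the string argument of a `{{ lookup(...) }}` expression; nested moustaches are not valid Jinja and only work because Ansible re-templates the inner string, so build the path with concatenation instead: `lookup('file', '/home/' ~ _ce_provision_username ~ '/.ssh/id_' ~ aws_provision_ec2_keypair.key_type ~ '.pub')`. The home directory is also assumed to be `/home/<user>`; `lookup('env', 'HOME')` or a role variable is safer. Note too that `amazon.aws.ec2_key` defaults to `force: true`, which replaces an existing key pair of the same name when the material differs, so a controller with a regenerated key silently rotates the AWS key pair; set `force: false` if that is not intended.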
From: Greg Harvey
Date: Wed, 15 Jan 2025 13:52:26 +0100
Subject: [PATCH 324/331] Bug fixes 2.x pr 2.x (#2235)

* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Improving GitLab vars and adding force stop feature.
* Not installing aws_credentials in meta roles if AWS support disabled.
* Most people will not want pam_ldap or pam_linotp, should not be in meta.
* If you don't create LDAP SSL certs you might not have a /etc/ldap directory.
* Adding a merge of the main branch into the docs branch to CI.
* Adding comment to not use hyphens in boto profile names.
* Supporting different key types to publish to AWS.
* Adding a git fetch before the merge in docs publishing.
* Using the safer _ce_provision_username var in AWS key role.
* Adding the --allow-unrelated-histories flag to git merge in CI.
* Commenting out some of the AWS ACL rulesets to leave them as examples.
--- .../workflows/ce-provision-publish-docs.yml | 2 +- roles/aws/aws_acl/defaults/main.yml | 52 +++++++++++-------- 2 files changed, 31 insertions(+), 23 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index f2c56fd7b..232a71d99 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -59,7 +59,7 @@ jobs: - name: Build and commit table of contents and README files back to the repo run: | /usr/bin/git fetch origin 2.x - /usr/bin/git merge origin/${{ github.event.pull_request.base.ref }} + /usr/bin/git merge origin/${{ github.event.pull_request.base.ref }} --allow-unrelated-histories /bin/sh contribute/toc.sh /usr/bin/find . -name "*.md" | xargs git add /usr/bin/git diff --staged --quiet || /usr/bin/git commit -am "GitHub Actions - updating markdown docs - ${{ github.event.repository.updated_at }}" diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index 2757cffc6..d74402f89 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml 
@@ -10,29 +10,37 @@ aws_acl: rate_limit: value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking priority: 2 # can be float with 1 decimal place - ip_sets: - - rule_name: "Allowed-IPs-rule" - set_name: "Allowed-IPs-set" - description: "List of IPs to whitelist - Ansible managed" - action: allow - priority: 1 - list: - - 1.1.1.1/32 - - 2.2.2.2/32 - country_codes: - - name: "allowed-countries" - action: allow - priority: 0.2 - list: - - GB - - HR - - name: "blocked-countries" - action: block - priority: 8 - list: - - RU - - CN + ip_sets: [] +# Example IP set to allow a list of safe IPs +# - rule_name: "Allowed-IPs-rule" +# set_name: "Allowed-IPs-set" +# description: "List of IPs to safelist - Ansible managed" +# action: allow +# priority: 1 +# list: +# - 1.1.1.1/32 +# - 2.2.2.2/32 +# - 30.30.30.0/24 +# Example country code ruleset allowing one set of countries and blocking another +# country_codes: +# - name: "allowed-countries" +# action: allow +# priority: 0.2 +# list: +# - GB +# - HR +# - FR +# - ES +# - UY +# - JP +# - name: "blocked-countries" +# action: block +# priority: 8 +# list: +# - RU +# - CN regular_rules: + # Commonly required Drupal rule to allow Panels to function - name: allow_panels action: allow statements_type: "single" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements) From 13fd86a793ba4ef25498e84d1c73499a13f273ab Mon Sep 17 00:00:00 2001 
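Review bot: in the workflow hunk, `--allow-unrelated-histories` switches off the guard that stops a merge between branches with no common commit; if the docs branch really shares no ancestor with `2.x`, every run produces a full-tree merge commit, and any path present in both trees becomes a conflict that a non-interactive `run:` step cannot resolve. The `git fetch origin 2.x` on the line above is also still hardcoded while the merge uses `${{ github.event.pull_request.base.ref }}`; fetching the ref that is actually merged, and finding out why the histories diverged, is the smaller fix than suppressing the check.

Review bot: in the aws_acl defaults hunk, `ip_sets` keeps an empty-list default (`ip_sets: []`) but `country_codes` is commented out entirely, so `aws_acl.country_codes` is now undefined; any task that loops over or templates it needs `| default([])`, or the default should read `country_codes: []` to match `ip_sets`. The example addresses in the comments (1.1.1.1/32, 2.2.2.2/32, 30.30.30.0/24) are publicly allocated ranges, which for an allow rule is a copy-paste hazard; use the documentation ranges reserved by RFC 5737 (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) instead.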
From: Greg Harvey
Date: Wed, 15 Jan 2025 15:40:35 +0100
Subject: [PATCH 325/331] Bug fixes 2.x pr 2.x (#2240)

* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Improving GitLab vars and adding force stop feature.
* Not installing aws_credentials in meta roles if AWS support disabled.
* Most people will not want pam_ldap or pam_linotp, should not be in meta.
* If you don't create LDAP SSL certs you might not have a /etc/ldap directory.
* Adding a merge of the main branch into the docs branch to CI.
* Adding comment to not use hyphens in boto profile names.
* Supporting different key types to publish to AWS.
* Adding a git fetch before the merge in docs publishing.
* Using the safer _ce_provision_username var in AWS key role.
* Adding the --allow-unrelated-histories flag to git merge in CI.
* Commenting out some of the AWS ACL rulesets to leave them as examples.
* Trying to pull the docs branch to ensure it is up to date.
* Adding keyserver.ubuntu.com to the key servers we publish to by default in gpg_key.
--- .github/workflows/ce-provision-publish-docs.yml | 1 + roles/debian/gpg_key/defaults/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index 232a71d99..1c9653eee 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -58,6 +58,7 @@ jobs: # First build and publish the markdown docs - name: Build and commit table of contents and README files back to the repo run: | + /usr/bin/git pull origin docs-2.x /usr/bin/git fetch origin 2.x /usr/bin/git merge origin/${{ github.event.pull_request.base.ref }} --allow-unrelated-histories /bin/sh contribute/toc.sh diff --git a/roles/debian/gpg_key/defaults/main.yml b/roles/debian/gpg_key/defaults/main.yml index dccbcf101..cd3453d7a 100644 --- a/roles/debian/gpg_key/defaults/main.yml +++ b/roles/debian/gpg_key/defaults/main.yml @@ -1,5 +1,6 @@ --- gpg_key_servers: + - hkps://keyserver.ubuntu.com - hkps://pgp.mit.edu - hkps://keys.openpgp.org gpg_key: From fdf1e2260c2f356d3b837feb8692e236db523b60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com> Date: Wed, 15 Jan 2025 15:43:47 +0100 Subject: [PATCH 326/331] Updating-descriptions (#2237) * Updating-descriptions * Changing-Read-me --------- Co-authored-by: Matej Stajduhar --- docs/_Sidebar.md | 22 +++++----- docs/roles/_init.md | 2 +- roles/_init/README.md | 2 +- roles/_init/defaults/main.yml | 2 +- roles/aws/aws_acl/README.md | 77 ++++++++++++++++++++++++----------- 5 files changed, 68 insertions(+), 37 deletions(-) diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 540826797..f6637bbc3 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md 
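Review bot: in the PATCH 325 workflow hunk, `/usr/bin/git pull origin docs-2.x` hardcodes the docs branch while the merge two lines below uses `${{ github.event.pull_request.base.ref }}`; derive it from the same ref (`docs-${{ github.event.pull_request.base.ref }}`) so a PR against another base does not pull the wrong branch. `git pull` is a fetch plus merge, so the step now performs two merges in a row; if the checkout already has the docs branch at its remote tip the pull is a no-op and can go, otherwise a conflict here fails the step with nothing able to resolve it.

Review bot: in the gpg_key defaults hunk, `hkps://keyserver.ubuntu.com` is added ahead of `hkps://pgp.mit.edu`, which is frequently unreachable; if the publish task loops over `gpg_key_servers` and treats one failed upload as fatal, the ordering does not help, so check that the loop tolerates a single server being down (`failed_when` or `ignore_errors` per item). Worth a line in the role README as well: keyserver.ubuntu.com does not verify the email address on a key and never removes a key once published, whereas keys.openpgp.org only serves identity information it has verified, so publishing to the default list is irreversible.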
@@ -3,18 +3,11 @@ - [Install](install) - [Usage](scripts) - [Roles](roles) - - [Init role](/roles/_init) - - ["Meta" roles that group individual roles together.](/roles/_meta) - - [AWS account](/roles/_meta/aws_account) - - [AWS client](/roles/_meta/aws_client_instance) - - [AWS region](/roles/_meta/aws_region) - - [\_overrides.](/roles/_overrides) - [AWS Infrastructure](/roles/aws) - - [AWS Network Info](/roles/aws/_aws_network_info) - [AWS ACL](/roles/aws/aws_acl) - [AWS Certificate Manager](/roles/aws/aws_acm) - - [AWS AMI](/roles/aws/aws_ami) - [AWS AMI ASG Cleanup](/roles/aws/aws_ami_asg_cleanup) + - [AWS AMI](/roles/aws/aws_ami) - [AWS Backup](/roles/aws/aws_backup) - [AWS Backup Validation](/roles/aws/aws_backup_validation) - [AWS CloudFront distribution](/roles/aws/aws_cloudfront_distribution) @@ -27,6 +20,7 @@ - [AWS ElastiCache](/roles/aws/aws_elasticache) - [AWS IAM EC2](/roles/aws/aws_iam_role) - [AWS IAM SAML](/roles/aws/aws_iam_saml) + - [AWS Network Info](/roles/aws/_aws_network_info) - [AWS OpenSearch](/roles/aws/aws_opensearch) - [AWS key pair.](/roles/aws/aws_provision_ec2_keypair) - [AWS RDS](/roles/aws/aws_rds) @@ -40,8 +34,8 @@ - [VPC](/roles/aws/aws_vpc_subnet) - [Contributed roles](/roles/contrib) - [Debian Packages](/roles/debian) - - [Ansible](/roles/debian/ansible) - [Ansible Galaxy](/roles/debian/ansible_galaxy) + - [Ansible](/roles/debian/ansible) - [APACHE](/roles/debian/apache) - [Apparmor](/roles/debian/apparmor) - [Extra packages](/roles/debian/apt_extra_packages) 
@@ -81,10 +75,10 @@ - [PAM LinOTP](/roles/debian/pam_linotp) - [PHP terminal client](/roles/debian/php-cli) - [PHP common components](/roles/debian/php-common) - - [PHP-FPM](/roles/debian/php-fpm) - [PHP Composer](/roles/debian/php_composer) - - [PHP XDebug](/roles/debian/php_xdebug) + - [PHP-FPM](/roles/debian/php-fpm) - [phpMyAdmin](/roles/debian/phpmyadmin) + - [PHP XDebug](/roles/debian/php_xdebug) - [Postfix](/roles/debian/postfix) - [Process Manager](/roles/debian/process_manager) - [Python Boto](/roles/debian/python_boto) @@ -101,3 +95,9 @@ - [User Ansible](/roles/debian/user_ansible) - [varnish_config](/roles/debian/varnish_config) - [wazuh](/roles/debian/wazuh) + - [Init role](/roles/_init) + - ["Meta" roles that group individual roles together.](/roles/_meta) + - [AWS account](/roles/_meta/aws_account) + - [AWS client](/roles/_meta/aws_client_instance) + - [AWS region](/roles/_meta/aws_region) + - [\_overrides.](/roles/_overrides) diff --git a/docs/roles/_init.md b/docs/roles/_init.md index 7dd7ab3fb..d8183a4c6 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md @@ -22,7 +22,7 @@ _ce_ansible_timer_name: upgrade_ansible # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 -_aws_vpc_cidr_base: 10.0 +_aws_vpc_cidr_base: 10.0 # used to define internal IP range that is unique for every client # AWS tags _aws_resource_name: "" # Name diff --git a/roles/_init/README.md b/roles/_init/README.md index 7dd7ab3fb..d8183a4c6 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md 
@@ -22,7 +22,7 @@ _ce_ansible_timer_name: upgrade_ansible # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 -_aws_vpc_cidr_base: 10.0 +_aws_vpc_cidr_base: 10.0 # used to define internal IP range that is unique for every client # AWS tags _aws_resource_name: "" # Name diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index cfee2615b..017f953ff 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml @@ -12,7 +12,7 @@ _ce_ansible_timer_name: upgrade_ansible # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 -_aws_vpc_cidr_base: 10.0 +_aws_vpc_cidr_base: 10.0 # used to define internal IP range that is unique for every client # AWS tags _aws_resource_name: "" # Name diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index f802c46a2..3dbfc823e 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md 
@@ -1,6 +1,31 @@ # AWS ACL Creates an ACL to be attached to a CloudFront distribution or an Application Load Balancer (ALB). +## Default variables to create WAF +If the var is list type, it will go through the process of creating and assignng rules to WAF +aws_acl.yml needs to be located in global or regional vars + +If you don't need one of the rules on the WAF, we can just remove it from the "rules" + +Since IP set is a thing under WAF, we have option to create, update and use existing set: + +IP set with a list of IPs will be marked as a thing that needs to be created/updated + +If its defined only with rule_name, set_name, action and priority (leaving the list empty) it will just search existing set and assign it to WAF + +## Default variables to Assign WAF to CF/ALB +If the var is dict type, it will go through the process assignng WAF to CF/ALB +aws_acl.yml needs to be located in resource vars + +Make sure to use "us-east-1" for CLOUDFRONT scope +or define region where the ALB is located with REGIONAL scope +```yaml +--- +aws_acl: + name: "{{ _infra_name }}_main_acl" + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: "us-east-1" +``` 
@@ -19,28 +44,35 @@ aws_acl: rate_limit: value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking priority: 2 # can be float with 1 decimal place - ip_sets: - - rule_name: "Allowed-IPs-rule" - set_name: "Allowed-IPs-set" - description: "List of IPs to whitelist - Ansible managed" - action: allow - priority: 1 - list: - - 1.1.1.1/32 - - 2.2.2.2/32 - country_codes: - - name: "allowed-countries" - action: allow - priority: 0.2 - list: - - GB - - HR - - name: "blocked-countries" - action: block - priority: 8 - list: - - RU - - CN + ip_sets: [] +# Example IP set to allow a list of safe IPs +# - rule_name: "Allowed-IPs-rule" +# set_name: "Allowed-IPs-set" +# description: "List of IPs to safelist - Ansible managed" +# action: allow +# priority: 1 +# list: +# - 1.1.1.1/32 +# - 2.2.2.2/32 +# - 30.30.30.0/24 +# Example country code ruleset allowing one set of countries and blocking another +# country_codes: +# - name: "allowed-countries" +# action: allow +# priority: 0.2 +# list: +# - GB +# - HR +# - FR +# - ES +# - UY +# - JP +# - name: "blocked-countries" +# action: block +# priority: 8 +# list: +# - RU +# - CN regular_rules: - name: allow_panels action: allow @@ -100,5 +132,4 @@ aws_acl: priority: 13 ``` - From 02d550cde31eed2874fc44ffee6363ca59c61d1d Mon Sep 17 00:00:00 2001 
From: Greg Harvey
Date: Wed, 15 Jan 2025 19:30:33 +0100
Subject: [PATCH 327/331] Bug fixes 2.x pr 2.x (#2242)

* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Improving GitLab vars and adding force stop feature.
* Not installing aws_credentials in meta roles if AWS support disabled.
* Most people will not want pam_ldap or pam_linotp, should not be in meta.
* If you don't create LDAP SSL certs you might not have a /etc/ldap directory.
* Adding a merge of the main branch into the docs branch to CI.
* Adding comment to not use hyphens in boto profile names.
* Supporting different key types to publish to AWS.
* Adding a git fetch before the merge in docs publishing.
* Using the safer _ce_provision_username var in AWS key role.
* Adding the --allow-unrelated-histories flag to git merge in CI.
* Commenting out some of the AWS ACL rulesets to leave them as examples.
* Trying to pull the docs branch to ensure it is up to date.
* Adding keyserver.ubuntu.com to the key servers we publish to by default in gpg_key.
* CI updates and improving SOPS role.
* Swapping hard coded branch names for vars in CI.
--- .github/workflows/ce-provision-publish-docs.yml | 7 +++++-- roles/debian/sops/defaults/main.yml | 2 +- roles/debian/sops/tasks/main.yml | 1 + 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index 1c9653eee..b7532a67b 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -58,8 +58,11 @@ jobs: # First build and publish the markdown docs - name: Build and commit table of contents and README files back to the repo run: | - /usr/bin/git pull origin docs-2.x - /usr/bin/git fetch origin 2.x + /usr/bin/git pull origin docs-${{ github.event.pull_request.base.ref }} + /usr/bin/git fetch origin ${{ github.event.pull_request.base.ref }} + /usr/bin/git checkout -b ${{ github.event.pull_request.base.ref }} + /usr/bin/git pull origin ${{ github.event.pull_request.base.ref }} + /usr/bin/git checkout docs-${{ github.event.pull_request.base.ref }} /usr/bin/git merge origin/${{ github.event.pull_request.base.ref }} --allow-unrelated-histories /bin/sh contribute/toc.sh /usr/bin/find . -name "*.md" | xargs git add diff --git a/roles/debian/sops/defaults/main.yml b/roles/debian/sops/defaults/main.yml index 969712ff6..ea24d0ff6 100644 --- a/roles/debian/sops/defaults/main.yml +++ b/roles/debian/sops/defaults/main.yml @@ -1,3 +1,3 @@ --- sops: - version: 3.7.3 # see https://github.com/mozilla/sops/releases + version: 3.9.3 # see https://github.com/mozilla/sops/releases diff --git a/roles/debian/sops/tasks/main.yml b/roles/debian/sops/tasks/main.yml index f290d2746..a1de2f71b 100644 --- a/roles/debian/sops/tasks/main.yml +++ b/roles/debian/sops/tasks/main.yml @@ -3,3 +3,4 @@ ansible.builtin.apt: deb: "https://github.com/mozilla/sops/releases/download/v{{ sops.version }}/sops_{{ sops.version }}_amd64.deb" state: present + force: true # avoids errors if newer version installed 
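Review bot: in the workflow hunk, the `git checkout -b ${{ github.event.pull_request.base.ref }}` line creates a local branch that nothing afterwards uses: the final merge still merges `origin/<base>`, which the preceding `git fetch` has already updated, so the `checkout -b`, the `pull` on that branch and the `checkout docs-...` back can all be dropped. As written the step also fails on a runner where the base branch already exists locally, because `checkout -b` refuses to overwrite it, and the branch name is still expanded straight into the shell; pass it through `env:` and reference `"$BASE_REF"`.

Review bot: in the sops defaults hunk, the bump to 3.9.3 keeps the download URL under `github.com/mozilla/sops`; the project moved to `github.com/getsops/sops` and releases from 3.8.0 onward are published there, so the old path only works through GitHub's repository redirect. The `deb:` download in the task also has no integrity check; fetch the package with `ansible.builtin.get_url` and a `checksum:` taken from the release's published checksums file, then install the local path with `apt`.

Review bot: in the sops tasks hunk, `force: true` on `ansible.builtin.apt` is the wrong knob for "avoids errors if newer version installed": it maps to `apt-get --force-yes` and implies `allow_unauthenticated: true` and `allow_downgrade: true`, so it also turns off package signature checking for the transaction. If the intent is to let the role downgrade to the pinned version, use `allow_downgrade: true` on its own; if the intent is only to tolerate a newer installed version, skip the task when the installed version is greater instead of downgrading it.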
From 9ef531249a0c8c778d943f11b7b2ade6ffa53728 Mon Sep 17 00:00:00 2001 
From: Greg Harvey
Date: Wed, 15 Jan 2025 19:40:46 +0100
Subject: [PATCH 328/331] Bug fixes 2.x pr 2.x (#2244)

* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. * More verbosity. * Checking for missing requirements file. * Removing eroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. 
* Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostGreSQL logs to see if there are errors. * Outputting PostGreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Improving GitLab vars and adding force stop feature. * Not installed aws_credentials in meta roles if AWS support disabled. * Most people will not want pam_ldap or pam_linotp, should not be in meta. * If you don't create LDAP SSL certs you might not have a /etc/ldap directory. * Adding a merge of the main branch into the docs branch to CI. * Adding comment to not use hyphens in boto profile names. * Supporting different key types to publish to AWS. * Adding a git fetch before the merge in docs publishing. * Using the safer _ce_provision_username var in AWS key role. * Adding the --allow-unrelated-histories flag to git merge in CI. * Commenting out some of the AWS ACL rulesets to leave them as examples. * Trying to pull the docs branch to ensure it is up to date. * Adding keyserver.ubuntu.com to the key servers we publish to by default in gpg_key. * CI updates and improving SOPS role. * Swapping hard coded branch names for vars in CI. * Giving up on merging 2.x - will have to try another approach. 
--- .github/workflows/ce-provision-publish-docs.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index b7532a67b..b87f9afe5 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -58,12 +58,6 @@ jobs: # First build and publish the markdown docs - name: Build and commit table of contents and README files back to the repo run: | - /usr/bin/git pull origin docs-${{ github.event.pull_request.base.ref }} - /usr/bin/git fetch origin ${{ github.event.pull_request.base.ref }} - /usr/bin/git checkout -b ${{ github.event.pull_request.base.ref }} - /usr/bin/git pull origin ${{ github.event.pull_request.base.ref }} - /usr/bin/git checkout docs-${{ github.event.pull_request.base.ref }} - /usr/bin/git merge origin/${{ github.event.pull_request.base.ref }} --allow-unrelated-histories /bin/sh contribute/toc.sh /usr/bin/find . -name "*.md" | xargs git add /usr/bin/git diff --staged --quiet || /usr/bin/git commit -am "GitHub Actions - updating markdown docs - ${{ github.event.repository.updated_at }}" From 344d9a38469b70fa2e70525dbfde9292677aebbf Mon Sep 17 00:00:00 2001 
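Review bot: removing the six git pull/fetch/checkout/merge lines means this step no longer brings the docs branch up to date with `${{ github.event.pull_request.base.ref }}` before `/bin/sh contribute/toc.sh` runs, so the table of contents and README files it regenerates and commits reflect only what the docs branch already holds; if that is the intended interim state (the commit message says the merge approach is being abandoned), add a comment above the step saying so, so the docs-drift risk is visible to the next person. On the lines that remain, `/usr/bin/find . -name "*.md" | xargs git add` breaks on any path containing whitespace, so prefer `/usr/bin/find . -name "*.md" -print0 | xargs -0 git add`. One welcome side effect worth recording in the PR description: the removed lines were the only places a branch name from the event payload was expanded straight into the `run:` script, which is the pattern GitHub's Actions hardening guidance flags for script injection; the remaining `${{ github.event.repository.updated_at }}` in the commit message is a timestamp and is fine to keep.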
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 15 Jan 2025 19:47:31 +0100
Subject: [PATCH 329/331] Documentation update - 2.x (#2245)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. 
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. 
* Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." 
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation.
(#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. 
* Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. 
* Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. 
(#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again… * Publish docs pr devel 2.x (#2165) * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4
---------
Co-authored-by: Matej Stajduhar
* Remvoing-scp-extra-args-temporary (#1761)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1765)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local 
backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. 
* Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-coma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Upda… * Publish docs pr devel 2.x (#2167) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. 
* Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. 
* Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. 
* _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. 
* Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. 
* Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791)
* r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. 
* Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. 
* Fixing role dependency in NGINX role. * r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2… * Publish docs pr devel 2.x (#2169) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * 
Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. 
* Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. 
* Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest Ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
---------
Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com>
Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com>
Co-authored-by: Matej Stajduhar
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Co-authored-by: Klaus Purer
Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com>
Co-authored-by: filip
* Publish docs pr devel 2.x (#2170)
* enable mattermost systemd unit (#1810)
* nginx include for mattermost (#1812)
* nginx include for mattermost
* add mattermost project type
* ssl on handled by nginx role (#1814)
* fix mattermost nginx include (#1822)
* remove unsupported nginx option (#1824)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Making the publish docs CI work with 1.x and 2.x.
---------
Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com>
Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com>
Co-authored-by: Matej Stajduhar
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
Co-authored-by: Klaus Purer
Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com>
Co-authored-by: filip
* Publish docs pr devel 2.x (#2172)
* Restore testing update pr 2.x (#1832)
* Restore-testing-update
* Restore-testing-update-2
---------
Co-authored-by: Matej Stajduhar
* Resolving conflicts pr 2.x (#1834)
* Fixing-conflicts-and-updating-docs
* Fixed-conflicts
* Fixed-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* initial commit - mattermost local backups (#1838)
* r69995-Updating-vhost-for-LE-validation (#1843)
Co-authored-by: Matej Stajduhar
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Rem…
* Publish docs pr devel 2.x (#2173)
* Changing priority flexibility pr 2.x (#1841)
* Changing-priority-flexibility
* Changing-priority-flexibility-2
* Adding-aws-acl-to-meta
* Adding-cast-to-int-for-priority
---------
Co-authored-by: Matej Stajduhar
* Aws acl role changes for ip set pr 2.x (#1848)
* aws_acl-role-changes-for-ip-set
* aws_acl-role-changes-for-ip-set-docs-update
---------
Co-authored-by: Matej Stajduhar
* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)
* fix_opensearch_vars (#1852)
* wait_timeout_for_opensearch_domain_creation (#1854)
* wait_timeout_for_opensearch_domain_creation
* remove trailing space
* Updating-aws-acl-task (#1856)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1859)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Bug fixes 2.x pr 2.x (#1860)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Small-changes-on-aws-acl-and-RDS-validation (#1863)
Co-authored-by: Matej Stajduhar
* Updating-user-ansible-vars (#1864)
* Updating user ansible vars pr 2.x (#1867)
* Updating-user-ansible-vars
* Fixing-syntax
* add_vars_to_user_deploy_user_provision (#1869)
* Disabling-general-log-mariadb (#1871)
* Updating-aws_acl-role (#1873)
Co-authored-by: Matej Stajduhar
* r70260-rkhunter-whitelist (#1877)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)
* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish
* Fix variable naming and comment
* Implement keep_default_vhost setting
* Wazuh-var-update (#1903)
* Wazuh-agent-vars-more-readable (#1905)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-policies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-value
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-policies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * … * Publish docs pr devel 2.x (#2175) * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. 
* Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. 
* Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Bug fixes 2.x pr 2.x (#1860) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. 
* Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. 
* Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-plicies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-valkue * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt 
bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles.
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. 
* … * Publish docs pr devel 2.x (#2176) * Small-changes-on-aws-acl-and-RDS-validation (#1863) Co-authored-by: Matej Stajduhar * Updating-user-ansible-vars (#1864) * Updating user ansible vars pr 2.x (#1867) * Updating-user-ansible-vars * Fixing-syntax * add_vars_to_user_deploy_user_provision (#1869) * Disabling-general-log-mariadb (#1871) * Updating-aws_acl-role (#1873) Co-authored-by: Matej Stajduhar * r70260-rkhunter-whitelist (#1877) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update
--------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs.
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed.
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles.
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aw… * Publish docs pr devel 2.x (#2178) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750) * fix(nginx): Remove default nginx dummy vhost that could clash with Varnish * Fix variable naming and comment * Implement keep_default_vhost setting * Wazuh-var-update (#1903) * Wazuh-agent-vars-more-readable (#1905) * Filebeat-restart-task-wazuh (#1907) * Filebeat restart task wazuh pr 2.x (#1909) * Filebeat-restart-task-wazuh * Fixing-wazuh-filebeat-restart * Adding-gawk-to-extra-packages (#1910) * Updating-filebeat-restart-task (#1913) * Adding motd to exit role pr 2.x (#1915) * Fixing-backup-validation-role-policies * Adding-parts-for-VPC-and-SG * Adding-region-to-vpc-and-subnet-tasks * Adding-region-to-vpc-and-subnet-tasks-2 * Updating-vars-for-vpc-and-subnet * Updating-vars-for-vpc-and-subnet-2 * Updating-vars-for-vpc-and-subnet-3 * Adding-json-file-for-restore-testing * Changing-user-where-json-file-is-generated * Updating-json-file-location * Updating-path-to-j2-file * Changing-force-value * Testing-file-creation * Testing-file-creation-via-command-task * Adding-motd-to-exit-role * Commenting-out-task-that-will-fail * Fixing-pipefail * Fixing-syntax-issue --------- Co-authored-by: Matej Stajduhar * Fixing-motd-task (#1917) * Motd-switch-egrep-with-awk (#1919) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-policies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * 
Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. 
* Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. 
* r70597 new system role for ipv6 disablement (#1954) * r70597 new system role for ipv6 disablement * fix linting problem * add readme for system role * Fixing-json-file-for-restore-testing (#1956) Co-authored-by: Matej Stajduhar * Fixing json file for restore testing pr 2.x (#1957) * Fixing-json-file-for-restore-testing * Missing-comma-in-json --------- Co-authored-by: Matej Stajduhar * updating asg role to support custom rule on http and https (#1959) Co-authored-by: filip * Bug fixes 2.x pr 2.x (#1962) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Bug fixes 2.x pr 2.x (#1966) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. 
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
…
* Publish docs pr devel 2.x (#2180)
* Filebeat-restart-task-wazuh (#1907)
* Filebeat restart task wazuh pr 2.x (#1909)
* Filebeat-restart-task-wazuh
* Fixing-wazuh-filebeat-restart
* Adding-gawk-to-extra-packages (#1910)
* Updating-filebeat-restart-task (#1913)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * 
Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x 
(#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) 
* Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. 
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. 
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) 
* Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) 
* Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) 
* Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) 
* Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASG's own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Missed a couple of variables to update. * Cert management pr 1.x (#644) * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) 
* Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment f…
* Publish docs pr devel 2.x (#2182)
* Adding motd to exit role pr 2.x (#1915)
* Fixing-backup-validation-role-plicies
* Adding-parts-for-VPC-and-SG
* Adding-region-to-vpc-and-subnet-tasks
* Adding-region-to-vpc-and-subnet-tasks-2
* Updating-vars-for-vpc-and-subnet
* Updating-vars-for-vpc-and-subnet-2
* Updating-vars-for-vpc-and-subnet-3
* Adding-json-file-for-restore-testing
* Changing-user-where-json-file-is-generated
* Updating-json-file-location
* Updating-path-to-j2-file
* Changing-force-valkue
* Testing-file-creation
* Testing-file-creation-via-command-task
* Adding-motd-to-exit-role
* Commenting-out-task-that-will-fail
* Fixing-pipefail
* Fixing-syntax-issue
---------
Co-authored-by: Matej Stajduhar
* Fixing-motd-task (#1917)
* Motd-switch-egrep-with-awk (#1919)
* Motd-task-update (#1922)
* Motd-task-update
* Restoring-deleted-task
* Fixing motd task when running on localhost pr 2.x (#1924)
* Fixing-backup-validation-role-plicies
* Fixing-motd-task-when-running-on-localhost
* Updating-when-statement
* Adding-become-true-on-motd-update
---------
Co-authored-by: Matej Stajduhar
* Apt bug workaround pr 2.x (#1935)
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* apt_bug_workaround
* fix_var_logic
* Pushing-aws-backup-validation-role (#1944)
* Pushing-aws-backup-validation-role
* Fixing-linting
---------
Co-authored-by: Matej Stajduhar
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed.
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles.
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. 
… * Publish docs pr devel 2.x (#2183) * Motd-task-update (#1922) * Motd-task-update * Restoring-deleted-task * Fixing motd task when running on localhost pr 2.x (#1924) * Fixing-backup-validation-role-plicies * Fixing-motd-task-when-running-on-localhost * Updating-when-statement * Adding-become-true-on-motd-update --------- Co-authored-by: Matej Stajduhar * Apt bug workaround pr 2.x (#1935) * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * apt_bug_workaround * fix_var_logic * Pushing-aws-backup-validation-role (#1944) * Pushing-aws-backup-validation-role * Fixing-linting --------- Co-authored-by: Matej Stajduhar * fix(redis): Convert maxmemory setting to int before comparing (#1897) * Reverting-nginx-username (#1945) * Reverting nginx username pr 2.x (#1947) * Reverting-nginx-username * Minor-fix-nginx-username * Updating-nginx-vars (#1950) * Bug fixes 2.x pr 2.x (#1952) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. 
* No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. 
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role
---------
Co-authored-by: filip
* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attempt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring…
* Publish docs pr devel 2.x (#2185)
* fix(redis): Convert maxmemory setting to int before comparing (#1897)
* Reverting-nginx-username (#1945)
* Reverting nginx username pr 2.x (#1947)
* Reverting-nginx-username
* Minor-fix-nginx-username
* Updating-nginx-vars (#1950)
* Bug fixes 2.x pr 2.x (#1952)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)
Co-authored-by: Matej Stajduhar
* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-comma-in-json
---------
Co-authored-by: Matej Stajduhar
* updating asg role to support custom rule on http and https (#1959)
Co-authored-by: filip
* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * r70596 create swap directory (#1968) * r70596 create swap directory * remove stat check * 70325 adding asg redirect pr 2.x (#1963) * updating asg role to support custom rule on http and https * updating readme properly * updating docs for the asg role --------- Co-authored-by: filip * swapfile path and clamav exclusion (#1970) * Galaxy role pr 2.x (#1974) * Deleting obsolete Debian 10 requirements files. * Adding first pass at generic and reusable Ansible Galaxy role. * Docs update. * Updating README files. 
* Updating ce_provision and ce_deploy to use ansible_galaxy role. * Ansible Galaxy docs enhancement. * Cannot use _ansible in variable names, reserved. * Removing blocks for Galaxy installation, not needed. * Variables passed to Galaxy role were wrong. * Bug fixes 2.x pr 2.x (#1975) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Bug fixes 2.x pr 2.x (#1978) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Bug fixes 2.x pr 2.x (#1980) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. 
* Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. 
* Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed.
* Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles.
* More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI

* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)

This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.

* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)

Co-authored-by: Code Enigma CI

* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."

This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.

* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."

This reverts commit 13ee8df42b80b102e9e19a0140…

* Publish docs pr devel 2.x (#2188)
* r70597 new system role for ipv6 disablement (#1954)
* r70597 new system role for ipv6 disablement
* fix linting problem
* add readme for system role
* Fixing-json-file-for-restore-testing (#1956)

Co-authored-by: Matej Stajduhar

* Fixing json file for restore testing pr 2.x (#1957)
* Fixing-json-file-for-restore-testing
* Missing-coma-in-json

---------

Co-authored-by: Matej Stajduhar

* updating asg role to support custom rule on http and https (#1959)

Co-authored-by: filip

* Bug fixes 2.x pr 2.x (#1962)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Bug fixes 2.x pr 2.x (#1966)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* r70596 create swap directory (#1968)
* r70596 create swap directory
* remove stat check
* 70325 adding asg redirect pr 2.x (#1963)
* updating asg role to support custom rule on http and https
* updating readme properly
* updating docs for the asg role

---------

Co-authored-by: filip

* swapfile path and clamav exclusion (#1970)
* Galaxy role pr 2.x (#1974)
* Deleting obsolete Debian 10 requirements files.
* Adding first pass at generic and reusable Ansible Galaxy role.
* Docs update.
* Updating README files.
* Updating ce_provision and ce_deploy to use ansible_galaxy role.
* Ansible Galaxy docs enhancement.
* Cannot use _ansible in variable names, reserved.
* Removing blocks for Galaxy installation, not needed.
* Variables passed to Galaxy role were wrong.
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via …
* Publish docs pr devel 2.x (#2192)
* Bug fixes 2.x pr 2.x (#1975)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Bug fixes 2.x pr 2.x (#1978)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Bug fixes 2.x pr 2.x (#1980)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating defaults pr 2.x (#1982)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
---------
Co-authored-by: Matej Stajduhar
* Updating defaults pr 2.x (#1984)
* Updated-defaults-for-aws_acl-role
* Removing-Identity-search
* Removing-undefined-variable
---------
Co-authored-by: Matej Stajduhar
* Removing-gawk-apt (#1985)
* Adding-gawk-removing-gawk-csh (#1987)
* Adding-when-statement-for-assigning-instance (#1990)
* Adding-when-statement-for-assigning-instance
* Adding-check-prior-to-assigning-resources
* Adding-check-prior-to-assigning-resources
* Adding-region-to-aws-cli-command
* Print-protected-resource
* Adding-resource-type-definition
* Resolved-conflicts
* Removing-empty-line
* Disabling-assigning-instance-to-restore-testing-plan
---------
Co-authored-by: Matej Stajduhar
* Matching-2.x-and-devel-branches (#1999)
Co-authored-by: Matej Stajduhar
* Adding-aws-ses-role (#2003)
* Adding-aws-ses-role
* Removing-python-script
* Changing-domain-name
* Using-variable-for-domain-name
---------
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2015)
Co-authored-by: Matej Stajduhar
* Resolving-conflicts (#2018)
Co-authored-by: Matej Stajduhar
* Updating nginx ssl le roles pr 2.x (#2021)
* Updating-nginx-SSL-LE-roles
* Updating-nginx-vars
* r70260 Option to ignore false-positive shared memory segment warnings (#2023)
* Adding-wazuh-ossec-from-enigma00a (#2027)
* Updating-gitlab-runner-env (#2031)
* r70987-decom-vpn-guest (#2034)
* r70797 nodhcp module in system role for hetzner cloud systems (#2036)
* r70797 nodhcp module in system role for hetzner cloud systems
* fix syntax
* r70797 set pipefail to resolve linting failure
* fix pipefail with bash (#2038)
* fix var in templ (#2040)
* R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042)
* r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains
* Changing-LE-cron
* Changing-script-from-sh-to-bash
---------
Co-authored-by: Matej Stajduhar
* Updating-local-ossec-rules (#2045)
* Updating-local-ossec-rules
* Fixing-syntax
* Updating-wazuh-vars (#2048)
* Updating-wazuh-vars
* Changing-var-defaults
* Removing-wrong-variables
* r70260-rkhunter-tested-good-tweaks (#2051)
* Fixing-LE-renew-timer (#2052)
Co-authored-by: Matej Stajduhar
* R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055)
* r70260-rkhunter-tweak-portpathwhitelist TEST
* sanitise portpath items
* Updating-system-role-condition (#2056)
* Updating system role condition pr 2.x (#2059)
* Updating-system-role-condition
* Updating-system-role-condition-v2
* r71121-tweak-nohetznerdhcp-condition (#2061)
* Changing-aws-acl-when-statement (#2063)
Co-authored-by: Matej Stajduhar
* R71127 r71052 check pr 2.x (#2073)
* r71127-r71052-attemt-to-workaround-elb-module-change-or-bug
* debug alb issue
* revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376
* Newer aws collection test pr 2.x (#2077)
* newer_aws_collection_test
* 8.2.1 didn't work, back to 8.0.1
* r71171-efs-client-upgrade (#2079)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handilng and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs it's own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-… * Documentation update - devel-2.x (#2194) * Fixing wazuh pr 2.x (#1447) * Fixing-wazuh * Fixing-wazuh * Fixing wazuh pr 2.x (#1449) * Fixing-wazuh * Fixing-wazuh * Adding-ansible-builtin-modules * Adding-debug * Fixing-vars * Adding clamdscan package to clamav role. (#1452) * Bug fixes 2.x pr 2.x (#1454) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. 
* Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Fixing-wazuh-vars (#1456) * Fixing wazuh vars pr 2.x (#1460) * Fixing-wazuh-vars * Fixing-linting * Updating-sury-keys (#1463) * Replace ssl certs pr 2.x (#1467) * Documentation updates. * Tidying SSL role and allowing option to replace a cert. * Bug fixes 2.x pr 2.x (#1469) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Fixing-wazuh-variables (#1473) * Adding-wazuh-path-defaults (#1480) * Adding-wazuh-path-defaults * Changing-wazuh-path-location * Updating wazuh path2x pr 2.x (#1482) * Updating-wazuh-path2x * Updating-all-roles-path * Making Varnish template handling more flexible. (#1485) * Making Varnish template handling more flexible. * Adding empty line. * Varnish config pr 2.x (#1491) * Making Varnish template handling more flexible. * Adding empty line. * Minor template changes. * Tls for postfix pr 2.x (#1493) * Some Apache docs updates. * Sorting TLS for SMTP in Postfix config. * Left bad domain in example cert paths. 
* Setting-port-change-option-for-nginx (#1487) * Setting-port-change-option-for-nginx * Update main.yml * Update nginx.conf.j2 --------- Co-authored-by: Matej Stajduhar * Tls for postfix pr 2.x (#1498) * Some Apache docs updates. * Sorting TLS for SMTP in Postfix config. * Left bad domain in example cert paths. * Typo in template var names. * Changing-LE-default-vhost (#1500) * Handling allowing client config template for ovpn to have an FQDN. (#1502) * Openvpn client fqdn pr 2.x (#1504) * Supporting a fixed PHP version with a fixed port number. * Accidentally re-added the old VPN role - re-deleting! * Handling allowing client config template for ovpn to have an FQDN. * Let's not assume port 1194 for ovpn. * Openvpn client fqdn pr 2.x (#1506) * Supporting a fixed PHP version with a fixed port number. * Accidentally re-added the old VPN role - re-deleting! * Handling allowing client config template for ovpn to have an FQDN. * Let's not assume port 1194 for ovpn. * Tweaking FQDN handling in ovpn. * Adding volume handling options for Packer. (#1508) * Packer volume handling pr 2.x (#1510) * Adding volume handling options for Packer. * Missed a comma in the template, plus adding docs. * Updating-ssl-vars (#1512) * Updating-ssl-vars * Building-docs * Fixing-ldap-role-ssl-task (#1514) * r68725-Updating-ACL-role-to-include-ALB-2x (#1518) Co-authored-by: Matej Stajduhar * Changing import_role to include_vars for vars only Wazuh roles. (#1524) * Wazuh fixes pr 2.x (#1526) * Changing import_role to include_vars for vars only Wazuh roles. * We cannot use the _domain_name var in this context. * Adding cipher to client template and fixing default push route.
(#1528) * Switching key server pr 2.x (#1531) * Switching-key-server * Switching-key-server-mysql * Fixing-empty-line * Fixing-mysql-role (#1534) * Fixing-mysql-role * Fixing-linting * Fixing-broken-mysql-role (#1536) * R68801 gzip nginx cloudfront pr 2.x (#1544) * r68801-r67628-gzip-nginx-cloudfront * r68801-r67628-gzip-nginx-cloudfront * remove test tasks * remove test tasks * remove test tasks * Making Duplicity use venvs. (#1547) * Making Duplicity use venvs. * Installing venvs as the correct user. * Setting Duplicity user back to root and installing 'fasteners' in the venv. * Duplicity --s3-european-buckets option deprecated. * Ansible in init pr 2.x (#1554) * Adding new Python pip package role. * Updating NGINX and Boto3 roles to use the new Python pip role. * Moving Ansible install to _init. * Detecting connection type before installing Ansible. * The _init role should not generate SSH keys and ce_provision should optionally install a new user. * Updating documentation. * Switching to using the user_provision role for controller user in _init. * Allowing for ce_provision to install Ansible in another location. * Passing vars to the core Ansible install. * We will need linters if the system didn't install them. * Duplicity role doesn't need to ensure permissions, it's done in python_pip_packages already. * Allowing ce-provision to set a different UID from the system user. * Mailpit role pr 2.x (#1522) * Stopping NGINX dropping a proxy vhost for LE if we have a services[] list. * Adding the new Mailpit role. * Updating docs. * Variable name typo. * Adding a mailpit_open firewall rule to make life easier in containers. * Final pass of Mailpit role, now works straight away in containers. * Acm san cert replacement pr 2.x (#1561) * Minor docs update for ASG role. * Adding logic to check if extra domains are in our SAN certificate already. * Fixing SAN cert list creation. * Simplifying SAN look-up, sticking to selected certificate.
* Ensure we have a SAN domains list before trying to loop over it. * Moving post-create ACM actions to a block. * Adding variable to store obsolete ARN in, could be useful. * Fixing bug with ACM certificate lookup, using ARN instead of domain to avoid multiple responses. * Making Bookworm the default base distro. (#1565) * Making Bookworm the default base distro. * Updating default volume type for EC2 instances to gp3. * Allow the setting of base AMI filter for Packer in ASG role. * Updating ASG docs. * Nginx domain handling pr 2.x (#1568) * Moving SSL handling to a separate tasks file. * Making more NGINX settings available for modification. * Allowing more variables to be set for PHP-FPM and the cli. * Adding template line-break for NGINX _common config for style. * Fixing timer backup job for LDAP servers. (#1574) * Ldap server schedule fixes pr 2.x (#1578) * Fixing timer backup job for LDAP servers. * Setting path to LDAP server backup log. * Adding-ami-cleanup-role (#1580) Co-authored-by: Matej Stajduhar * Adding ami cleanup role 2.x pr 2.x (#1582) * Adding-ami-cleanup-role * adding-domain-name-in-scheduler-to-differ-if-multiple-ASGs-are-in-same-region --------- Co-authored-by: Matej Stajduhar * r68801-improve-caching-behavior-and-some-nginx-fixes (#1572) * r68801-improve-caching-behavior-and-some-nginx-fixes * r68801-improve-caching-behavior-and-some-nginx-fixes * add_header to variable * add_header to variable * remove extra ; * MOAR blocks * moving-assume-role-to-files-folder (#1588) * moving-assume-role-to-files-folder * Changing-lookup-function * Changing-lookup-function-2 --------- Co-authored-by: Matej Stajduhar * Adding-retry-and-delay-on-lambda-creation-due-to-IAM-role-creation (#1593) Co-authored-by: Matej Stajduhar * Adding-wait-task-prior-to-lambda-creation (#1595) Co-authored-by: Matej Stajduhar * nginx-config-backup-and-cleanup-vhosts-on-rebuild (#1590) * nginx-config-backup-and-cleanup-vhosts-on-rebuild * change module from command to unarchive * change module from command to unarchive * Adding-CF-S3-logging (#1596) Co-authored-by: Matej Stajduhar * php clear_env config option (#1599) * move ssl to domain.yml to fix the loop; remove checking for existing vhost as the LE proxy handling may not be there if SSL was not configured before, and the vhost will not be there as we are recreating them by default (#1601) * Allowing multiple clamscan wrapper scripts and timers per server. (#1538) * Allowing multiple clamscan wrapper scripts and timers per server. * Updating docs! * Giving the timer a consistent name. * r69219-Updating-Scheduler-json-target (#1603) Co-authored-by: Matej Stajduhar * R68069 alb healthchecks and nginx pr 2.x (#1609) * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-nice-indentation * R69332 le cron mail alerts pr 2.x (#1605) * r69332-le-cron-mail-alerts * Changing-recipient-to-var * Changing-recipient-to-var-2 * Fixing-email-var * Fixing-email-var-2 * Aws acl defaults pr 2.x (#1614) * Fixing AWS ACL role defaults. * Docs update. * Punctuation fix! * Small-changes-to-roles (#1617) Co-authored-by: Matej Stajduhar * Updating-aws-acl-role (#1626) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1620) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Apt repo role pr 2.x (#1631) * First pass at APT repo role. * Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. 
* required_parameter_for_gp3_storage_type_tidying_up_and_refactoring (#1641) * required_parameter_for_gp3_storage_type_tidying_up_and_refactoring * fix vars * fixing more vars * fixing more vars * fixing loop in template * fixing_rds_vars (#1652) * Fixing-aws-acl-condition (#1654) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1661) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key.
* Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. * Adding missing repo format var to all APT repo handling. * Updating docs. * Bug fixes 2.x pr 2.x (#1662) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* fix(scripts): Fix git checkout to fetch any new branches (#1655) * Apt repo role pr 2.x (#1666) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. 
* Adding missing repo format var to all APT repo handling. * Updating docs. * Fixing bug where list is passed instead of dict for systemd timer. * Bug fixes 2.x pr 2.x (#1667) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Bug fixes 2.x pr 2.x (#1670) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. 
* Updating-waf-acl-role (#1672) Co-authored-by: Matej Stajduhar * Setting up proxy vhost pr 2.x (#1674) * Setting-up-proxy-vhost * Setting-up-proxy-vhost-2 * Fixing-typo (#1676) * New-version-of-aws-acl-role (#1683) * New-version-of-aws-acl-role * Fixing-jinja-linting --------- Co-authored-by: Matej Stajduhar * Updating-nginx-template (#1688) * Updating-aws_backup-to-register-iam-arn-2 (#1696) Co-authored-by: Matej Stajduhar * Updating-nginx-htpasswd-task-2 (#1698) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1702) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * r69424-Adding-resource-group-task (#1706) Co-authored-by: Matej Stajduhar * Adding lock file behaviour to ce-provision. (#1708) * Adding lock file behaviour to ce-provision. * Updating documentation. * Adding extra lock file handling for ASG EC2 machines. * Moving lock file paths to variables. * Adding docs about connection management. * Fixing placement of lock files on ASGs. * Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone). * Adding in a lock file removal if we do not replace the ASG. * Bug fixes 2.x pr 2.x (#1715) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. 
* Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Bug fixes 2.x pr 2.x (#1717) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. 
* No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Creating a ce-provision installer script. (#1724) * Installer pr 2.x (#1726) * Creating a ce-provision installer script. * Updating installation docs. * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. 
* Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. 
* Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. 
* Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. 
* Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. 
* Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_ro…
* Documentation update - devel-2.x (#2199)
* Fixing wazuh pr 2.x (#1447)
* Fixing-wazuh
* Fixing-wazuh
* Fixing wazuh pr 2.x (#1449)
* Fixing-wazuh
* Fixing-wazuh
* Adding-ansible-builtin-modules
* Adding-debug
* Fixing-vars
* Adding clamdscan package to clamav role. (#1452)
* Bug fixes 2.x pr 2.x (#1454)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Fixing-wazuh-vars (#1456)
* Fixing wazuh vars pr 2.x (#1460)
* Fixing-wazuh-vars
* Fixing-linting
* Updating-sury-keys (#1463)
* Replace ssl certs pr 2.x (#1467)
* Documentation updates.
* Tidying SSL role and allowing option to replace a cert.
* Bug fixes 2.x pr 2.x (#1469)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Fixing-wazuh-variables (#1473)
* Adding-wazuh-path-defaults (#1480)
* Adding-wazuh-path-defaults
* Changing-wazuh-path-location
* Updating wazuh path2x pr 2.x (#1482)
* Updating-wazuh-path2x
* Updating-all-roles-path
* Making Varnish template handling more flexible. (#1485)
* Making Varnish template handling more flexible.
* Adding empty line.
* Varnish config pr 2.x (#1491)
* Making Varnish template handling more flexible.
* Adding empty line.
* Minor template changes.
* Tls for postfix pr 2.x (#1493)
* Some Apache docs updates.
* Sorting TLS for SMTP in Postfix config.
* Left bad domain in example cert paths.
* Setting-port-change-option-for-nginx (#1487)
* Setting-port-change-option-for-nginx
* Update main.yml
* Update nginx.conf.j2
---------
Co-authored-by: Matej Stajduhar
* Tls for postfix pr 2.x (#1498)
* Some Apache docs updates.
* Sorting TLS for SMTP in Postfix config.
* Left bad domain in example cert paths.
* Typo in template var names.
* Changing-LE-default-vhost (#1500)
* Handling allowing client config template for ovpn to have an FQDN. (#1502)
* Openvpn client fqdn pr 2.x (#1504)
* Supporting a fixed PHP version with a fixed port number.
* Accidentally re-added the old VPN role - re-deleting!
* Handling allowing client config template for ovpn to have an FQDN.
* Let's not assume port 1194 for ovpn.
* Openvpn client fqdn pr 2.x (#1506)
* Supporting a fixed PHP version with a fixed port number.
* Accidentally re-added the old VPN role - re-deleting!
* Handling allowing client config template for ovpn to have an FQDN.
* Let's not assume port 1194 for ovpn.
* Tweaking FQDN handling in ovpn.
* Adding volume handling options for Packer. (#1508)
* Packer volume handling pr 2.x (#1510)
* Adding volume handling options for Packer.
* Missed a comma in the template, plus adding docs.
* Upading-ssl-vars (#1512)
* Upading-ssl-vars
* Building-docs
* Fixing-ldap-role-ssl-task (#1514)
* r68725-Updating-ACL-role-to-include-ALB-2x (#1518)
Co-authored-by: Matej Stajduhar
* Changing import_role to include_vars for vars only Wazuh roles. (#1524)
* Wazuh fixes pr 2.x (#1526)
* Changing import_role to include_vars for vars only Wazuh roles.
* We cannot use the _domain_name var in this context.
* Adding cipher to client template and fixing default push route. (#1528)
* Switching key server pr 2.x (#1531)
* Switching-key-server
* Switching-key-server-mysql
* Fixing-empty-line
* Fixing-mysql-role (#1534)
* Fixing-mysql-role
* Fixing-linting
* Fixing-broken-mysql-role (#1536)
* R68801 gzip nginx cloudfront pr 2.x (#1544)
* r68801-r67628-gzip-nginx-cloudfront
* r68801-r67628-gzip-nginx-cloudfront
* remove test tasks
* remove test tasks
* remove test tasks
* Making Duplicity use venvs. (#1547)
* Making Duplicity use venvs.
* Installing venvs as the correct user.
* Setting Duplicity user back to root and installing 'fasteners' in the venv.
* Duplicity --s3-european-buckets option deprecated.
* Ansible in init pr 2.x (#1554)
* Adding new Python pip package role.
* Updating NGINX and Boto3 roles to use the new Python pip role.
* Moving Ansible install to _init.
* Detecting connection type before installing Ansible.
* The _init role should not generate SSH keys and ce_provision should optionally install a new user.
* Updating documentation.
* Switching to using the user_provision role for controller user in _init.
* Allowing for ce_provision to install Ansible in another location.
* Passing vars to the core Ansible install.
* We will need linters if the system didn't install them.
* Duplicity role doesn't need to ensure permissions, it's done in python_pip_packages already.
* Allowing ce-provision to set a different UID from the system user.
* Mailpit role pr 2.x (#1522)
* Stopping NGINX dropping a proxy vhost for LE if we have a services[] list.
* Adding the new Mailpit role.
* Updating docs.
* Variable name typo.
* Adding a mailpit_open firewall rule to make life easier in containers.
* Final pass of Mailpit role, now works straight away in containers.
* Acm san cert replacement pr 2.x (#1561)
* Minor docs update for ASG role.
* Adding logic to check if extra domains are in our SAN certificate already.
* Fixing SAN cert list creation.
* Simplifying SAN look-up, sticking to selected certificate.
* Ensure we have a SAN domains list before trying to loop over it.
* Moving post-create ACM actions to a block.
* Adding variable to store obsolete ARN in, could be useful.
* Fixing bug with ACM certificate lookup, using ARN instead of domain to avoid multiple responses.
* Making Bookworm the default base distro. (#1565)
* Making Bookworm the default base distro.
* Updating default volume type for EC2 instances to gp3.
* Allow the setting of base AMI filter for Packer in ASG role.
* Updating ASG docs.
* Nginx domain handling pr 2.x (#1568)
* Moving SSL handling to a separate tasks file.
* Making more NGINX settings available for modification.
* Allowing more variables to be set for PHP-FPM and the cli.
* Adding template line-break for NGINX _common config for style.
* Fixing timer backup job for LDAP servers. (#1574)
* Ldap server schedule fixes pr 2.x (#1578)
* Fixing timer backup job for LDAP servers.
* Setting path to LDAP server backup log.
* Adding-ami-cleanup-role (#1580)
Co-authored-by: Matej Stajduhar
* Adding ami cleanup role 2.x pr 2.x (#1582)
* Adding-ami-cleanup-role
* adding-domain-name-in-scheduler-to-differ-if-multiple-ASGs-are-in-same-region
---------
Co-authored-by: Matej Stajduhar
* r68801-improve-caching-behavior-and-some-nginx-fixes (#1572)
* r68801-improve-caching-behavior-and-some-nginx-fixes
* r68801-improve-caching-behavior-and-some-nginx-fixes
* add_header to variable
* add_header to variable
* remove extra ;
* MOAR blocks
* moving-assume-role-to-files-folder (#1588)
* moving-assume-role-to-files-folder
* Changing-lookup-function
* Changing-lookup-function-2
---------
Co-authored-by: Matej Stajduhar
* Adding-retry-and-delay-on-lambda-creation-due-to-IAM-role-creation (#1593)
Co-authored-by: Matej Stajduhar
* Adding-wait-task-prior-to-lambda-creation (#1595)
Co-authored-by: Matej Stajduhar
* nginx-config-backup-and-cleaup-vhosts-on-rebuild (#1590)
* nginx-config-backup-and-cleaup-vhosts-on-rebuild
* change module from command to unarchive
* change module from command to unarchive
* Adding-CF-S3-logging (#1596)
Co-authored-by: Matej Stajduhar
* php clear_env config option (#1599)
* move ssl to domain.yml to fix the loop; remove checking for existing vhost as the LE proxy handling may not be there if SSL was not configured before, and the vhost will not be there as we are recreating them by default (#1601)
* Allowing multiple clamscan wrapper scripts and timers per server. (#1538)
* Allowing multiple clamscan wrapper scripts and timers per server.
* Updating docs.
* Giving the timer a consistent name.
* r69219-Updating-Scheduler-json-target (#1603)
Co-authored-by: Matej Stajduhar
* R68069 alb healthchecks and nginx pr 2.x (#1609)
* r68069-alb-healthchecks-and-nginx
* r68069-alb-healthchecks-and-nginx
* r68069-alb-healthchecks-and-nginx
* r68069-nice-indentation
* R69332 le cron mail alerts pr 2.x (#1605)
* r69332-le-cron-mail-alerts
* Changing-recipient-to-var
* Changing-recipient-to-var-2
* Fixing-email-var
* Fixing-email-var-2
* Aws acl defaults pr 2.x (#1614)
* Fixing AWS ACL role defaults.
* Docs update.
* Punctuation fix!
* Small-changes-to-roles (#1617)
Co-authored-by: Matej Stajduhar
* Updating-aws-acl-role (#1626)
Co-authored-by: Matej Stajduhar
* Apt repo role pr 2.x (#1620)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Apt repo role pr 2.x (#1631)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Adding MySQL repo to unattended upgrades.
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.
* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.
* Updating docs index.
* Adding Docker repo to unattended upgrades.
* Updating MySQL docs.
* Updating repo handling for GitLab and GitLab Runner.
* Ensuring wget is installed.
* wget seems more reliable than cURL for key fetching.
* Updating Jenkins repo handling.
* Fixing openjdk default version and updating nodejs APT repo handling.
* Removing OSSEC, replaced by Wazuh.
* Updating repo handling for the PAM LinOTP role.
* Updating repo handling for the LHCI role.
* Updating repo handling for PHP components.
* Trying out a different config for Jenkins.
* Updating docs.
* Forgot to remove old yarn repo code.
* Adding python3-debian package to python_common defaults to avoid first build failures.
* Adding list format support to APT role.
* Testing list format support with jenkins role.
* Downloading GPG public key.
* Ensuring the _apt_repository.key_filename var exists.
* Fixing SSL vars in Jenkins role.
* Updating repo handling for jitsi role.
* Updating docs.
* Bad SSL var name.
* required_paramater_for_gp3_storage_type_tidying_up_and_refactoring (#1641)
* required_paramater_for_gp3_storage_type_tidying_up_and_refactoring
* fix vars
* fixing more vars
* fixing more vars
* fixing loop in template
* fixing_rds_vars (#1652)
* Fixing-aws-acl-condition (#1654)
Co-authored-by: Matej Stajduhar
* Apt repo role pr 2.x (#1661)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Adding MySQL repo to unattended upgrades.
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.
* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.
* Updating docs index.
* Adding Docker repo to unattended upgrades.
* Updating MySQL docs.
* Updating repo handling for GitLab and GitLab Runner.
* Ensuring wget is installed.
* wget seems more reliable than cURL for key fetching.
* Updating Jenkins repo handling.
* Fixing openjdk default version and updating nodejs APT repo handling.
* Removing OSSEC, replaced by Wazuh.
* Updating repo handling for the PAM LinOTP role.
* Updating repo handling for the LHCI role.
* Updating repo handling for PHP components.
* Trying out a different config for Jenkins.
* Updating docs.
* Forgot to remove old yarn repo code.
* Adding python3-debian package to python_common defaults to avoid first build failures.
* Adding list format support to APT role.
* Testing list format support with jenkins role.
* Downloading GPG public key.
* Ensuring the _apt_repository.key_filename var exists.
* Fixing SSL vars in Jenkins role.
* Updating repo handling for jitsi role.
* Updating docs.
* Bad SSL var name.
* Making timer name dynamic.
* Adding missing repo format var to all APT repo handling.
* Updating docs.
* Bug fixes 2.x pr 2.x (#1662)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* fix(scripts): Fix git checkout to fetch any new branches (#1655)
* Apt repo role pr 2.x (#1666)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Adding MySQL repo to unattended upgrades.
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.
* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.
* Updating docs index.
* Adding Docker repo to unattended upgrades.
* Updating MySQL docs.
* Updating repo handling for GitLab and GitLab Runner.
* Ensuring wget is installed.
* wget seems more reliable than cURL for key fetching.
* Updating Jenkins repo handling.
* Fixing openjdk default version and updating nodejs APT repo handling.
* Removing OSSEC, replaced by Wazuh.
* Updating repo handling for the PAM LinOTP role.
* Updating repo handling for the LHCI role.
* Updating repo handling for PHP components.
* Trying out a different config for Jenkins.
* Updating docs.
* Forgot to remove old yarn repo code.
* Adding python3-debian package to python_common defaults to avoid first build failures.
* Adding list format support to APT role.
* Testing list format support with jenkins role.
* Downloading GPG public key.
* Ensuring the _apt_repository.key_filename var exists.
* Fixing SSL vars in Jenkins role.
* Updating repo handling for jitsi role.
* Updating docs.
* Bad SSL var name.
* Making timer name dynamic.
* Adding missing repo format var to all APT repo handling.
* Updating docs.
* Fixing bug where list is passed instead of dict for systemd timer.
* Bug fixes 2.x pr 2.x (#1667)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Bug fixes 2.x pr 2.x (#1670)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Updating-waf-acl-role (#1672)
Co-authored-by: Matej Stajduhar
* Setting up proxy vhost pr 2.x (#1674)
* Setting-up-proxy-vhost
* Setting-up-proxy-vhost-2
* Fixing-typo (#1676)
* New-version-of-aws-acl-role (#1683)
* New-version-of-aws-acl-role
* Fixing-jinja-linting
---------
Co-authored-by: Matej Stajduhar
* Updating-nginx-template (#1688)
* Updating-aws_backup-to-register-iam-arn-2 (#1696)
Co-authored-by: Matej Stajduhar
* Updating-nginx-htpasswd-task-2 (#1698)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1702)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* r69424-Adding-resource-group-task (#1706)
Co-authored-by: Matej Stajduhar
* Adding lock file behaviour to ce-provision. (#1708)
* Adding lock file behaviour to ce-provision.
* Updating documentation.
* Adding extra lock file handling for ASG EC2 machines.
* Moving lock file paths to variables.
* Adding docs about connection management.
* Fixing placement of lock files on ASGs.
* Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone).
* Adding in a lock file removal if we do not replace the ASG.
* Bug fixes 2.x pr 2.x (#1715)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Bug fixes 2.x pr 2.x (#1717)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Creating a ce-provision installer script. (#1724)
* Installer pr 2.x (#1726)
* Creating a ce-provision installer script.
* Updating installation docs.
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_ro… * R71115 default ldap ca cert pr devel 2.x (#2196) * Bug fixes 2.x pr 2.x (#1454) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. 
* Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Fixing-wazuh-vars (#1456) * Fixing wazuh vars pr 2.x (#1460) * Fixing-wazuh-vars * Fixing-linting * Updating-sury-keys (#1463) * Replace ssl certs pr 2.x (#1467) * Documentation updates. * Tidying SSL role and allowing option to replace a cert. * Bug fixes 2.x pr 2.x (#1469) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. 
* Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Fixing-wazuh-variables (#1473) * Adding-wazuh-path-defaults (#1480) * Adding-wazuh-path-defaults * Changing-wazuh-path-location * Updating wazuh path2x pr 2.x (#1482) * Updating-wazuh-path2x * Updating-all-roles-path * Making Varnish template handling more flexible. (#1485) * Making Varnish template handling more flexible. * Adding empty line. * Varnish config pr 2.x (#1491) * Making Varnish template handling more flexible. * Adding empty line. * Minor template changes. * Tls for postfix pr 2.x (#1493) * Some Apache docs updates. * Sorting TLS for SMTP in Postfix config. * Left bad domain in example cert paths. * Setting-port-change-option-for-nginx (#1487) * Setting-port-change-option-for-nginx * Update main.yml * Update nginx.conf.j2 --------- Co-authored-by: Matej Stajduhar * Tls for postfix pr 2.x (#1498) * Some Apache docs updates. * Sorting TLS for SMTP in Postfix config. * Left bad domain in example cert paths. * Typo in template var names. * Changing-LE-default-vhost (#1500) * Handling allowing client config template for ovpn to have an FQDN. (#1502) * Openvpn client fqdn pr 2.x (#1504) * Supporting a fixed PHP version with a fixed port number. * Accidentally re-added the old VPN role - re-deleting! * Handling allowing client config template for ovpn to have an FQDN. * Let's not assume port 1194 for ovpn.
* Openvpn client fqdn pr 2.x (#1506) * Supporting a fixed PHP version with a fixed port number. * Accidentally re-added the old VPN role - re-deleting! * Handling allowing client config template for ovpn to have an FQDN. * Let's not assume port 1194 for ovpn. * Tweaking FQDN handling in ovpn. * Adding volume handling options for Packer. (#1508) * Packer volume handling pr 2.x (#1510) * Adding volume handling options for Packer. * Missed a comma in the template, plus adding docs. * Upading-ssl-vars (#1512) * Upading-ssl-vars * Building-docs * Fixing-ldap-role-ssl-task (#1514) * r68725-Updating-ACL-role-to-include-ALB-2x (#1518) Co-authored-by: Matej Stajduhar * Changing import_role to include_vars for vars only Wazuh roles. (#1524) * Wazuh fixes pr 2.x (#1526) * Changing import_role to include_vars for vars only Wazuh roles. * We cannot use the _domain_name var in this context. * Adding cipher to client template and fixing default push route. (#1528) * Switching key server pr 2.x (#1531) * Switching-key-server * Switching-key-server-mysql * Fixing-empty-line * Fixing-mysql-role (#1534) * Fixing-mysql-role * Fixing-linting * Fixing-broken-mysql-role (#1536) * R68801 gzip nginx cloudfront pr 2.x (#1544) * r68801-r67628-gzip-nginx-cloudfront * r68801-r67628-gzip-nginx-cloudfront * remove test tasks * remove test tasks * remove test tasks * Making Duplicity use venvs. (#1547) * Making Duplicity use venvs. * Installing venvs as the correct user. * Setting Duplicity user back to root and installing 'fasteners' in the venv. * Duplicity --s3-european-buckets option deprecated. * Ansible in init pr 2.x (#1554) * Adding new Python pip package role. * Updating NGINX and Boto3 roles to use the new Python pip role. * Moving Ansible install to _init. * Detecting connection type before installing Ansible. * The _init role should not generate SSH keys and ce_provision should optionally install a new user. * Updating documentation.
* Switching to using the user_provision role for controller user in _init. * Allowing for ce_provision to install Ansible in another location. * Passing vars to the core Ansible install. * We will need linters if the system didn't install them. * Duplicity role doesn't need to ensure permissions, it's done in python_pip_packages already. * Allowing ce-provision to set a different UID from the system user. * Mailpit role pr 2.x (#1522) * Stopping NGINX dropping a proxy vhost for LE if we have a services[] list. * Adding the new Mailpit role. * Updating docs. * Variable name typo. * Adding a mailpit_open firewall rule to make life easier in containers. * Final pass of Mailpit role, now works straight away in containers. * Acm san cert replacement pr 2.x (#1561) * Minor docs update for ASG role. * Adding logic to check if extra domains are in our SAN certificate already. * Fixing SAN cert list creation. * Simplifying SAN look-up, sticking to selected certificate. * Ensure we have a SAN domains list before trying to loop over it. * Moving post-create ACM actions to a block. * Adding variable to store obsolete ARN in, could be useful. * Fixing bug with ACM certificate lookup, using ARN instead of domain to avoid multiple responses. * Making Bookworm the default base distro. (#1565) * Making Bookworm the default base distro. * Updating default volume type for EC2 instances to gp3. * Allow the setting of base AMI filter for Packer in ASG role. * Updating ASG docs. * Nginx domain handling pr 2.x (#1568) * Moving SSL handling to a separate tasks file. * Making more NGINX settings available for modification. * Allowing more variables to be set for PHP-FPM and the cli. * Adding template line-break for NGINX _common config for style. * Fixing timer backup job for LDAP servers. (#1574) * Ldap server schedule fixes pr 2.x (#1578) * Fixing timer backup job for LDAP servers. * Setting path to LDAP server backup log.
* Adding-ami-cleanup-role (#1580) Co-authored-by: Matej Stajduhar * Adding ami cleanup role 2.x pr 2.x (#1582) * Adding-ami-cleanup-role * adding-domain-name-in-scheduler-to-differ-if-multiple-ASGs-are-in-same-region --------- Co-authored-by: Matej Stajduhar * r68801-improve-caching-behavior-and-some-nginx-fixes (#1572) * r68801-improve-caching-behavior-and-some-nginx-fixes * r68801-improve-caching-behavior-and-some-nginx-fixes * add_header to variable * add_header to variable * remove extra ; * MOAR blocks * moving-assume-role-to-files-folder (#1588) * moving-assume-role-to-files-folder * Changing-lookup-function * Changing-lookup-function-2 --------- Co-authored-by: Matej Stajduhar * Adding-retry-and-delay-on-lambda-creation-due-to-IAM-role-creation (#1593) Co-authored-by: Matej Stajduhar * Adding-wait-task-prior-to-lambda-creation (#1595) Co-authored-by: Matej Stajduhar * nginx-config-backup-and-cleaup-vhosts-on-rebuild (#1590) * nginx-config-backup-and-cleaup-vhosts-on-rebuild * change module from command to unarchive * change module from command to unarchive * Adding-CF-S3-logging (#1596) Co-authored-by: Matej Stajduhar * php clear_env config option (#1599) * move ssl to domain.yml to fix the loop; remove checking for existing vhost as the LE proxy handling may not be there if SSL was not configured before, and the vhost will not be there as we are recreating them by default (#1601) * Allowing multiple clamscan wrapper scripts and timers per server. (#1538) * Allowing multiple clamscan wrapper scripts and timers per server. * Updating docs. * Giving the timer a consistent name.
* r69219-Updating-Scheduler-json-target (#1603) Co-authored-by: Matej Stajduhar * R68069 alb healthchecks and nginx pr 2.x (#1609) * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-nice-indentation * R69332 le cron mail alerts pr 2.x (#1605) * r69332-le-cron-mail-alerts * Changing-recipient-to-var * Changing-recipient-to-var-2 * Fixing-email-var * Fixing-email-var-2 * Aws acl defaults pr 2.x (#1614) * Fixing AWS ACL role defaults. * Docs update. * Punctuation fix! * Small-changes-to-roles (#1617) Co-authored-by: Matej Stajduhar * Updating-aws-acl-role (#1626) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1620) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Apt repo role pr 2.x (#1631) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. 
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * required_paramater_for_gp3_storage_type_tidying_up_and_refactoring (#1641) * required_paramater_for_gp3_storage_type_tidying_up_and_refactoring * fix vars * fixing more vars * fixing more vars * fixing loop in template * fixing_rds_vars (#1652) * Fixing-aws-acl-condition (#1654) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1661) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. 
* Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. * Adding missing repo format var to all APT repo handling. * Updating docs. * Bug fixes 2.x pr 2.x (#1662) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * fix(scripts): Fix git checkout to fetch any new branches (#1655) * Apt repo role pr 2.x (#1666) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. 
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. * Adding missing repo format var to all APT repo handling. * Updating docs. * Fixing bug where list is passed instead of dict for systemd timer. * Bug fixes 2.x pr 2.x (#1667) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. 
* python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Bug fixes 2.x pr 2.x (#1670) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. 
* Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Updating-waf-acl-role (#1672) Co-authored-by: Matej Stajduhar * Setting up proxy vhost pr 2.x (#1674) * Setting-up-proxy-vhost * Setting-up-proxy-vhost-2 * Fixing-typo (#1676) * New-version-of-aws-acl-role (#1683) * New-version-of-aws-acl-role * Fixing-jinja-linting --------- Co-authored-by: Matej Stajduhar * Updating-nginx-template (#1688) * Updating-aws_backup-to-register-iam-arn-2 (#1696) Co-authored-by: Matej Stajduhar * Updating-nginx-htpasswd-task-2 (#1698) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1702) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * r69424-Adding-resource-group-task (#1706) Co-authored-by: Matej Stajduhar * Adding lock file behaviour to ce-provision. (#1708) * Adding lock file behaviour to ce-provision. * Updating documentation. * Adding extra lock file handling for ASG EC2 machines. * Moving lock file paths to variables. * Adding docs about connection management. * Fixing placement of lock files on ASGs. * Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone). * Adding in a lock file removal if we do not replace the ASG. * Bug fixes 2.x pr 2.x (#1715) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Bug fixes 2.x pr 2.x (#1717) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Creating a ce-provision installer script. 
(#1724) * Installer pr 2.x (#1726) * Creating a ce-provision installer script. * Updating installation docs. * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1752)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Bug fixes 2.x pr 2.x (#1754)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Bug fixes 2.x pr 2.x (#1756)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Redoing-changes-for-aws-acl-role (#1728)
* Redoing-changes-for-aws-acl-role
* retrigger checks
* Fixing-conflicts-4

---------

Co-authored-by: Matej Stajduhar

* Remvoing-scp-extra-args-temporary (#1761)

Co-authored-by: Matej Stajduhar

* Bug fixes 2.x pr 2.x (#1765)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_… * Publish docs pr devel 2.x (#2202) * Updating defaults pr 2.x (#1982) * Updated-defaults-for-aws_acl-role * Removing-Identity-search --------- Co-authored-by: Matej Stajduhar * Updating defaults pr 2.x (#1984) * Updated-defaults-for-aws_acl-role * Removing-Identity-search * Removing-undefined-variable --------- Co-authored-by: Matej Stajduhar * Removing-gawk-apt (#1985) * Adding-gawk-removing-gawk-csh (#1987) * Adding-when-statement-for-assigning-instance (#1990) * Adding-when-statement-for-assigning-instance * Adding-check-prior-to-assigning-resources * Adding-check-prior-to-assigning-resources * Adding-region-to-aws-cli-command * Print-protected-resource * Adding-resource-type-definition * Resolved-conflicts * Removing-empty-line * Disabling-assigning-instance-to-restore-testing-plan --------- Co-authored-by: Matej Stajduhar * Matching-2.x-and-devel-branches (#1999) Co-authored-by: Matej Stajduhar * Adding-aws-ses-role (#2003) * Adding-aws-ses-role * Removing-python-script * Changing-domain-name * Using-variable-for-domain-name --------- Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * 
Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * 
Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. 
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'ru… * Publish docs pr devel 2.x (#2204) * Resolving-conflicts (#2015) Co-authored-by: Matej Stajduhar * Resolving-conflicts (#2018) Co-authored-by: Matej Stajduhar * Updating nginx ssl le roles pr 2.x (#2021) * Updating-nginx-SSL-LE-roles * Updating-nginx-vars * r70260 Option to ignore false-positive shared memory segment warnings (#2023) * Adding-wazuh-ossec-from-enigma00a (#2027) * Updating-gitlab-runner-env (#2031) * r70987-decom-vpn-guest (#2034) * r70797 nodhcp module in system role for hetzner cloud systems (#2036) * r70797 nodhcp module in system role for hetzner cloud systems * fix syntax * r70797 set pipefail to resolve linting failure * fix pipefail with bash (#2038) * fix var in templ (#2040) * R70928 adding webroot option for le ssl task and fixing looping over domains pr 2.x (#2042) * r70928-adding-webroot-option-for-LE-SSL-task-and-fixing-looping-over-domains * Changing-LE-cron * Changing-script-from-sh-to-bash --------- Co-authored-by: Matej Stajduhar * Updating-local-ossec-rules (#2045) * Updating-local-ossec-rules * Fixing-syntax * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision 
https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. 
* Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. 
* Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. 
* Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. * Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. 
* Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. * More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. 
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is o… * Documentation update - devel-2.x (#2201) * Fixing wazuh pr 2.x (#1447) * Fixing-wazuh * Fixing-wazuh * Fixing wazuh pr 2.x (#1449) * Fixing-wazuh * Fixing-wazuh * Adding-ansible-builtin-modules * Adding-debug * Fixing-vars * Adding clamdscan package to clamav role. (#1452) * Bug fixes 2.x pr 2.x (#1454) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Fixing-wazuh-vars (#1456) * Fixing wazuh vars pr 2.x (#1460) * Fixing-wazuh-vars * Fixing-linting * Updating-sury-keys (#1463) * Replace ssl certs pr 2.x (#1467) * Documentation updates. * Tidying SSL role and allowing option to replace a cert. * Bug fixes 2.x pr 2.x (#1469) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. 
* _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Fixing-wazuh-variables (#1473) * Adding-wazuh-path-defaults (#1480) * Adding-wazuh-path-defaults * Changing-wazuh-path-location * Updating wazuh path2x pr 2.x (#1482) * Updating-wazuh-path2x * Updating-all-roles-path * Making Varnish template handling more flexible. (#1485) * Making Varnish template handling more flexible. * Adding empty line. * Varnish config pr 2.x (#1491) * Making Varnish template handling more flexible. * Adding empty line. * Minor template changes. * Tls for postfix pr 2.x (#1493) * Some Apache docs updates. * Sorting TLS for SMTP in Postfix config. * Left bad domain in example cert paths. * Setting-port-change-option-for-nginx (#1487) * Setting-port-change-option-for-nginx * Update main.yml * Update nginx.conf.j2 --------- Co-authored-by: Matej Stajduhar * Tls for postfix pr 2.x (#1498) * Some Apache docs updates. * Sorting TLS for SMTP in Postfix config. 
* Left bad domain in example cert paths. * Typo in template var names. * Changing-LE-default-vhost (#1500) * Handling allowing client config template for ovpn to have an FQDN. (#1502) * Openvpn client fqdn pr 2.x (#1504) * Supporting a fixed PHP version with a fixed port number. * Accidentally re-added the old VPN role - re-deleting! * Handling allowing client config template for ovpn to have an FQDN. * Let's not assume port 1194 for ovpn. * Openvpn client fqdn pr 2.x (#1506) * Supporting a fixed PHP version with a fixed port number. * Accidentally re-added the old VPN role - re-deleting! * Handling allowing client config template for ovpn to have an FQDN. * Let's not assume port 1194 for ovpn. * Tweaking FQDN handling in ovpn. * Adding volume handling options for Packer. (#1508) * Packer volume handling pr 2.x (#1510) * Adding volume handling options for Packer. * Missed a comma in the template, plus adding docs. * Upading-ssl-vars (#1512) * Upading-ssl-vars * Building-docs * Fixing-ldap-role-ssl-task (#1514) * r68725-Updating-ACL-role-to-include-ALB-2x (#1518) Co-authored-by: Matej Stajduhar * Changing import_role to include_vars for vars only Wazuh roles. (#1524) * Wazuh fixes pr 2.x (#1526) * Changing import_role to include_vars for vars only Wazuh roles. * We cannot use the _domain_name var in this context. * Adding cipher to client template and fixing default push route. (#1528) * Switching key server pr 2.x (#1531) * Switching-key-server * Switching-key-server-mysql * Fixing-empty-line * Fixing-mysql-role (#1534) * Fixing-mysql-role * Fixing-linting * Fixing-broken-mysql-role (#1536) * R68801 gzip nginx cloudfront pr 2.x (#1544) * r68801-r67628-gzip-nginx-cloudfront * r68801-r67628-gzip-nginx-cloudfront * remove test tasks * remove test tasks * remove test tasks * Making Duplicity use venvs. (#1547) * Making Duplicity use venvs. * Installing venvs as the correct user. * Setting Duplicity user back to root and installing 'fasteners' in the venv. 
* Duplicity --s3-european-buckets option deprecated. * Ansible in init pr 2.x (#1554) * Adding new Python pip package role. * Updating NGINX and Boto3 roles to use the new Python pip role. * Moving Ansible install to _init. * Detecting connection type before installing Ansible. * The _init role should not generate SSH keys and ce_provision should optionally install a new user. * Updating documentation. * Switching to using the user_provision role for controller user in _init. * Allowing for ce_provision to install Ansible in another location. * Passing vars to the core Ansible install. * We will need linters if the system didn't install them. * Duplicity role doesn't need to ensure permissions, it's done in python_pip_packages already. * Allowing ce-provision to set a different UID from the system user. * Mailpit role pr 2.x (#1522) * Stopping NGINX dropping a proxy vhost for LE if we have a services[] list. * Adding the new Mailpit role. * Updating docs. * Variable name typo. * Adding a mailpit_open firewall rule to make life easier in containers. * Final pass of Mailpit role, now works straight away in containers. * Acm san cert replacement pr 2.x (#1561) * Minor docs update for ASG role. * Adding logic to check if extra domains are in our SAN certificate already. * Fixing SAN cert list creation. * Simplifying SAN look-up, sticking to selected certificate. * Ensure we have a SAN domains list before trying to loop over it. * Moving post-create ACM actions to a block. * Adding variable to store obsolete ARN in, could be useful. * Fixing bug with ACM certificate lookup, using ARN instead of domain to avoid multiple responses. * Making Bookworm the default base distro. (#1565) * Making Bookworm the default base distro. * Updating default volume type for EC2 instances to gp3. * Allow the setting of base AMI filter for Packer in ASG role. * Updating ASG docs. * Nginx domain handling pr 2.x (#1568) * Moving SSL handling to a separate tasks file. 
* Making more NGINX settings available for modification. * Allowing more variables to be set for PHP-FPM and the cli. * Adding template line-break for NGINX _common config for style. * Fixing timer backup job for LDAP servers. (#1574) * Ldap server schedule fixes pr 2.x (#1578) * Fixing timer backup job for LDAP servers. * Setting path to LDAP server backup log. * Adding-ami-cleanup-role (#1580) Co-authored-by: Matej Stajduhar * Adding ami cleanup role 2.x pr 2.x (#1582) * Adding-ami-cleanup-role * adding-domain-name-in-scheduler-to-differ-if-multiple-ASGs-are-in-same-region --------- Co-authored-by: Matej Stajduhar * r68801-improve-caching-behavior-and-some-nginx-fixes (#1572) * r68801-improve-caching-behavior-and-some-nginx-fixes * r68801-improve-caching-behavior-and-some-nginx-fixes * add_header to variable * add_header to variable * remove extra ; * MOAR blocks * moving-assume-role-to-files-folder (#1588) * moving-assume-role-to-files-folder * Changing-lookup-function * Changing-lookup-function-2 --------- Co-authored-by: Matej Stajduhar * Adding-retry-and-delay-on-lambda-creation-due-to-IAM-role-creation (#1593) Co-authored-by: Matej Stajduhar * Adding-wait-task-prior-to-lambda-creation (#1595) Co-authored-by: Matej Stajduhar * nginx-config-backup-and-cleaup-vhosts-on-rebuild (#1590) * nginx-config-backup-and-cleaup-vhosts-on-rebuild * change module from command to unarchive * change module from command to unarchive * Adding-CF-S3-logging (#1596) Co-authored-by: Matej Stajduhar * php clear_env config option (#1599) * move ssl to domain.yml to fix the loop; remove checking for existing vhost as the LE proxy handling may not be there if SSL was not configured before, and the vhost will not be there as we are recreating them by default (#1601) * Allowing multiple clamscan wrapper scripts and timers per server. (#1538) * Allowing multiple clamscan wrapper scripts and timers per server. * Updating docs. * Giving the timer a consistent name. 
* r69219-Updating-Scheduler-json-target (#1603) Co-authored-by: Matej Stajduhar * R68069 alb healthchecks and nginx pr 2.x (#1609) * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-nice-indentation * R69332 le cron mail alerts pr 2.x (#1605) * r69332-le-cron-mail-alerts * Changing-recipient-to-var * Changing-recipient-to-var-2 * Fixing-email-var * Fixing-email-var-2 * Aws acl defaults pr 2.x (#1614) * Fixing AWS ACL role defaults. * Docs update. * Punctuation fix! * Small-changes-to-roles (#1617) Co-authored-by: Matej Stajduhar * Updating-aws-acl-role (#1626) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1620) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Apt repo role pr 2.x (#1631) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. 
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * required_paramater_for_gp3_storage_type_tidying_up_and_refactoring (#1641) * required_paramater_for_gp3_storage_type_tidying_up_and_refactoring * fix vars * fixing more vars * fixing more vars * fixing loop in template * fixing_rds_vars (#1652) * Fixing-aws-acl-condition (#1654) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1661) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. 
* Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. * Adding missing repo format var to all APT repo handling. * Updating docs. * Bug fixes 2.x pr 2.x (#1662) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * fix(scripts): Fix git checkout to fetch any new branches (#1655) * Apt repo role pr 2.x (#1666) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. 
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. * Adding missing repo format var to all APT repo handling. * Updating docs. * Fixing bug where list is passed instead of dict for systemd timer. * Bug fixes 2.x pr 2.x (#1667) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. 
* python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Bug fixes 2.x pr 2.x (#1670) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. 
* Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Updating-waf-acl-role (#1672) Co-authored-by: Matej Stajduhar * Setting up proxy vhost pr 2.x (#1674) * Setting-up-proxy-vhost * Setting-up-proxy-vhost-2 * Fixing-typo (#1676) * New-version-of-aws-acl-role (#1683) * New-version-of-aws-acl-role * Fixing-jinja-linting --------- Co-authored-by: Matej Stajduhar * Updating-nginx-template (#1688) * Updating-aws_backup-to-register-iam-arn-2 (#1696) Co-authored-by: Matej Stajduhar * Updating-nginx-htpasswd-task-2 (#1698) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1702) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * r69424-Adding-resource-group-task (#1706) Co-authored-by: Matej Stajduhar * Adding lock file behaviour to ce-provision. (#1708) * Adding lock file behaviour to ce-provision. * Updating documentation. * Adding extra lock file handling for ASG EC2 machines. * Moving lock file paths to variables. * Adding docs about connection management. * Fixing placement of lock files on ASGs. * Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone). * Adding in a lock file removal if we do not replace the ASG. * Bug fixes 2.x pr 2.x (#1715) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Bug fixes 2.x pr 2.x (#1717) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Creating a ce-provision installer script. 
(#1724) * Installer pr 2.x (#1726) * Creating a ce-provision installer script. * Updating installation docs. * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Bug fixes 2.x pr 2.x (#1767)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Bug fixes 2.x pr 2.x (#1769)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Bug fixes 2.x pr 2.x (#1771)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_ro…
* Enhanced quick start pr devel 2.x (#2206)
* Fixing-wazuh-variables (#1473)
* Adding-wazuh-path-defaults (#1480)
* Adding-wazuh-path-defaults
* Changing-wazuh-path-location
* Updating wazuh path2x pr 2.x (#1482)
* Updating-wazuh-path2x
* Updating-all-roles-path
* Making Varnish template handling more flexible. (#1485)
* Making Varnish template handling more flexible.
* Adding empty line.
* Varnish config pr 2.x (#1491)
* Making Varnish template handling more flexible.
* Adding empty line.
* Minor template changes.
* Tls for postfix pr 2.x (#1493)
* Some Apache docs updates.
* Sorting TLS for SMTP in Postfix config.
* Left bad domain in example cert paths.
* Setting-port-change-option-for-nginx (#1487)
* Setting-port-change-option-for-nginx
* Update main.yml
* Update nginx.conf.j2
---------
Co-authored-by: Matej Stajduhar
* Tls for postfix pr 2.x (#1498)
* Some Apache docs updates.
* Sorting TLS for SMTP in Postfix config.
* Left bad domain in example cert paths.
* Typo in template var names.
* Changing-LE-default-vhost (#1500)
* Handling allowing client config template for ovpn to have an FQDN. (#1502)
* Openvpn client fqdn pr 2.x (#1504)
* Supporting a fixed PHP version with a fixed port number.
* Accidentally re-added the old VPN role - re-deleting!
* Handling allowing client config template for ovpn to have an FQDN.
* Let's not assume port 1194 for ovpn.
* Openvpn client fqdn pr 2.x (#1506)
* Supporting a fixed PHP version with a fixed port number.
* Accidentally re-added the old VPN role - re-deleting!
* Handling allowing client config template for ovpn to have an FQDN.
* Let's not assume port 1194 for ovpn.
* Tweaking FQDN handling in ovpn.
* Adding volume handling options for Packer. (#1508)
* Packer volume handling pr 2.x (#1510)
* Adding volume handling options for Packer.
* Missed a comma in the template, plus adding docs.
* Upading-ssl-vars (#1512)
* Upading-ssl-vars
* Building-docs
* Fixing-ldap-role-ssl-task (#1514)
* r68725-Updating-ACL-role-to-include-ALB-2x (#1518)
Co-authored-by: Matej Stajduhar
* Changing import_role to include_vars for vars only Wazuh roles. (#1524)
* Wazuh fixes pr 2.x (#1526)
* Changing import_role to include_vars for vars only Wazuh roles.
* We cannot use the _domain_name var in this context.
* Adding cipher to client template and fixing default push route. (#1528)
* Switching key server pr 2.x (#1531)
* Switching-key-server
* Switching-key-server-mysql
* Fixing-empty-line
* Fixing-mysql-role (#1534)
* Fixing-mysql-role
* Fixing-linting
* Fixing-broken-mysql-role (#1536)
* R68801 gzip nginx cloudfront pr 2.x (#1544)
* r68801-r67628-gzip-nginx-cloudfront
* r68801-r67628-gzip-nginx-cloudfront
* remove test tasks
* remove test tasks
* remove test tasks
* Making Duplicity use venvs. (#1547)
* Making Duplicity use venvs.
* Installing venvs as the correct user.
* Setting Duplicity user back to root and installing 'fasteners' in the venv.
* Duplicity --s3-european-buckets option deprecated.
* Ansible in init pr 2.x (#1554)
* Adding new Python pip package role.
* Updating NGINX and Boto3 roles to use the new Python pip role.
* Moving Ansible install to _init.
* Detecting connection type before installing Ansible.
* The _init role should not generate SSH keys and ce_provision should optionally install a new user.
* Updating documentation.
* Switching to using the user_provision role for controller user in _init.
* Allowing for ce_provision to install Ansible in another location.
* Passing vars to the core Ansible install.
* We will need linters if the system didn't install them.
* Duplicity role doesn't need to ensure permissions, it's done in python_pip_packages already.
* Allowing ce-provision to set a different UID from the system user.
* Mailpit role pr 2.x (#1522)
* Stopping NGINX dropping a proxy vhost for LE if we have a services[] list.
* Adding the new Mailpit role.
* Updating docs.
* Variable name typo.
* Adding a mailpit_open firewall rule to make life easier in containers.
* Final pass of Mailpit role, now works straight away in containers.
* Acm san cert replacement pr 2.x (#1561)
* Minor docs update for ASG role.
* Adding logic to check if extra domains are in our SAN certificate already.
* Fixing SAN cert list creation.
* Simplifying SAN look-up, sticking to selected certificate.
* Ensure we have a SAN domains list before trying to loop over it.
* Moving post-create ACM actions to a block.
* Adding variable to store obsolete ARN in, could be useful.
* Fixing bug with ACM certificate lookup, using ARN instead of domain to avoid multiple responses.
* Making Bookworm the default base distro. (#1565)
* Making Bookworm the default base distro.
* Updating default volume type for EC2 instances to gp3.
* Allow the setting of base AMI filter for Packer in ASG role.
* Updating ASG docs.
* Nginx domain handling pr 2.x (#1568)
* Moving SSL handling to a separate tasks file.
* Making more NGINX settings available for modification.
* Allowing more variables to be set for PHP-FPM and the cli.
* Adding template line-break for NGINX _common config for style.
* Fixing timer backup job for LDAP servers. (#1574)
* Ldap server schedule fixes pr 2.x (#1578)
* Fixing timer backup job for LDAP servers.
* Setting path to LDAP server backup log.
* Adding-ami-cleanup-role (#1580)
Co-authored-by: Matej Stajduhar
* Adding ami cleanup role 2.x pr 2.x (#1582)
* Adding-ami-cleanup-role
* adding-domain-name-in-scheduler-to-differ-if-multiple-ASGs-are-in-same-region
---------
Co-authored-by: Matej Stajduhar
* r68801-improve-caching-behavior-and-some-nginx-fixes (#1572)
* r68801-improve-caching-behavior-and-some-nginx-fixes
* r68801-improve-caching-behavior-and-some-nginx-fixes
* add_header to variable
* add_header to variable
* remove extra ;
* MOAR blocks
* moving-assume-role-to-files-folder (#1588)
* moving-assume-role-to-files-folder
* Changing-lookup-function
* Changing-lookup-function-2
---------
Co-authored-by: Matej Stajduhar
* Adding-retry-and-delay-on-lambda-creation-due-to-IAM-role-creation (#1593)
Co-authored-by: Matej Stajduhar
* Adding-wait-task-prior-to-lambda-creation (#1595)
Co-authored-by: Matej Stajduhar
* nginx-config-backup-and-cleaup-vhosts-on-rebuild (#1590)
* nginx-config-backup-and-cleaup-vhosts-on-rebuild
* change module from command to unarchive
* change module from command to unarchive
* Adding-CF-S3-logging (#1596)
Co-authored-by: Matej Stajduhar
* php clear_env config option (#1599)
* move ssl to domain.yml to fix the loop; remove checking for existing vhost as the LE proxy handling may not be there if SSL was not configured before, and the vhost will not be there as we are recreating them by default (#1601)
* Allowing multiple clamscan wrapper scripts and timers per server. (#1538)
* Allowing multiple clamscan wrapper scripts and timers per server.
* Updating docs.
* Giving the timer a consistent name.
* r69219-Updating-Scheduler-json-target (#1603)
Co-authored-by: Matej Stajduhar
* R68069 alb healthchecks and nginx pr 2.x (#1609)
* r68069-alb-healthchecks-and-nginx
* r68069-alb-healthchecks-and-nginx
* r68069-alb-healthchecks-and-nginx
* r68069-nice-indentation
* R69332 le cron mail alerts pr 2.x (#1605)
* r69332-le-cron-mail-alerts
* Changing-recipient-to-var
* Changing-recipient-to-var-2
* Fixing-email-var
* Fixing-email-var-2
* Aws acl defaults pr 2.x (#1614)
* Fixing AWS ACL role defaults.
* Docs update.
* Punctuation fix!
* Small-changes-to-roles (#1617)
Co-authored-by: Matej Stajduhar
* Updating-aws-acl-role (#1626)
Co-authored-by: Matej Stajduhar
* Apt repo role pr 2.x (#1620)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Apt repo role pr 2.x (#1631)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Adding MySQL repo to unattended upgrades.
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.
* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.
* Updating docs index.
* Adding Docker repo to unattended upgrades.
* Updating MySQL docs.
* Updating repo handling for GitLab and GitLab Runner.
* Ensuring wget is installed.
* wget seems more reliable than cURL for key fetching.
* Updating Jenkins repo handling.
* Fixing openjdk default version and updating nodejs APT repo handling.
* Removing OSSEC, replaced by Wazuh.
* Updating repo handling for the PAM LinOTP role.
* Updating repo handling for the LHCI role.
* Updating repo handling for PHP components.
* Trying out a different config for Jenkins.
* Updating docs.
* Forgot to remove old yarn repo code.
* Adding python3-debian package to python_common defaults to avoid first build failures.
* Adding list format support to APT role.
* Testing list format support with jenkins role.
* Downloading GPG public key.
* Ensuring the _apt_repository.key_filename var exists.
* Fixing SSL vars in Jenkins role.
* Updating repo handling for jitsi role.
* Updating docs.
* Bad SSL var name.
* required_paramater_for_gp3_storage_type_tidying_up_and_refactoring (#1641)
* required_paramater_for_gp3_storage_type_tidying_up_and_refactoring
* fix vars
* fixing more vars
* fixing more vars
* fixing loop in template
* fixing_rds_vars (#1652)
* Fixing-aws-acl-condition (#1654)
Co-authored-by: Matej Stajduhar
* Apt repo role pr 2.x (#1661)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Adding MySQL repo to unattended upgrades.
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.
* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.
* Updating docs index.
* Adding Docker repo to unattended upgrades.
* Updating MySQL docs.
* Updating repo handling for GitLab and GitLab Runner.
* Ensuring wget is installed.
* wget seems more reliable than cURL for key fetching.
* Updating Jenkins repo handling.
* Fixing openjdk default version and updating nodejs APT repo handling.
* Removing OSSEC, replaced by Wazuh.
* Updating repo handling for the PAM LinOTP role.
* Updating repo handling for the LHCI role.
* Updating repo handling for PHP components.
* Trying out a different config for Jenkins.
* Updating docs.
* Forgot to remove old yarn repo code.
* Adding python3-debian package to python_common defaults to avoid first build failures.
* Adding list format support to APT role.
* Testing list format support with jenkins role.
* Downloading GPG public key.
* Ensuring the _apt_repository.key_filename var exists.
* Fixing SSL vars in Jenkins role.
* Updating repo handling for jitsi role.
* Updating docs.
* Bad SSL var name.
* Making timer name dynamic.
* Adding missing repo format var to all APT repo handling.
* Updating docs.
* Bug fixes 2.x pr 2.x (#1662)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* fix(scripts): Fix git checkout to fetch any new branches (#1655)
* Apt repo role pr 2.x (#1666)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Adding MySQL repo to unattended upgrades.
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.
* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.
* Updating docs index.
* Adding Docker repo to unattended upgrades.
* Updating MySQL docs.
* Updating repo handling for GitLab and GitLab Runner.
* Ensuring wget is installed.
* wget seems more reliable than cURL for key fetching.
* Updating Jenkins repo handling.
* Fixing openjdk default version and updating nodejs APT repo handling.
* Removing OSSEC, replaced by Wazuh.
* Updating repo handling for the PAM LinOTP role.
* Updating repo handling for the LHCI role.
* Updating repo handling for PHP components.
* Trying out a different config for Jenkins.
* Updating docs.
* Forgot to remove old yarn repo code.
* Adding python3-debian package to python_common defaults to avoid first build failures.
* Adding list format support to APT role.
* Testing list format support with jenkins role.
* Downloading GPG public key.
* Ensuring the _apt_repository.key_filename var exists.
* Fixing SSL vars in Jenkins role.
* Updating repo handling for jitsi role.
* Updating docs.
* Bad SSL var name.
* Making timer name dynamic.
* Adding missing repo format var to all APT repo handling.
* Updating docs.
* Fixing bug where list is passed instead of dict for systemd timer.
* Bug fixes 2.x pr 2.x (#1667)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Bug fixes 2.x pr 2.x (#1670)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Updating-waf-acl-role (#1672)
Co-authored-by: Matej Stajduhar
* Setting up proxy vhost pr 2.x (#1674)
* Setting-up-proxy-vhost
* Setting-up-proxy-vhost-2
* Fixing-typo (#1676)
* New-version-of-aws-acl-role (#1683)
* New-version-of-aws-acl-role
* Fixing-jinja-linting
---------
Co-authored-by: Matej Stajduhar
* Updating-nginx-template (#1688)
* Updating-aws_backup-to-register-iam-arn-2 (#1696)
Co-authored-by: Matej Stajduhar
* Updating-nginx-htpasswd-task-2 (#1698)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1702)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* r69424-Adding-resource-group-task (#1706)
Co-authored-by: Matej Stajduhar
* Adding lock file behaviour to ce-provision. (#1708)
* Adding lock file behaviour to ce-provision.
* Updating documentation.
* Adding extra lock file handling for ASG EC2 machines.
* Moving lock file paths to variables.
* Adding docs about connection management.
* Fixing placement of lock files on ASGs.
* Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone).
* Adding in a lock file removal if we do not replace the ASG.
* Bug fixes 2.x pr 2.x (#1715)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Bug fixes 2.x pr 2.x (#1717)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Creating a ce-provision installer script. 
(#1724) * Installer pr 2.x (#1726) * Creating a ce-provision installer script. * Updating installation docs. * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline … * Enhanced quick start pr devel 2.x (#2210) * Changing import_role to include_vars for vars only Wazuh roles. (#1524) * Wazuh fixes pr 2.x (#1526) * Changing import_role to include_vars for vars only Wazuh roles. * We cannot use the _domain_name var in this context. * Adding cipher to client template and fixing default push route. (#1528) * Switching key server pr 2.x (#1531) * Switching-key-server * Switching-key-server-mysql * Fixing-empty-line * Fixing-mysql-role (#1534) * Fixing-mysql-role * Fixing-linting * Fixing-broken-mysql-role (#1536) * R68801 gzip nginx cloudfront pr 2.x (#1544) * r68801-r67628-gzip-nginx-cloudfront * r68801-r67628-gzip-nginx-cloudfront * remove test tasks * remove test tasks * remove test tasks * Making Duplicity use venvs. (#1547) * Making Duplicity use venvs. * Installing venvs as the correct user. * Setting Duplicity user back to root and installing 'fasteners' in the venv. * Duplicity --s3-european-buckets option deprecated. * Ansible in init pr 2.x (#1554) * Adding new Python pip package role. 
* Updating NGINX and Boto3 roles to use the new Python pip role. * Moving Ansible install to _init. * Detecting connection type before installing Ansible. * The _init role should not generate SSH keys and ce_provision should optionally install a new user. * Updating documentation. * Switching to using the user_provision role for controller user in _init. * Allowing for ce_provision to install Ansible in another location. * Passing vars to the core Ansible install. * We will need linters if the system didn't install them. * Duplicity role doesn't need to ensure permissions, it's done in python_pip_packages already. * Allowing ce-provision to set a different UID from the system user. * Mailpit role pr 2.x (#1522) * Stopping NGINX dropping a proxy vhost for LE if we have a services[] list. * Adding the new Mailpit role. * Updating docs. * Variable name typo. * Adding a mailpit_open firewall rule to make life easier in containers. * Final pass of Mailpit role, now works straight away in containers. * Acm san cert replacement pr 2.x (#1561) * Minor docs update for ASG role. * Adding logic to check if extra domains are in our SAN certificate already. * Fixing SAN cert list creation. * Simplifying SAN look-up, sticking to selected certificate. * Ensure we have a SAN domains list before trying to loop over it. * Moving post-create ACM actions to a block. * Adding variable to store obsolete ARN in, could be useful. * Fixing bug with ACM certificate lookup, using ARN instead of domain to avoid multiple responses. * Making Bookworm the default base distro. (#1565) * Making Bookworm the default base distro. * Updating default volume type for EC2 instances to gp3. * Allow the setting of base AMI filter for Packer in ASG role. * Updating ASG docs. * Nginx domain handling pr 2.x (#1568) * Moving SSL handling to a separate tasks file. * Making more NGINX settings available for modification. * Allowing more variables to be set for PHP-FPM and the cli.
* Adding template line-break for NGINX _common config for style. * Fixing timer backup job for LDAP servers. (#1574) * Ldap server schedule fixes pr 2.x (#1578) * Fixing timer backup job for LDAP servers. * Setting path to LDAP server backup log. * Adding-ami-cleanup-role (#1580) Co-authored-by: Matej Stajduhar * Adding ami cleanup role 2.x pr 2.x (#1582) * Adding-ami-cleanup-role * adding-domain-name-in-scheduler-to-differ-if-multiple-ASGs-are-in-same-region --------- Co-authored-by: Matej Stajduhar * r68801-improve-caching-behavior-and-some-nginx-fixes (#1572) * r68801-improve-caching-behavior-and-some-nginx-fixes * r68801-improve-caching-behavior-and-some-nginx-fixes * add_header to variable * add_header to variable * remove extra ; * MOAR blocks * moving-assume-role-to-files-folder (#1588) * moving-assume-role-to-files-folder * Changing-lookup-function * Changing-lookup-function-2 --------- Co-authored-by: Matej Stajduhar * Adding-retry-and-delay-on-lambda-creation-due-to-IAM-role-creation (#1593) Co-authored-by: Matej Stajduhar * Adding-wait-task-prior-to-lambda-creation (#1595) Co-authored-by: Matej Stajduhar * nginx-config-backup-and-cleaup-vhosts-on-rebuild (#1590) * nginx-config-backup-and-cleaup-vhosts-on-rebuild * change module from command to unarchive * change module from command to unarchive * Adding-CF-S3-logging (#1596) Co-authored-by: Matej Stajduhar * php clear_env config option (#1599) * move ssl to domain.yml to fix the loop; remove checking for existing vhost as the LE proxy handling may not be there if SSL wasn't configured before, and the vhost will not be there as we are recreating them by default (#1601) * Allowing multiple clamscan wrapper scripts and timers per server. (#1538) * Allowing multiple clamscan wrapper scripts and timers per server. * Updating docs! * Giving the timer a consistent name.
* r69219-Updating-Scheduler-json-target (#1603) Co-authored-by: Matej Stajduhar * R68069 alb healthchecks and nginx pr 2.x (#1609) * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-nice-indentation * R69332 le cron mail alerts pr 2.x (#1605) * r69332-le-cron-mail-alerts * Changing-recipient-to-var * Changing-recipient-to-var-2 * Fixing-email-var * Fixing-email-var-2 * Aws acl defaults pr 2.x (#1614) * Fixing AWS ACL role defaults. * Docs update. * Punctuation fix! * Small-changes-to-roles (#1617) Co-authored-by: Matej Stajduhar * Updating-aws-acl-role (#1626) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1620) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Apt repo role pr 2.x (#1631) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. 
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * required_paramater_for_gp3_storage_type_tidying_up_and_refactoring (#1641) * required_paramater_for_gp3_storage_type_tidying_up_and_refactoring * fix vars * fixing more vars * fixing more vars * fixing loop in template * fixing_rds_vars (#1652) * Fixing-aws-acl-condition (#1654) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1661) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. 
* Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. * Adding missing repo format var to all APT repo handling. * Updating docs. * Bug fixes 2.x pr 2.x (#1662) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * fix(scripts): Fix git checkout to fetch any new branches (#1655) * Apt repo role pr 2.x (#1666) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. 
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. * Adding missing repo format var to all APT repo handling. * Updating docs. * Fixing bug where list is passed instead of dict for systemd timer. * Bug fixes 2.x pr 2.x (#1667) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. 
* python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Bug fixes 2.x pr 2.x (#1670) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. 
* Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Updating-waf-acl-role (#1672) Co-authored-by: Matej Stajduhar * Setting up proxy vhost pr 2.x (#1674) * Setting-up-proxy-vhost * Setting-up-proxy-vhost-2 * Fixing-typo (#1676) * New-version-of-aws-acl-role (#1683) * New-version-of-aws-acl-role * Fixing-jinja-linting --------- Co-authored-by: Matej Stajduhar * Updating-nginx-template (#1688) * Updating-aws_backup-to-register-iam-arn-2 (#1696) Co-authored-by: Matej Stajduhar * Updating-nginx-htpasswd-task-2 (#1698) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1702) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * r69424-Adding-resource-group-task (#1706) Co-authored-by: Matej Stajduhar * Adding lock file behaviour to ce-provision. (#1708) * Adding lock file behaviour to ce-provision. * Updating documentation. * Adding extra lock file handling for ASG EC2 machines. * Moving lock file paths to variables. * Adding docs about connection management. * Fixing placement of lock files on ASGs. * Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone). * Adding in a lock file removal if we do not replace the ASG. * Bug fixes 2.x pr 2.x (#1715) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Bug fixes 2.x pr 2.x (#1717) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Creating a ce-provision installer script. 
(#1724) * Installer pr 2.x (#1726) * Creating a ce-provision installer script. * Updating installation docs. * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local 
backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bu… * Enhanced quick start pr devel 2.x (#2212) * Making Duplicity use venvs. (#1547) * Making Duplicity use venvs. * Installing venvs as the correct user. * Setting Duplicity user back to root and installing 'fasteners' in the venv. * Duplicity --s3-european-buckets option deprecated. * Ansible in init pr 2.x (#1554) * Adding new Python pip package role. * Updating NGINX and Boto3 roles to use the new Python pip role. * Moving Ansible install to _init. * Detecting connection type before installing Ansible. * The _init role should not generate SSH keys and ce_provision should optionally install a new user. * Updating documentation. * Switching to using the user_provision role for controller user in _init. * Allowing for ce_provision to install Ansible in another location. * Passing vars to the core Ansible install. * We will need linters if the system didn't install them. * Duplicity role doesn't need to ensure permissions, it's done in python_pip_packages already. * Allowing ce-provision to set a different UID from the system user. * Mailpit role pr 2.x (#1522) * Stopping NGINX dropping a proxy vhost for LE if we have a services[] list. * Adding the new Mailpit role. * Updating docs. * Variable name typo. 
* Adding a mailpit_open firewall rule to make life easier in containers. * Final pass of Mailpit role, now works straight away in containers. * Acm san cert replacement pr 2.x (#1561) * Minor docs update for ASG role. * Adding logic to check if extra domains are in our SAN certificate already. * Fixing SAN cert list creation. * Simplifying SAN look-up, sticking to selected certificate. * Ensure we have a SAN domains list before trying to loop over it. * Moving post-create ACM actions to a block. * Adding variable to store obsolete ARN in, could be useful. * Fixing bug with ACM certificate lookup, using ARN instead of domain to avoid multiple responses. * Making Bookworm the default base distro. (#1565) * Making Bookworm the default base distro. * Updating default volume type for EC2 instances to gp3. * Allow the setting of base AMI filter for Packer in ASG role. * Updating ASG docs. * Nginx domain handling pr 2.x (#1568) * Moving SSL handling to a separate tasks file. * Making more NGINX settings available for modification. * Allowing more variables to be set for PHP-FPM and the cli. * Adding template line-break for NGINX _common config for style. * Fixing timer backup job for LDAP servers. (#1574) * Ldap server schedule fixes pr 2.x (#1578) * Fixing timer backup job for LDAP servers. * Setting path to LDAP server backup log. 
* Adding-ami-cleanup-role (#1580) Co-authored-by: Matej Stajduhar * Adding ami cleanup role 2.x pr 2.x (#1582) * Adding-ami-cleanup-role * adding-domain-name-in-scheduler-to-differ-if-multiple-ASGs-are-in-same-region --------- Co-authored-by: Matej Stajduhar * r68801-improve-caching-behavior-and-some-nginx-fixes (#1572) * r68801-improve-caching-behavior-and-some-nginx-fixes * r68801-improve-caching-behavior-and-some-nginx-fixes * add_header to variable * add_header to variable * remove extra ; * MOAR blocks * moving-assume-role-to-files-folder (#1588) * moving-assume-role-to-files-folder * Changing-lookup-function * Changing-lookup-function-2 --------- Co-authored-by: Matej Stajduhar * Adding-retry-and-delay-on-lambda-creation-due-to-IAM-role-creation (#1593) Co-authored-by: Matej Stajduhar * Adding-wait-task-prior-to-lambda-creation (#1595) Co-authored-by: Matej Stajduhar * nginx-config-backup-and-cleaup-vhosts-on-rebuild (#1590) * nginx-config-backup-and-cleaup-vhosts-on-rebuild * change module from command to unarchive * change module from command to unarchive * Adding-CF-S3-logging (#1596) Co-authored-by: Matej Stajduhar * php clear_env config option (#1599) * move ssl to domain.yml to fix the loop; remove checking for existing vhost as the LE proxy handling may not be there if SSL was not configured before, and the vhost will not be there as we are recreating them by default (#1601) * Allowing multiple clamscan wrapper scripts and timers per server. (#1538) * Allowing multiple clamscan wrapper scripts and timers per server. * Updating docs. * Giving the timer a consistent name. 
* r69219-Updating-Scheduler-json-target (#1603) Co-authored-by: Matej Stajduhar * R68069 alb healthchecks and nginx pr 2.x (#1609) * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-nice-indentation * R69332 le cron mail alerts pr 2.x (#1605) * r69332-le-cron-mail-alerts * Changing-recipient-to-var * Changing-recipient-to-var-2 * Fixing-email-var * Fixing-email-var-2 * Aws acl defaults pr 2.x (#1614) * Fixing AWS ACL role defaults. * Docs update. * Punctuation fix! * Small-changes-to-roles (#1617) Co-authored-by: Matej Stajduhar * Updating-aws-acl-role (#1626) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1620) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Apt repo role pr 2.x (#1631) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. 
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * required_paramater_for_gp3_storage_type_tidying_up_and_refactoring (#1641) * required_paramater_for_gp3_storage_type_tidying_up_and_refactoring * fix vars * fixing more vars * fixing more vars * fixing loop in template * fixing_rds_vars (#1652) * Fixing-aws-acl-condition (#1654) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1661) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. 
* Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. * Adding missing repo format var to all APT repo handling. * Updating docs. * Bug fixes 2.x pr 2.x (#1662) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * fix(scripts): Fix git checkout to fetch any new branches (#1655) * Apt repo role pr 2.x (#1666) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. 
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. * Adding missing repo format var to all APT repo handling. * Updating docs. * Fixing bug where list is passed instead of dict for systemd timer. * Bug fixes 2.x pr 2.x (#1667) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. 
* python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Bug fixes 2.x pr 2.x (#1670) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. 
* Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Updating-waf-acl-role (#1672) Co-authored-by: Matej Stajduhar * Setting up proxy vhost pr 2.x (#1674) * Setting-up-proxy-vhost * Setting-up-proxy-vhost-2 * Fixing-typo (#1676) * New-version-of-aws-acl-role (#1683) * New-version-of-aws-acl-role * Fixing-jinja-linting --------- Co-authored-by: Matej Stajduhar * Updating-nginx-template (#1688) * Updating-aws_backup-to-register-iam-arn-2 (#1696) Co-authored-by: Matej Stajduhar * Updating-nginx-htpasswd-task-2 (#1698) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1702) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * r69424-Adding-resource-group-task (#1706) Co-authored-by: Matej Stajduhar * Adding lock file behaviour to ce-provision. (#1708) * Adding lock file behaviour to ce-provision. * Updating documentation. * Adding extra lock file handling for ASG EC2 machines. * Moving lock file paths to variables. * Adding docs about connection management. * Fixing placement of lock files on ASGs. * Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone). * Adding in a lock file removal if we do not replace the ASG. * Bug fixes 2.x pr 2.x (#1715) * Improving AWS subnet docs. 
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Bug fixes 2.x pr 2.x (#1717) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Creating a ce-provision installer script. 
(#1724) * Installer pr 2.x (#1726) * Creating a ce-provision installer script. * Updating installation docs. * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. * Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. 
* Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Removing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. 
* Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add mattermost project type * ssl on handled by nginx role (#1814) * fix mattermost nginx include (#1822) * remove unsupported nginx option (#1824) * Restore testing update pr 2.x (#1832) * Restore-testing-update * Restore-testing-update-2 --------- Co-authored-by: Matej Stajduhar * Resolving conflicts pr 2.x (#1834) * Fixing-conflicts-and-updating-docs * Fixed-conflicts * Fixed-conflicts-2 --------- Co-authored-by: Matej Stajduhar * initial commit - mattermost local 
backups (#1838) * r69995-Updating-vhost-for-LE-validation (#1843) Co-authored-by: Matej Stajduhar * Changing priority flexibility pr 2.x (#1841) * Changing-priority-flexibility * Changing-priority-flexibility-2 * Adding-aws-acl-to-meta * Adding-cast-to-int-for-priority --------- Co-authored-by: Matej Stajduhar * Aws acl role changes for ip set pr 2.x (#1848) * aws_acl-role-changes-for-ip-set * aws_acl-role-changes-for-ip-set-docs-update --------- Co-authored-by: Matej Stajduhar * add_php_repo_before_apt_extra_packages_task_from_common_base (#1850) * fix_opensearch_vars (#1852) * wait_timeout_for_opensearch_domain_creation (#1854) * wait_timeout_for_opensearch_domain_creation * remove trailing space * Updating-aws-acl-task (#1856) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1859) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. 
* … * Publish docs pr devel 2.x (#2215) * Updating-wazuh-vars (#2048) * Updating-wazuh-vars * Changing-var-defaults * Removing-wrong-variables * r70260-rkhunter-tested-good-tweaks (#2051) * Fixing-LE-renew-timer (#2052) Co-authored-by: Matej Stajduhar * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attempt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#2096) * Improving AWS subnet docs.
* Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! 
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-validation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. * Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. * More verbosity.
* Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references.
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overrides so upgrades do not break the runner. (#586) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overrides so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global. (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull.
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. 
* Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. 
* Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel.
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handlin… * Publish docs pr devel 2.x (#2217) * R70260 rkhunter tweak portpathwhitelist pr 2.x (#2055) * r70260-rkhunter-tweak-portpathwhitelist TEST * sanitise portpath items * Updating-system-role-condition (#2056) * Updating system role condition pr 2.x (#2059) * Updating-system-role-condition * Updating-system-role-condition-v2 * r71121-tweak-nohetznerdhcp-condition (#2061) * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * 
Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. 
* Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. 
* We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * efs_version_fix_for_old_debian_workaround (#2151) * fix(duplicity): Fix 
file name of include/exclude list (#2152) * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. 
* Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. * Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. 
* Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. * More verbosity. * Checking for missing requirements file. * Removing eroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostGreSQL logs to see if there are errors. * Outputting PostGreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. 
* Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. 
* Removing most of the debug lines. * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Changing sidebar paths didn't fix Hugo. * Re-removing opening slash to fix Hugo. * Fixing Sidebar merge issues. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. 
* Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. 
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. 
* Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. 
* Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. 
* Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. 
* Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b…
* Publish docs pr devel 2.x (#2219)
* Turning-off-ami-cleanup-task (#2083)
Co-authored-by: Matej Stajduhar
* Changing subnet for rds pr 2.x (#2087)
* Changing-subnet-for-RDS
* Uncommenting-tasks
---------
Co-authored-by: Matej Stajduhar
* fix(debian/duplicity): Fix missing compilation dependencies (#2029)
* fix(php-fpm): Set a good process children default for bigger servers (#1895)
* fix(php-fpm): Set a good process children default for bigger servers
* Fix min max logic
* formatting
* Fixing-RDS-backup-validation (#2089)
Co-authored-by: Matej Stajduhar
* Updating-postfix-default-transport-maps (#2092)
* Updated lambda backup validation reporting pr 2.x (#2099)
* Updated-lambda-backup-validation-reporting
* Updating-docs
* Updating-lambda-handler
* Adding-region-to-cloudwatch-task
* Trimming-version-number-from-lambda
* Fixing-text-manipulation
* Updating-arn-for-cloudwatch-task
---------
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* efs_version_fix_for_old_debian_workaround (#2151)
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Changing sidebar paths didn't fix Hugo.
* Re-removing opening slash to fix Hugo.
* Fixing Sidebar merge issues.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. … * Catching docs-2.x up with 2.x (#2223) * Publish docs pr 2.x (#2193) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. 
* Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. 
* No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. 
(#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. 
* Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. 
* Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. 
* Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. 
* Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. 
(#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. 
* Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. 
* Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. (#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space.
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. 
* GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. 
* Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. 
* Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. 
* Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. 
* Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. 
* Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." 
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to loose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tupples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. 
* Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. 
* Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
…
* Bug fixes 2.x pr devel 2.x (#2224)
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* efs_version_fix_for_old_debian_workaround (#2151)
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role.
(#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding ma…
* Bug fixes 2.x pr devel 2.x (#2228)
* Documentation for PHP in CI.
* Bug fixes 2.x pr 2.x (#2096)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Adding an extra when clause to ACM SAN cert check.
* Trying different approach to ACM SAN cert check.
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Avoiding-backup-restoration-for-dev-env (#2108)
Co-authored-by: Matej Stajduhar
* Updating-nodejs-to-nodistro (#2094)
* Updating-nodejs-to-nodistro
* Fixing-nodejs-unattended-upgrades
* r71344-Updating-aws-acl-role (#2111)
Co-authored-by: Matej Stajduhar
* r71344-Updating-aws-acl-role (#2112)
* r71344-Updating-aws-acl-role
* Adding-option-to-avoid-recreating-ACLs
* Updating-aws-acl-vars
* Updating-aws-acl-vars-2
---------
Co-authored-by: Matej Stajduhar
* Fixing-non-utf8-item (#2116)
Co-authored-by: Matej Stajduhar
* Fixing non utf8 item pr 2.x (#2117)
* Fixing-non-utf8-item
* Changing-var-name-for-when-condition
---------
Co-authored-by: Matej Stajduhar
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-valdation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* efs_version_fix_for_old_debian_workaround (#2151)
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global, (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel.
  (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" Th…
* Documentation update - devel-2.x (#2227)
* Fixing wazuh pr 2.x (#1449)
* Fixing-wazuh
* Fixing-wazuh
* Adding-ansible-builtin-modules
* Adding-debug
* Fixing-vars
* Adding clamdscan package to clamav role. (#1452)
* Bug fixes 2.x pr 2.x (#1454)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Fixing-wazuh-vars (#1456)
* Fixing wazuh vars pr 2.x (#1460)
* Fixing-wazuh-vars
* Fixing-linting
* Updating-sury-keys (#1463)
* Replace ssl certs pr 2.x (#1467)
* Documentation updates.
* Tidying SSL role and allowing option to replace a cert.
* Bug fixes 2.x pr 2.x (#1469)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Fixing-wazuh-variables (#1473)
* Adding-wazuh-path-defaults (#1480)
* Adding-wazuh-path-defaults
* Changing-wazuh-path-location
* Updating wazuh path2x pr 2.x (#1482)
* Updating-wazuh-path2x
* Updating-all-roles-path
* Making Varnish template handling more flexible. (#1485)
* Making Varnish template handling more flexible.
* Adding empty line.
* Varnish config pr 2.x (#1491)
* Making Varnish template handling more flexible.
* Adding empty line.
* Minor template changes.
* Tls for postfix pr 2.x (#1493)
* Some Apache docs updates.
* Sorting TLS for SMTP in Postfix config.
* Left bad domain in example cert paths.
* Setting-port-change-option-for-nginx (#1487)
* Setting-port-change-option-for-nginx
* Update main.yml
* Update nginx.conf.j2
---------
Co-authored-by: Matej Stajduhar
* Tls for postfix pr 2.x (#1498)
* Some Apache docs updates.
* Sorting TLS for SMTP in Postfix config.
* Left bad domain in example cert paths.
* Typo in template var names.
* Changing-LE-default-vhost (#1500)
* Handling allowing client config template for ovpn to have an FQDN. (#1502)
* Openvpn client fqdn pr 2.x (#1504)
* Supporting a fixed PHP version with a fixed port number.
* Accidentally re-added the old VPN role - re-deleting!
* Handling allowing client config template for ovpn to have an FQDN.
* Let's not assume port 1194 for ovpn.
* Openvpn client fqdn pr 2.x (#1506)
* Supporting a fixed PHP version with a fixed port number.
* Accidentally re-added the old VPN role - re-deleting!
* Handling allowing client config template for ovpn to have an FQDN.
* Let's not assume port 1194 for ovpn.
* Tweaking FQDN handling in ovpn.
* Adding volume handling options for Packer.
  (#1508)
* Packer volume handling pr 2.x (#1510)
* Adding volume handling options for Packer.
* Missed a comma in the template, plus adding docs.
* Upading-ssl-vars (#1512)
* Upading-ssl-vars
* Building-docs
* Fixing-ldap-role-ssl-task (#1514)
* r68725-Updating-ACL-role-to-include-ALB-2x (#1518)
Co-authored-by: Matej Stajduhar
* Changing import_role to include_vars for vars only Wazuh roles. (#1524)
* Wazuh fixes pr 2.x (#1526)
* Changing import_role to include_vars for vars only Wazuh roles.
* We cannot use the _domain_name var in this context.
* Adding cipher to client template and fixing default push route. (#1528)
* Switching key server pr 2.x (#1531)
* Switching-key-server
* Switching-key-server-mysql
* Fixing-empty-line
* Fixing-mysql-role (#1534)
* Fixing-mysql-role
* Fixing-linting
* Fixing-broken-mysql-role (#1536)
* R68801 gzip nginx cloudfront pr 2.x (#1544)
* r68801-r67628-gzip-nginx-cloudfront
* r68801-r67628-gzip-nginx-cloudfront
* remove test tasks
* remove test tasks
* remove test tasks
* Making Duplicity use venvs. (#1547)
* Making Duplicity use venvs.
* Installing venvs as the correct user.
* Setting Duplicity user back to root and installing 'fasteners' in the venv.
* Duplicity --s3-european-buckets option deprecated.
* Ansible in init pr 2.x (#1554)
* Adding new Python pip package role.
* Updating NGINX and Boto3 roles to use the new Python pip role.
* Moving Ansible install to _init.
* Detecting connection type before installing Ansible.
* The _init role should not generate SSH keys and ce_provision should optionally install a new user.
* Updating documentation.
* Switching to using the user_provision role for controller user in _init.
* Allowing for ce_provision to install Ansible in another location.
* Passing vars to the core Ansible install.
* We will need linters if the system didn't install them.
* Duplicity role doesn't need to ensure permissions, it's done in python_pip_packages already.
* Allowing ce-provision to set a different UID from the system user.
* Mailpit role pr 2.x (#1522)
* Stopping NGINX dropping a proxy vhost for LE if we have a services[] list.
* Adding the new Mailpit role.
* Updating docs.
* Variable name typo.
* Adding a mailpit_open firewall rule to make life easier in containers.
* Final pass of Mailpit role, now works straight away in containers.
* Acm san cert replacement pr 2.x (#1561)
* Minor docs update for ASG role.
* Adding logic to check if extra domains are in our SAN certificate already.
* Fixing SAN cert list creation.
* Simplifying SAN look-up, sticking to selected certificate.
* Ensure we have a SAN domains list before trying to loop over it.
* Moving post-create ACM actions to a block.
* Adding variable to store obsolete ARN in, could be useful.
* Fixing bug with ACM certificate lookup, using ARN instead of domain to avoid multiple responses.
* Making Bookworm the default base distro. (#1565)
* Making Bookworm the default base distro.
* Updating default volume type for EC2 instances to gp3.
* Allow the setting of base AMI filter for Packer in ASG role.
* Updating ASG docs.
* Nginx domain handling pr 2.x (#1568)
* Moving SSL handling to a separate tasks file.
* Making more NGINX settings available for modification.
* Allowing more variables to be set for PHP-FPM and the cli.
* Adding template line-break for NGINX _common config for style.
* Fixing timer backup job for LDAP servers. (#1574)
* Ldap server schedule fixes pr 2.x (#1578)
* Fixing timer backup job for LDAP servers.
* Setting path to LDAP server backup log.
* Adding-ami-cleanup-role (#1580)
Co-authored-by: Matej Stajduhar
* Adding ami cleanup role 2.x pr 2.x (#1582)
* Adding-ami-cleanup-role
* adding-domain-name-in-scheduler-to-differ-if-multiple-ASGs-are-in-same-region
---------
Co-authored-by: Matej Stajduhar
* r68801-improve-caching-behavior-and-some-nginx-fixes (#1572)
* r68801-improve-caching-behavior-and-some-nginx-fixes
* r68801-improve-caching-behavior-and-some-nginx-fixes
* add_header to variable
* add_header to variable
* remove extra ;
* MOAR blocks
* moving-assume-role-to-files-folder (#1588)
* moving-assume-role-to-files-folder
* Changing-lookup-function
* Changing-lookup-function-2
---------
Co-authored-by: Matej Stajduhar
* Adding-retry-and-delay-on-lambda-creation-due-to-IAM-role-creation (#1593)
Co-authored-by: Matej Stajduhar
* Adding-wait-task-prior-to-lambda-creation (#1595)
Co-authored-by: Matej Stajduhar
* nginx-config-backup-and-cleaup-vhosts-on-rebuild (#1590)
* nginx-config-backup-and-cleaup-vhosts-on-rebuild
* change module from command to unarchive
* change module from command to unarchive
* Adding-CF-S3-logging (#1596)
Co-authored-by: Matej Stajduhar
* php clear_env config option (#1599)
* move ssl to domain.yml to fix the loop; remove checking for existing vhost as the LE proxy handling may not be there if SSL was not configured before, and the vhost will not be there as we are recreating them by default (#1601)
* Allowing multiple clamscan wrapper scripts and timers per server. (#1538)
* Allowing multiple clamscan wrapper scripts and timers per server.
* Updating docs.
* Giving the timer a consistent name.
* r69219-Updating-Scheduler-json-target (#1603)
Co-authored-by: Matej Stajduhar
* R68069 alb healthchecks and nginx pr 2.x (#1609)
* r68069-alb-healthchecks-and-nginx
* r68069-alb-healthchecks-and-nginx
* r68069-alb-healthchecks-and-nginx
* r68069-nice-indentation
* R69332 le cron mail alerts pr 2.x (#1605)
* r69332-le-cron-mail-alerts
* Changing-recipient-to-var
* Changing-recipient-to-var-2
* Fixing-email-var
* Fixing-email-var-2
* Aws acl defaults pr 2.x (#1614)
* Fixing AWS ACL role defaults.
* Docs update.
* Punctuation fix!
* Small-changes-to-roles (#1617)
Co-authored-by: Matej Stajduhar
* Updating-aws-acl-role (#1626)
Co-authored-by: Matej Stajduhar
* Apt repo role pr 2.x (#1620)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Apt repo role pr 2.x (#1631)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Adding MySQL repo to unattended upgrades.
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.
* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.
* Updating docs index.
* Adding Docker repo to unattended upgrades.
* Updating MySQL docs.
* Updating repo handling for GitLab and GitLab Runner.
* Ensuring wget is installed.
* wget seems more reliable than cURL for key fetching.
* Updating Jenkins repo handling.
* Fixing openjdk default version and updating nodejs APT repo handling.
* Removing OSSEC, replaced by Wazuh.
* Updating repo handling for the PAM LinOTP role.
* Updating repo handling for the LHCI role.
* Updating repo handling for PHP components.
* Trying out a different config for Jenkins.
* Updating docs.
* Forgot to remove old yarn repo code.
* Adding python3-debian package to python_common defaults to avoid first build failures.
* Adding list format support to APT role.
* Testing list format support with jenkins role.
* Downloading GPG public key.
* Ensuring the _apt_repository.key_filename var exists.
* Fixing SSL vars in Jenkins role.
* Updating repo handling for jitsi role.
* Updating docs.
* Bad SSL var name.
* required_paramater_for_gp3_storage_type_tidying_up_and_refactoring (#1641)
* required_paramater_for_gp3_storage_type_tidying_up_and_refactoring
* fix vars
* fixing more vars
* fixing more vars
* fixing loop in template
* fixing_rds_vars (#1652)
* Fixing-aws-acl-condition (#1654)
Co-authored-by: Matej Stajduhar
* Apt repo role pr 2.x (#1661)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Adding MySQL repo to unattended upgrades.
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.
* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.
* Updating docs index.
* Adding Docker repo to unattended upgrades.
* Updating MySQL docs.
* Updating repo handling for GitLab and GitLab Runner.
* Ensuring wget is installed.
* wget seems more reliable than cURL for key fetching.
* Updating Jenkins repo handling.
* Fixing openjdk default version and updating nodejs APT repo handling.
* Removing OSSEC, replaced by Wazuh.
* Updating repo handling for the PAM LinOTP role.
* Updating repo handling for the LHCI role.
* Updating repo handling for PHP components.
* Trying out a different config for Jenkins.
* Updating docs.
* Forgot to remove old yarn repo code.
* Adding python3-debian package to python_common defaults to avoid first build failures.
* Adding list format support to APT role.
* Testing list format support with jenkins role.
* Downloading GPG public key.
* Ensuring the _apt_repository.key_filename var exists.
* Fixing SSL vars in Jenkins role.
* Updating repo handling for jitsi role.
* Updating docs.
* Bad SSL var name.
* Making timer name dynamic.
* Adding missing repo format var to all APT repo handling.
* Updating docs.
* Bug fixes 2.x pr 2.x (#1662)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* fix(scripts): Fix git checkout to fetch any new branches (#1655)
* Apt repo role pr 2.x (#1666)
* First pass at APT repo role.
* Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal.
* Adding role documentation.
* Adding new role to MySQL role to test.
* Adding python-debian dependency for deb822 repo handling.
* Removing obsolete variable check.
* Defaulting the APT 'suites' value to the Ansible-detected release name.
* Adding APT suite to MySQL repo installation.
* Better docs and fixed a syntax error.
* Fixing shell script for refreshing APT keys.
* Ensuring APT clean-up in _exit always runs as root.
* Fixing up MySQL config for 8.0 and tidying vars.
* Adding MySQL repo to unattended upgrades.
* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.
* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.
* Updating docs index.
* Adding Docker repo to unattended upgrades.
* Updating MySQL docs.
* Updating repo handling for GitLab and GitLab Runner.
* Ensuring wget is installed.
* wget seems more reliable than cURL for key fetching.
* Updating Jenkins repo handling.
* Fixing openjdk default version and updating nodejs APT repo handling.
* Removing OSSEC, replaced by Wazuh.
* Updating repo handling for the PAM LinOTP role.
* Updating repo handling for the LHCI role.
* Updating repo handling for PHP components.
* Trying out a different config for Jenkins.
* Updating docs.
* Forgot to remove old yarn repo code.
* Adding python3-debian package to python_common defaults to avoid first build failures.
* Adding list format support to APT role.
* Testing list format support with jenkins role.
* Downloading GPG public key.
* Ensuring the _apt_repository.key_filename var exists.
* Fixing SSL vars in Jenkins role.
* Updating repo handling for jitsi role.
* Updating docs.
* Bad SSL var name.
* Making timer name dynamic.
* Adding missing repo format var to all APT repo handling.
* Updating docs.
* Fixing bug where list is passed instead of dict for systemd timer.
* Bug fixes 2.x pr 2.x (#1667)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Bug fixes 2.x pr 2.x (#1670)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Updating-waf-acl-role (#1672)
Co-authored-by: Matej Stajduhar
* Setting up proxy vhost pr 2.x (#1674)
* Setting-up-proxy-vhost
* Setting-up-proxy-vhost-2
* Fixing-typo (#1676)
* New-version-of-aws-acl-role (#1683)
* New-version-of-aws-acl-role
* Fixing-jinja-linting
---------
Co-authored-by: Matej Stajduhar
* Updating-nginx-template (#1688)
* Updating-aws_backup-to-register-iam-arn-2 (#1696)
Co-authored-by: Matej Stajduhar
* Updating-nginx-htpasswd-task-2 (#1698)
Co-authored-by: Matej Stajduhar
* Bug fixes 2.x pr 2.x (#1702)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* r69424-Adding-resource-group-task (#1706)
Co-authored-by: Matej Stajduhar
* Adding lock file behaviour to ce-provision. (#1708)
* Adding lock file behaviour to ce-provision.
* Updating documentation.
* Adding extra lock file handling for ASG EC2 machines.
* Moving lock file paths to variables.
* Adding docs about connection management.
* Fixing placement of lock files on ASGs.
* Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone).
* Adding in a lock file removal if we do not replace the ASG.
* Bug fixes 2.x pr 2.x (#1715)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Bug fixes 2.x pr 2.x (#1717)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Creating a ce-provision installer script.
(#1724)
* Installer pr 2.x (#1726)
* Creating a ce-provision installer script.
* Updating installation docs.
* Bug fixes 2.x pr 2.x (#1730)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Installer pr 2.x (#1732)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Installing certbot in a python venv. (#1659)
* Installing certbot in a python venv.
* Changing default location for Python packages.
* Allowing the ansible role to override venv settings.
* Preventing ce_deploy from installing in an entirely separate venv by default.
* Updating certbot installation to use _init venv variables.
* Updating duplicity role to use _init venv variables by default.
* Ordering pip docs.
* Update documentation.
* Fixing Ansible path in installer.
* Fixing occurrences of path to venv.
* Installer pr 2.x (#1735)
* Creating a ce-provision installer script.
* Updating installation docs.
* Adding pip upgrade line and python-debian.
* Updating docs.
* Some minor installer bug fixes.
* Bug fixes 2.x pr 2.x (#1737)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Bug fixes 2.x pr 2.x (#1738)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Fixing-ACM-SAN-behaviour (#1739)
* Bug fixes 2.x pr 2.x (#1742)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Grouping systemd timer tasks together.
* Exposing ce-provision version in build output.
* Wrong variable in meta role for controller username.
* Removing any reference to _aws variables in debian role defaults.
* Setting more sane ASG defaults.
* Making ClamAV timers a list so they can be entirely replaced.
* Spacing fix for linting.
* Renaming npm module.
* Removing NGINX installation as part of phpMyAdmin role by default.
* Fixing Varnish handler names.
* Excluding name[casing] rule from linting due to false positives.
* Put rule in wrong place!
* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.
* Capturing lock file limitations in comment.
* Updating documentation for LE.
* Using pip to install certbot plugins.
* Updating README docs.
* Docs error corrected.
* Working around deprecated SSH algorithms.
* Upgrading SSH key type standard for controller and deploy users.
* Adding SCP args for legacy mode needed by Packer.
* Bug fixes 2.x pr 2.x (#1749)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. 
* Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. 
* Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. 
* Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. 
* Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no s… * Bug fixes 2.x pr devel 2.x (#2230) * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. 
* Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. * Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test.
* Adding a separate step for Git actions. * Need sudo for Ubuntu. * efs_version_fix_for_old_debian_workaround (#2151) * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * fix(duplicity): Fix file name of include/exclude list (#2152) * Running a find to see if we can find the missing roles. * More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_children to an integer to avoid CI issues. * Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. * Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provision. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach.
* ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. * More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. * Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. 
* Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. * Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. 
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role.
  (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overrides so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overrides so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
  This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
  This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel.
  (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
  Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for ce-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml d…
* Bug fixes 2.x pr devel 2.x (#2232)
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* efs_version_fix_for_old_debian_workaround (#2151)
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASGs own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to ho…
* Bug fixes 2.x pr devel 2.x (#2234)
* Fixing-utf8 (#2129)
* Fixing utf8-2.x (#2131)
* Fixing-utf8
* Adding-debug
* Changing-lambda-creation-from-tip-file-to-s3 (#2122)
* Changing-lambda-creation-from-tip-file-to-s3
* Fixing-syntax-error
* indentation-fix
* Finishing-backup-validation-role
---------
Co-authored-by: Matej Stajduhar
* Updating email notification title pr 2.x (#2140)
* Updating-email-notification-title
* Resolving-conflicts
* Resolving-conflicts-2
---------
Co-authored-by: Matej Stajduhar
* Adding-defaults-to-max-children (#2141)
* Adding defaults to max children pr 2.x (#2144)
* Adding-defaults-to-max-children
* Updating-max-children
* Updating-php-defaults (#2145)
* Updating php defaults pr 2.x (#2147)
* Updating-php-defaults
* Updating-php-defaults
* Updating-php-defaults
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* efs_version_fix_for_old_debian_workaround (#2151)
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544)
  This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Gitlab runner service override pr 1.x (#591)
* Fixing gitlab-runner overriders so upgrades do not break the runner.
* Fixing override file template.
* Hopefully fixing CI.
* Making sure the service directory exists.
* We cannot use the deploy meta role in CI because of LDAP.
* Changing dir perms and adding a force.
* Debugging gitlab-runner directory creation issues in CI.
* Fixing linting error.
* Removing verbosity again but leaving 'stat' command in.
* Pass db_cluster_identifier for RDS instance during ASG build (#600)
* Pass RDS db_cluster_identifier, if present, during an ASG build.
* Use correct variable name for RDS db_cluster_identifier.
* Add a commented variable to ASG role for db_cluster_identifier so it's documented.
* Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605)
* Removing obsolete MySQL config option log_syslog from template. (#607)
* GitHub Actions - Rebuilt documentation. (#536)
Co-authored-by: Code Enigma CI
* Consistent default region pr 1.x (#611)
* Moving all region settings to _aws_region var and adding README update.
* Documentation update.
* No need for region, IAM SAML setup is global. (#617)
* Support ebs encryption pr 1.x (#609)
* Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2.
* Setting more sane default instance sizes.
* Adding more EBS options for ASGs.
* Setting encryption to match AMI settings.
* Setting encryption to match AMI settings.
* We also need to dynamically set the ASG's own encrypt_boot var.
* We need to merge the new branch changes before we can rebuild the docs.
* Fixing merge command in CI.
* Not sure toc.sh is actually executing.
* Refactoring encrypt EBS flags to avoid detected loop condition in vars.
* Safer CI, only adds .md files.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying to figure out CI logic for building docs.
* Trying adding a git pull.
* Setting git pull config options.
* Reordering things.
* Adding --allow-unrelated-histories to the git pull.
* Trying a feature branch approach.
* Forcing the GitHub action to fetch all git history.
* Bad whitespace, naughty whitespace.
* Trying a different PR action.
* Do not merge the branch in, we only want the markdown changes.
* Keeping the documentation branch clean.
* We need to push a detached HEAD.
* Do we need the checkout at all?
* Adding a docs pull.
* Allow install|update scripts in Drupal8+ (#599)
* Add some flexibility to Packer (#633)
* Add ability to pass on-error and force to Packer.
* Add new Packer options to the ASG role as well.
* Packer build options need to be declared before the file that is being built.
* Allow Packer ssh_username to be set.
* Making PHP >= 8.0 compatible (#634)
* Packer VPC filtering (#638)
* Add ability to set vpc_filter and subnet AZ for Packer builds.
* Add fqcn-builtins to .ansible-lint warn_list for now.
* GitHub Actions seemingly ignores warn_list.
* Use simplified variables for Packer VPC stuff.
* Only use one filter when filtering VPCs for Packer.
* Cert management pr 1.x (#640)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Cert management pr 1.x (#642)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* Cert management pr 1.x (#644)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Cert management pr 1.x (#647)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Fix Nginx auth_message in vhost (#653)
* Revert auth_message change in Nginx role for now.
* Revert "Revert auth_message change in Nginx role for now."
This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179.
* Add default for Nginx auth_message.
* Cert management pr 1.x (#655)
* Making sure we can't accidentally commit AWS API credentials.
* Initial commit of ACM role.
* Only pause for a get-certificate call if we want to export.
* Updating docs.
* Missed a couple of variables to update.
* We cannot rely on the variable being nonexistent here.
* Allowing ce-provision to set the basic auth message for Nginx.
* Supporting SAN certs and tags on ACM certificates.
* Fixing namespacing.
* Auto-generating SSL certs for ALB and CloudFront.
* More namespace fixes.
* Fixing CI issue with missing AWS region var.
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds.
* Adding public IP option to LC config for ASGs.
* Refactoring ACM domain handling so we can create DNS entries for each SAN domain.
* Fixing mistake in domains set_fact.
* Fixing AnsibleUndefined bug caused by skipped task.
* Handling multiple domain validations for SAN certs.
* Fixing bad variable name.
* Fixing ASG DNS entries so it adds entries for SAN cert domains too.
* For DNS validation we should not use --domain-validation-options at all.
* Writing over the aws_acm.extra_domains var didn't work, setting a new var instead.
* Bad dict structure.
* Improving multi domain handling for ASG DNS.
* Supporting multiple CloudFront aliases for an ASG.
* Adding options to disable sign-up, sign-in and private projects. (#663)
* Making ALB healthchecks optional and defaulting to disabled. (#670)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Remove alb healthchecks pr 1.x (#673)
* Making ALB healthchecks optional and defaulting to disabled.
* Defaulting back to ELB health checks.
* Making sure new clusters won't fail because no ALB yet.
* Allow user to set cachetool version in the opcache role. (#665)
* Allow user to set cachetool version in the opcache role.
* Adding a comment for a future improvement.
* Adding a 'repack' option for AMIs and ASGs. (#675)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Ami repack option pr 1.x (#707)
* Adding a 'repack' option for AMIs and ASGs.
* Adding an option to force a Packer rebuild in an ASG.
* Fixing EC2 instance look-up to use cluster name.
* Separating AMI provisioning tasks into a tasks file that can be included.
* Refactoring AMI operation to allow current behaviour to remain default.
* Trying to delegate tasks to target repack instance.
* Switching from import_tasks to include_tasks.
* Fixing the instance DNS name var.
* Changing approach to make a standalone machine to generate AMI from.
* Gah! Typo!
* AMI generation requires region and profile.
* Didn't wrap instance_id lookup properly.
* Fixing some missing namespaces.
* Missed a bad var when fixing.
* Adding full set of variables for EC2 instance.
* Fixing AWS SSH key name.
* Decided not to use the EC2 + EIP role.
* Trying to add a pause after instance launch.
* Passing the target branch to Ansible as a var.
* Support absolute paths to playbooks.
* Refactoring to make ce-provision call itself for AMI packing tasks.
* Doubled up the script path.
* Switching to base dir var for ce-provision call.
* Moving temp EC2 instances for AMI creation to subnet with IGW.
* State of EC2 instance needs to be started instead of running.
* We need to delete the AMI we created before making another one.
* Refactoring AMI repack variables for readability and removing volume size.
* Missed a refactored var.
* Defending against AMI volume size issues for ASGs.
* Refactoring extra vars handling.
* For some reason Packer seems to double the brackets.
* Revert "For some reason Packer seems to double the brackets."
This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5.
* Fixing packer.json white space.
* We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it.
* Slight refactor to move the extra vars building to the relevant included tasks.
* Slight documentation change.
* Moved config extra vars to ce-provision as they are globally sane.
* Error in jinja list building for RDS.
* Trailing VPC ID fields using the wrong variable.
* Editing GitLab config so LE is enabled and auto-renewing by default. (#709)
* Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712)
* Add a task in ASG role to add an Aurora RDS endpoint. (#714)
* Ssl le fixes pr 1.x (#725)
* Allow multiple domains to be passed.
* Ensuring we don't break older implementations.
* First pass at a bash script we can run on cron for LE renewals.
* Place the autorenewal script and create a cron entry.
* Allowing the HTTP-01 listen port to be set to something other than 80.
* Need single quotes within our double quotes.
* Adding optional proxy for LE.
* Revert "Adding optional proxy for LE."
This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel.
(#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. 
* Installing n… * Catching up docs-2.x (#2236) * Publish docs pr 2.x (#2193) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. 
* python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. * Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. 
* Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. (#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. 
* Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. 
* We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. 
* Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. 
* Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. 
* Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. 
* Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. 
* Revert "Adding optional proxy for LE."
  This reverts commit cf5720b450744915872eacafee82164300df90aa.
* Adding support for apache and nginx plugins for certbot.
* Fixing quote error.
* Fixing SSL LE handling and ensuring other handlers work with multiple provided domains.
* Fixing issue with selecting first domain.
* Correcting variable names.
* LE cron template missing an endfor.
* Missing carriage return in LE cron script.
* Turns out you can't alter facts passed in via vars by include_role.
* Fixing SSL defaults.
* Realised if there are multiple different LE runs each needs its own renewal cron.
* Ensure builds don't fail if ssl.web_server isn't provided.
* Defending against empty SSL services list.
* Improving vhost template LE handling.
* Adjusting SSL cert and key var names.
* Adding a temporary vhost so newly added domains can request LE certs.
* Tabbing error.
* Fixing possible 'resolver' errors in Nginx if you use localhost.
* Renaming loopvar from domain to certificate_domain to avoid clash with nginx role.
* Tweaking Nginx LE handling and making certbot commands customisable.
* Fixing minor typo.
* Trying giving include_role the public flag.
* Documentation updates.
* Adding default value to Nginx vhost template.
* Move drupal8 install/update config to drupal_common under if local block. (#733)
* WIP: 58848 apache role pr 1.x (#667)
* Catching up devel. (#243)
* Devel (#175)
* Wrong filter for efs info
* Fix indentation error
* Do not purge tags on existing EFS
* Wrong name for updating EFS targets
* Remove leftover loop
* Fix error in subnet gathering
* Split EFS creation
* Use subnet ids
* Wrong var name
* Remove dead code
* Wrong var
* Missing subnet ids
* Try not to lose existing SGs
* Try to dedupe targets
* Wrong syntax for combine
* Typo in combining tuples
* Wrong var name for append items
* Fix appending subnets
* Wrong list transformation
* Switch to community module for efs
* Remove unnecessary complexity
* Update documentation
* Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task.
* Remove replace_batch_size from ASG creation task, so it now defaults to 1.
* Wrap Postfix handler commands in quotes. (#26)
* Try using shell instead of command in Postfix handlers.
* GitHub Actions integration (#29)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Use correct variable when setting the RDS instance type as part of ASG creation. (#32)
Co-authored-by: Emlyn Kinzett
* Fix alb health check (#31)
* It's traffic-port, not target-port. Doh.
* Update documentation.
Co-authored-by: Emlyn Kinzett
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements"
  This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash.
  GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision."
  This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell."
  This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check."
  This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash."
  This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues."
  This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40) * Add ability to override Nginx fastcgi_read_timeout value. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#42) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. 
* Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. 
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. Co-authored-by: EmlynK * Generate saml sso requirements devel (#43) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. 
* Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. 
* Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Wrapping the LinOTP code in the SAML template in an 'if' statement. * Extending the check to make sure LinOTP var isn't empty. * Removing references to LDAP in SAML groups attribute config, no need to assume. * Adding docs for the aws_iam_saml role. Co-authored-by: EmlynK * Adding aws_iam_saml docs (#45) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. 
(#40) * Generate saml sso requirements 1x (#44) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash.
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. * Adding AWS CLI and credentials files to local ce-dev. 
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. 
* Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. 
Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. Co-authored-by: EmlynK * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. 
Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. 
* GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seein… * Adding description for vars pr devel 2.x (#2238) * Setting-port-change-option-for-nginx (#1487) * Setting-port-change-option-for-nginx * Update main.yml * Update nginx.conf.j2 --------- Co-authored-by: Matej Stajduhar * Tls for postfix pr 2.x (#1498) * Some Apache docs updates. * Sorting TLS for SMTP in Postfix config. * Left bad domain in example cert paths. * Typo in template var names. * Changing-LE-default-vhost (#1500) * Handling allowing client config template for ovpn to have an FQDN. (#1502) * Openvpn client fqdn pr 2.x (#1504) * Supporting a fixed PHP version with a fixed port number. * Accidentally re-added the old VPN role - re-deleting! * Handling allowing client config template for ovpn to have an FQDN. * Let's not assume port 1194 for ovpn. * Openvpn client fqdn pr 2.x (#1506) * Supporting a fixed PHP version with a fixed port number. * Accidentally re-added the old VPN role - re-deleting! * Handling allowing client config template for ovpn to have an FQDN. * Let's not assume port 1194 for ovpn. * Tweaking FQDN handling in ovpn. * Adding volume handling options for Packer. (#1508) * Packer volume handling pr 2.x (#1510) * Adding volume handling options for Packer. * Missed a comma in the template, plus adding docs. * Upading-ssl-vars (#1512) * Upading-ssl-vars * Building-docs * Fixing-ldap-role-ssl-task (#1514) * r68725-Updating-ACL-role-to-include-ALB-2x (#1518) Co-authored-by: Matej Stajduhar * Changing import_role to include_vars for vars only Wazuh roles. (#1524) * Wazuh fixes pr 2.x (#1526) * Changing import_role to include_vars for vars only Wazuh roles. * We cannot use the _domain_name var in this context. * Adding cipher to client template and fixing default push route.
(#1528) * Switching key server pr 2.x (#1531) * Switching-key-server * Switching-key-server-mysql * Fixing-empty-line * Fixing-mysql-role (#1534) * Fixing-mysql-role * Fixing-linting * Fixing-broken-mysql-role (#1536) * R68801 gzip nginx cloudfront pr 2.x (#1544) * r68801-r67628-gzip-nginx-cloudfront * r68801-r67628-gzip-nginx-cloudfront * remove test tasks * remove test tasks * remove test tasks * Making Duplicity use venvs. (#1547) * Making Duplicity use venvs. * Installing venvs as the correct user. * Setting Duplicity user back to root and installing 'fasteners' in the venv. * Duplicity --s3-european-buckets option deprecated. * Ansible in init pr 2.x (#1554) * Adding new Python pip package role. * Updating NGINX and Boto3 roles to use the new Python pip role. * Moving Ansible install to _init. * Detecting connection type before installing Ansible. * The _init role should not generate SSH keys and ce_provision should optionally install a new user. * Updating documentation. * Switching to using the user_provision role for controller user in _init. * Allowing for ce_provision to install Ansible in another location. * Passing vars to the core Ansible install. * We will need linters if the system didn't install them. * Duplicity role doesn't need to ensure permissions, it's done in python_pip_packages already. * Allowing ce-provision to set a different UID from the system user. * Mailpit role pr 2.x (#1522) * Stopping NGINX dropping a proxy vhost for LE if we have a services[] list. * Adding the new Mailpit role. * Updating docs. * Variable name typo. * Adding a mailpit_open firewall rule to make life easier in containers. * Final pass of Mailpit role, now works straight away in containers. * Acm san cert replacement pr 2.x (#1561) * Minor docs update for ASG role. * Adding logic to check if extra domains are in our SAN certificate already. * Fixing SAN cert list creation. * Simplifying SAN look-up, sticking to selected certificate.
* Ensure we have a SAN domains list before trying to loop over it. * Moving post-create ACM actions to a block. * Adding variable to store obsolete ARN in, could be useful. * Fixing bug with ACM certificate lookup, using ARN instead of domain to avoid multiple responses. * Making Bookworm the default base distro. (#1565) * Making Bookworm the default base distro. * Updating default volume type for EC2 instances to gp3. * Allow the setting of base AMI filter for Packer in ASG role. * Updating ASG docs. * Nginx domain handling pr 2.x (#1568) * Moving SSL handling to a separate tasks file. * Making more NGINX settings available for modification. * Allowing more variables to be set for PHP-FPM and the cli. * Adding template line-break for NGINX _common config for style. * Fixing timer backup job for LDAP servers. (#1574) * Ldap server schedule fixes pr 2.x (#1578) * Fixing timer backup job for LDAP servers. * Setting path to LDAP server backup log. * Adding-ami-cleanup-role (#1580) Co-authored-by: Matej Stajduhar * Adding ami cleanup role 2.x pr 2.x (#1582) * Adding-ami-cleanup-role * adding-domain-name-in-scheduler-to-differ-if-multiple-ASGs-are-in-same-region --------- Co-authored-by: Matej Stajduhar * r68801-improve-caching-behavior-and-some-nginx-fixes (#1572) * r68801-improve-caching-behavior-and-some-nginx-fixes * r68801-improve-caching-behavior-and-some-nginx-fixes * add_header to variable * add_header to variable * remove extra ; * MOAR blocks * moving-assume-role-to-files-folder (#1588) * moving-assume-role-to-files-folder * Changing-lookup-function * Changing-lookup-function-2 --------- Co-authored-by: Matej Stajduhar * Adding-retry-and-delay-on-lambda-creation-due-to-IAM-role-creation (#1593) Co-authored-by: Matej Stajduhar * Adding-wait-task-prior-to-lambda-creation (#1595) Co-authored-by: Matej Stajduhar * nginx-config-backup-and-cleaup-vhosts-on-rebuild (#1590) * nginx-config-backup-and-cleaup-vhosts-on-rebuild * change module from command to unarchive
* change module from command to unarchive * Adding-CF-S3-logging (#1596) Co-authored-by: Matej Stajduhar * php clear_env config option (#1599) * move ssl to domain.yml to fix the loop; remove checking for existing vhost as the LE proxy handling may not be there if SSL was not configured before, and the vhost will not be there as we are recreating them by default (#1601) * Allowing multiple clamscan wrapper scripts and timers per server. (#1538) * Allowing multiple clamscan wrapper scripts and timers per server. * Updating docs. * Giving the timer a consistent name. * r69219-Updating-Scheduler-json-target (#1603) Co-authored-by: Matej Stajduhar * R68069 alb healthchecks and nginx pr 2.x (#1609) * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-alb-healthchecks-and-nginx * r68069-nice-indentation * R69332 le cron mail alerts pr 2.x (#1605) * r69332-le-cron-mail-alerts * Changing-recipient-to-var * Changing-recipient-to-var-2 * Fixing-email-var * Fixing-email-var-2 * Aws acl defaults pr 2.x (#1614) * Fixing AWS ACL role defaults. * Docs update. * Punctuation fix! * Small-changes-to-roles (#1617) Co-authored-by: Matej Stajduhar * Updating-aws-acl-role (#1626) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1620) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Apt repo role pr 2.x (#1631) * First pass at APT repo role. * Adding APT autoremove task to the _exit role.
* Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. 
* required_paramater_for_gp3_storage_type_tidying_up_and_refactoring (#1641) * required_paramater_for_gp3_storage_type_tidying_up_and_refactoring * fix vars * fixing more vars * fixing more vars * fixing loop in template * fixing_rds_vars (#1652) * Fixing-aws-acl-condition (#1654) Co-authored-by: Matej Stajduhar * Apt repo role pr 2.x (#1661) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. 
* Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. * Adding missing repo format var to all APT repo handling. * Updating docs. * Bug fixes 2.x pr 2.x (#1662) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. 
* fix(scripts): Fix git checkout to fetch any new branches (#1655) * Apt repo role pr 2.x (#1666) * First pass at APT repo role. * Adding APT autoremove task to the _exit role. * Adding systemd timer for APT key renewal. * Adding role documentation. * Adding new role to MySQL role to test. * Adding python-debian dependency for deb822 repo handling. * Removing obsolete variable check. * Defaulting the APT 'suites' value to the Ansible-detected release name. * Adding APT suite to MySQL repo installation. * Better docs and fixed a syntax error. * Fixing shell script for refreshing APT keys. * Ensuring APT clean-up in _exit always runs as root. * Fixing up MySQL config for 8.0 and tidying vars. * Adding MySQL repo to unattended upgrades. * Adding README for Docker CE, Docker Compose support and switching to apt_repository role. * Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role. * Updating docs index. * Adding Docker repo to unattended upgrades. * Updating MySQL docs. * Updating repo handling for GitLab and GitLab Runner. * Ensuring wget is installed. * wget seems more reliable than cURL for key fetching. * Updating Jenkins repo handling. * Fixing openjdk default version and updating nodejs APT repo handling. * Removing OSSEC, replaced by Wazuh. * Updating repo handling for the PAM LinOTP role. * Updating repo handling for the LHCI role. * Updating repo handling for PHP components. * Trying out a different config for Jenkins. * Updating docs. * Forgot to remove old yarn repo code. * Adding python3-debian package to python_common defaults to avoid first build failures. * Adding list format support to APT role. * Testing list format support with jenkins role. * Downloading GPG public key. * Ensuring the _apt_repository.key_filename var exists. * Fixing SSL vars in Jenkins role. * Updating repo handling for jitsi role. * Updating docs. * Bad SSL var name. * Making timer name dynamic. 
* Adding missing repo format var to all APT repo handling. * Updating docs. * Fixing bug where list is passed instead of dict for systemd timer. * Bug fixes 2.x pr 2.x (#1667) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Bug fixes 2.x pr 2.x (#1670) * Improving AWS subnet docs. * Error in timers structure in the SSL role. 
* Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. 
* Updating-waf-acl-role (#1672) Co-authored-by: Matej Stajduhar * Setting up proxy vhost pr 2.x (#1674) * Setting-up-proxy-vhost * Setting-up-proxy-vhost-2 * Fixing-typo (#1676) * New-version-of-aws-acl-role (#1683) * New-version-of-aws-acl-role * Fixing-jinja-linting --------- Co-authored-by: Matej Stajduhar * Updating-nginx-template (#1688) * Updating-aws_backup-to-register-iam-arn-2 (#1696) Co-authored-by: Matej Stajduhar * Updating-nginx-htpasswd-task-2 (#1698) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1702) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. 
* Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * r69424-Adding-resource-group-task (#1706) Co-authored-by: Matej Stajduhar * Adding lock file behaviour to ce-provision. (#1708) * Adding lock file behaviour to ce-provision. * Updating documentation. * Adding extra lock file handling for ASG EC2 machines. * Moving lock file paths to variables. * Adding docs about connection management. * Fixing placement of lock files on ASGs. * Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone). * Adding in a lock file removal if we do not replace the ASG. * Bug fixes 2.x pr 2.x (#1715) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. 
* Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Bug fixes 2.x pr 2.x (#1717) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. 
* No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Creating a ce-provision installer script. (#1724) * Installer pr 2.x (#1726) * Creating a ce-provision installer script. * Updating installation docs. * Bug fixes 2.x pr 2.x (#1730) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. 
* Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Installer pr 2.x (#1732) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Installing certbot in a python venv. (#1659) * Installing certbot in a python venv. * Changing default location for Python packages. * Allowing the ansible role to override venv settings. * Preventing ce_deploy from installing in an entirely separate venv by default. * Updating certbot installation to use _init venv variables. * Updating duplicity role to use _init venv variables by default. * Ordering pip docs. * Update documentation. * Fixing Ansible path in installer. * Fixing occurrences of path to venv. 
* Installer pr 2.x (#1735) * Creating a ce-provision installer script. * Updating installation docs. * Adding pip upgrade line and python-debian. * Updating docs. * Some minor installer bug fixes. * Bug fixes 2.x pr 2.x (#1737) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. 
* Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Bug fixes 2.x pr 2.x (#1738) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. 
* Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Fixing-ACM-SAN-behaviour (#1739) * Bug fixes 2.x pr 2.x (#1742) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. 
* Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Bug fixes 2.x pr 2.x (#1749) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1752) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. 
* Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Bug fixes 2.x pr 2.x (#1754) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. 
* Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Bug fixes 2.x pr 2.x (#1756) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. 
* ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. 
* Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Redoing-changes-for-aws-acl-role (#1728) * Redoing-changes-for-aws-acl-role * retrigger checks * Fixing-conflicts-4 --------- Co-authored-by: Matej Stajduhar * Remvoing-scp-extra-args-temporary (#1761) Co-authored-by: Matej Stajduhar * Bug fixes 2.x pr 2.x (#1765) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. 
* Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Bug fixes 2.x pr 2.x (#1767) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. 
* Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. 
* Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Bug fixes 2.x pr 2.x (#1769) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. 
* Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Bug fixes 2.x pr 2.x (#1771) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. 
* Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. 
* Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Managing-mime-types-nginx (#1773) * Whitelisting ce vpn ip wazuh pr 2.x (#1775) * Whitelisting-CE-VPN-IP-wazuh * Fixing-wazuh-whitelist-variable * Updating-wazuh-vars (#1777) * add community.postgresql collection and remove varnish master release (#1779) * Updating wazuh vars pr 2.x (#1781) * Updating-wazuh-vars * Updating-manager-vars * Updating wazuh vars pr 2.x (#1783) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Updating wazuh vars pr 2.x (#1785) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Updating wazuh vars pr 2.x (#1787) * Updating-wazuh-vars * Updating-manager-vars * Updating-wazuh-manager-active-response * Updating-wazuh-manager-active-response-2x * Fixing-wazuh-broken-pipeline * Tweaking-wazuh-vars * r68065 mattermost role first commit (#1789) * r68065 mattermost role first commit * fixing linting/syntax * reload systemd with 
ansible.builtin.systemd_service * handler for postgresql reloads * default systemd unit file for mattermost role * r68065 install python psycopg2 (#1791) * r68065 use psycopg binary package as compiling creates depsolve issues (#1793) * permissions for postgres setup (#1795) * r68065 add mattermost group before user (#1797) * Updating-duplicity (#1804) * enable mattermost systemd unit (#1810) * nginx include for mattermost (#1812) * nginx include for mattermost * add… * Bug fixes 2.x pr devel 2.x (#2239) * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. * Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. 
* Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * efs_version_fix_for_old_debian_workaround (#2151) * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * fix(duplicity): Fix file name of include/exclude list (#2152) * Running a find to see if we can find the missing roles. * More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Bug fixes 2.x pr 2.x (#2120) * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. * Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. * Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. 
* Need sudo for Ubuntu. * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * Running a find to see if we can find the missing roles. * More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. * Update .wikis2pages.yml * Nightly builds (#2153) * Create ce-provision-test-nightly.yml * Remove nightly check from GitLab test. * Remove nightly check from web server test. * Removing branch references. * Updating installer config branch to 2.x * Removing config branch, default is fine now * Updating-wazuh-template (#2154) * Updating le template (#2156) * Updating-le-template * Updating-le-template * Reworking-nodejs-for-older-versions (#2157) * Reworking nodejs for older versions pr 2.x (#2159) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Reworking nodejs for older versions pr 2.x (#2160) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Reworking nodejs for older versions pr 2.x (#2161) * Reworking-nodejs-for-older-versions * Reworking-nodejs-for-older-versions * Fixing-nodejs-syntax * Tweaking-apt-types-nodejs * Separating-node-tasks-for-older-node * Publish docs pr 2.x (#2164) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. 
* Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Publish docs pr 2.x (#2166) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Adding more debug to try to find where 1.x is coming from. 
* Moving the hugo script check. * More debug. * Moving the config.toml debug line. * Checking the entire disk for 2.x. * Trying a find instead of a grep. * Trying to update ce-provision and ce-deploy. * Getting more debug info. * Adding --verbose to Ansible. * Trying running Hugo directly. * Changed the Hugo start script. * Trying just running 'hugo' in the right directory. * Adding ce-deploy back in with option to not run Hugo. * Updating docs to make _Sidebar.md lose the starting slash. * Publish docs pr 2.x (#2168) * Altering workflow in GitHub Actions for building wiki2pages files. * Attempting to set a hosts file for Ansible in CI. * Trying to force Ansible host. * Trying to force Ansible host. * Trying with an inventory file instead. * Running Ansible as the 'ce-dev' user. * Fixing path to playbook. * Disabling host key checking. * Disabling host checking in SSH. * Trying to use ce-dev user instead of root. * Fixing path to scripts. * Adding some debug lines to check playbooks. * Fixing workspace volume mount point. * Trying a whole new /build location. * Setting permissions on mounted disk. * Checking ce-dev dir contents. * Changing mount point to not destroy ce-dev files. * Commenting permissions line. * Fixing playbook paths. * Outputting hosts and SSH config for debug. * Checking SSH settings. * Manually creating authorized_keys. * Fixing path to set-current. * Refactoring SSH set-up and looking at set-current script. * Trying to fix mount point. * Updating paths to generated docs. * Trying to pass in path to wiki2pages. * Removing obsolete debug line. * Correcting path to script. * Changing path we execute from. * Adding first pass at docs publish step. * Repairing working dir paths. * Incorrect repo path. * Removing most of the debug lines. * Catching up devel. (#2163) * Bug fixes 2.x pr 2.x (#1395) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. 
* Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Ansible install perms pr 2.x (#1398) * 2.x (#1363) * Devel 2.x (#1216) * R62347 fix postfix mail delivery pr devel (#791) * GitHub Actions - Rebuilt documentation. * Need to check if is_local is defined in webserver meta dependencies. (#522) * Ce dev refactor pr 1.x (#518) * Making it easier to test with provision-target and ce-dev. * Moving the provision forcing var back to plays so _init has it. * Adding defaults vars and test script extra options. * Adding a web server test to CI. * examples string needs to be in quotes. * Making sure is_local and _ce_provision_force_play are available to the _init role. 
* Adding SSH keys to the provision user. * Adding a --force to the test script. * Explicitly adding vars to role. * Fixing _init behaviour and adding SSH key for web role. * Setting default PHP version to 7.4. * Looking up the generated ce-dev SSH key instead of hard-coding one. * We cannot run the ssh_server role locally, so excluding for tests of webserver role. * Trying to remove user_root.yml in case it's breaking CI. * Adding a verbose mode to the test script. * Exposing the command in the test script. * Trying hard-coded keys again. * Changing location of data dir for test containers. * Putting vars back and restricting CI to the 'web' example. * Adding backup handling to ldap_server. (#525) * Adding backup handling to ldap_server. * Improving SSL docs and handling perms for openldap and letsencrypt. * Cron user must be specified with file. * Running as root, do not need a 'sudo' in this cron. * Allowing 'gitLab' to disable Prometheus. (#530) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * GitHub Actions - Rebuilt documentation. (#526) Co-authored-by: Code Enigma CI * Prometheus pr 1.x (#533) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Add private files support for Drupal in Nginx. (#535) * Prometheus pr 1.x (#539) * Allowing 'gitLab' to disable Prometheus. * Booleans to use in jinja2 as strings must be cast as strings. * Tidying up CI and adding a GitLab test. * Fixing CI job description. * Adding a firewall config preset to open port 80 for LetsEncrypt. * Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541) * Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd. * Moving key servers to a variable so we can set them. 
(#555) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Adding a reboot option to the patching role. (#557) * Add minimal support for Aurora RDS instances (#567) * Attempt to create an RDS read replica. * Use new task to create Aurora RDS instances. * Try and fix linting issues. * Don't pass max_storage variable for Aurora instances. * Remove more storage related vars from Aurora RDS instance creation task. * Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. 
* Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. 
* Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. 
* Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. 
* Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. 
* Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. 
(#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#36)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* Cleaning variables to be generic and improving LDAP role handling.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#37)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Adding note on existence of 'config' directory for de-deploy to work.
* Adding link to provided example config directory.
Co-authored-by: EmlynK
* phpfpm variables (#38)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#39)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes s…
* Bug fixes 2.x pr devel 2.x (#2241)
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provisin.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* efs_version_fix_for_old_debian_workaround (#2151)
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_childen to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provisin.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation. * Try creating the Aurora read replica another way. * Add some debug info. * Work around the silly registering of variables in Ansible. * Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info. * Add some Aurora info to aws_rds README file. * Use reader instead of replica for Aurora readers. * Remove db_cluster_identifier variable from non-Aurora RDS task. * Gpg servers fix pr 1.x (#571) * Moving key servers to a variable so we can set them. * Allowing us to disable sending keys completely. * Oops, doubled up on existing functionality. * Fixing var name. * Using a pipe to grep with 'command' cannot work, refactoring. * Making CI use the meta deploy role to test gitlab. * We mustn't assume AWS servers for deploy and controller. * Support termination protection in EC2. (#573) * Support termination protection in EC2. * Fixing CI vars. * Fixing CI vars. * Fix managed SSL key perms and the variable used for the private key. (#575) * Ec2 subnet lookup pr 1.x (#583) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Ec2 subnet lookup pr 1.x (#589) * First pass at EC2 subnet detection. * Touching subnet file to ensure it exists. * Trying a different approach, file module didn't work. * Switching back to file module. * We need to create the directory for new servers too. * Bad variable name. * Changing subnet lookup order to check for defined subnet first. * Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. 
* Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. * Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. 
* Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. 
* Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. 
* Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. 
* Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. 
* Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. * First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. 
* Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
Co-authored-by: EmlynK
* Override fastcgi_read_timeout in Nginx (#41)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linte…
* Bug fixes 2.x pr devel 2.x (#2243)
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* efs_version_fix_for_old_debian_workaround (#2151)
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* fix(duplicity): Fix file name of include/exclude list (#2152)
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Bug fixes 2.x pr 2.x (#2120)
* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.
* RDS param group module has changed name.
* Adding passlib to libraries installed for ce-provision.
* Adding in valid path for 'which' to rkhunter.
* Catching up documentation.
* Catching up documentation.
* Making user creation optional and home directories a variable.
* Missed passing new home var to task.
* Fixing firewall.bash deletion issues.
* Getting rid of accidental extra braces.
* Simplifying usernames so you only need to set one var.
* Docs update and making Ansible installation via _init an option.
* Variable path error.
* Updating linter ignore paths.
* Making the NGINX test result var private.
* Documentation update.
* Fixing role dependency in NGINX role.
* Adding installation path handling for Galaxy collections.
* Removing -p option due to unexpected ill effects for role paths.
* Moving X-Content-Type-Options header to project type templates.
* Adding some inline documentation.
* Fixing Postfix template to allow external relays.
* Adding a FQDN postfix transport map.
* Updating CI to 2.x.
* Defending against missing Ansible.
* Making the ce-provision-config branch in CI dynamic.
* We do not want a 'ce-dev provision' because it breaks our controller.
* Reverting 'ce-dev provision' change.
* Trying a different ansible_facts var.
* Testing using the source branch in ce-dev.
* Setting max_children to an integer to avoid CI issues.
* Trying to change the python interpreter used.
* Adding platform and cgroup values to ce-dev compose template.
* Trying latest ubuntu containers in GitHub Actions.
* Fixing the test.sh script to work with venvs.
* Documentation for PHP in CI.
* Adding GitLab test back in.
* Fixing role namespaces.
* Minor bug fixes to ce-provision installer.
* Testing installing ce-provision in the GitHub Actions container directly.
* Using the submitted install script as well.
* Trying as runner user.
* Trying to use the ce-dev base container.
* Updating key name.
* Suppressing systemd actions in Docker.
* Seems Ansible flags have changed.
* Still trying to get --extra-vars right!
* Catching Ansible Galaxy upgrade timers for docker containers.
* Trying to force --roles-path for Galaxy.
* Trying different quotes.
* Missed a line.
* Trying a different approach to passing vars.
* Adding some debug.
* Running ce-python debug first.
* Trying moving to the ce-provision directory.
* Checking the specific path to galaxy roles in ce-provision.
* Trying as controller user again.
* Trying to make the roles dir.
* Being consistent about paths in bash.
* Removing debug lines for now.
* Allowing script to skip iptables.
* Misnamed flag.
* Adding user_provision role to configure controller user.
* Wrapping cleanup so it doesn't break GitHub Actions.
* Completing variables for user_provision.
* Missed the sudoers var.
* Quoting vars.
* GitLab installer needs _domain_name.
* Logic error in clean-up script.
* Fixing paths to ce-provision in container.
* Trying to fix CI perms issues.
* Git dubious ownership error.
* Git dubious ownership error.
* Running the web server test as the controller user.
* Missed a controller var.
* Commenting out the CE container to test.
* Adding a separate step for Git actions.
* Need sudo for Ubuntu.
* Using a volume to persist data between steps.
* Adding debug commands to test volumes.
* Tweaking volumes.
* Adding the checkout command back in.
* Trying a different approach.
* ls command looks good, so putting web build back in.
* More Ansible Galaxy debug.
* Trying to make ansible-galaxy detect installed roles.
* Run galaxy command as controller.
* Trying galaxy command and cd wrapped in su.
* Specifically checking the contents of galaxy/roles.
* Trying a double-tap install process.
* Quick refactor and debug of SSH.
* Adding OpenSSH server package.
* Checking for a firewall.
* Checking listening packages.
* Starting SSHD especially.
* Starting SSHD without systemd.
* Pre-empting config a bit more.
* More galaxy path debug.
* Running a find to see if we can find the missing roles.
* More verbosity.
* Checking for missing requirements file.
* Removing erroneous when clause.
* Tidying up redundant debug lines.
* Creating a separate ci.yml play targeting localhost.
* Making sure sshd is running.
* Tidying up GitLab CI file and installing SSHD.
* Installing SSHD as a separate step.
* SSHD already installed, starting it instead.
* Don't create systemd timers in containers.
* Preparing a test GitLab build.
* Making builds nightly and fixing GitLab role bug.
* Ensuring is_local var exists and making lock behaviour optional.
* Fixing location and owner of Blackfire config so it is configurable.
* Documentation update.
* Removing all is defined checks for is_local since it is now always defined.
* Letting GitLab know it's on Docker earlier.
* Trying to run runsvdir-start to avoid container freezing.
* Temporarily skipping reconfigure of GitLab to test the rest.
* Trying to move GitLab reconfigure commands to CI.
* Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI.
* No systemd, do not try to restart gitlab-runner.
* Removing firewall role from CI GitLab test, don't need it and it breaks CI.
* Outputting PostgreSQL logs to see if there are errors.
* Outputting PostgreSQL logs to see if there are errors.
* Trying the config script for GitLab again.
* Suppressing extra GitLab config for CI runs.
* Setting Blackfire CLI defaults to use ce-dev user.
* Update .wikis2pages.yml
* Nightly builds (#2153)
* Create ce-provision-test-nightly.yml
* Remove nightly check from GitLab test.
* Remove nightly check from web server test.
* Removing branch references.
* Updating installer config branch to 2.x
* Removing config branch, default is fine now
* Updating-wazuh-template (#2154)
* Updating le template (#2156)
* Updating-le-template
* Updating-le-template
* Reworking-nodejs-for-older-versions (#2157)
* Reworking nodejs for older versions pr 2.x (#2159)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Reworking nodejs for older versions pr 2.x (#2160)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Reworking nodejs for older versions pr 2.x (#2161)
* Reworking-nodejs-for-older-versions
* Reworking-nodejs-for-older-versions
* Fixing-nodejs-syntax
* Tweaking-apt-types-nodejs
* Separating-node-tasks-for-older-node
* Publish docs pr 2.x (#2164)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Publish docs pr 2.x (#2166)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Adding more debug to try to find where 1.x is coming from.
* Moving the hugo script check.
* More debug.
* Moving the config.toml debug line.
* Checking the entire disk for 2.x.
* Trying a find instead of a grep.
* Trying to update ce-provision and ce-deploy.
* Getting more debug info.
* Adding --verbose to Ansible.
* Trying running Hugo directly.
* Changed the Hugo start script.
* Trying just running 'hugo' in the right directory.
* Adding ce-deploy back in with option to not run Hugo.
* Updating docs to make _Sidebar.md lose the starting slash.
* Publish docs pr 2.x (#2168)
* Altering workflow in GitHub Actions for building wiki2pages files.
* Attempting to set a hosts file for Ansible in CI.
* Trying to force Ansible host.
* Trying to force Ansible host.
* Trying with an inventory file instead.
* Running Ansible as the 'ce-dev' user.
* Fixing path to playbook.
* Disabling host key checking.
* Disabling host checking in SSH.
* Trying to use ce-dev user instead of root.
* Fixing path to scripts.
* Adding some debug lines to check playbooks.
* Fixing workspace volume mount point.
* Trying a whole new /build location.
* Setting permissions on mounted disk.
* Checking ce-dev dir contents.
* Changing mount point to not destroy ce-dev files.
* Commenting permissions line.
* Fixing playbook paths.
* Outputting hosts and SSH config for debug.
* Checking SSH settings.
* Manually creating authorized_keys.
* Fixing path to set-current.
* Refactoring SSH set-up and looking at set-current script.
* Trying to fix mount point.
* Updating paths to generated docs.
* Trying to pass in path to wiki2pages.
* Removing obsolete debug line.
* Correcting path to script.
* Changing path we execute from.
* Adding first pass at docs publish step.
* Repairing working dir paths.
* Incorrect repo path.
* Removing most of the debug lines.
* Catching up devel. (#2163)
* Bug fixes 2.x pr 2.x (#1395)
* Improving AWS subnet docs.
* Error in timers structure in the SSL role.
* Removing obsolete backports requirements.
* Allow the billing role to access Sustainability information.
* Missing comma in IAM billing policy.
* Removing broken GitLab Runner code.
* Fixed the include_role task in gitlab_runner.
* Suppressing a failure if there is no system pip to call.
* Logic error in Ansible installer username, needs to be set from calling role.
* ansible_user is a reserved variable, seems to be causing issues.
* _ansible_ANYTHING is reserved, using _install_username instead.
* python_boto role also needs the username set in the calling role.
* Updating python_boto docs.
* Making profile.d loading more robust.
* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.
* Updating bad AWS SG role var namespacing in other roles.
* Refactoring how we handle python3-pip.
* Allow passing in of the Python interpreter to Ansible.
* Updating the packages server for CE.
* Installing Ansible in a venv on all machines.
* Changing common_base format for readability.
* No need to specify Python to the point release.
* Docs update.
* Fixing LDAP SSL to use systemd timer.
* Allowing different systemd timer names for different Ansible installs.
* Fixing dynamic key name in ansible role.
* Trying to debug missing timer_command var.
* Treating the timer string so it becomes a dict.
* Moving default log location for clamav.
* Updating ClamAV docs.
* Ansible install perms pr 2.x (#1398)
* 2.x (#1363)
* Devel 2.x (#1216)
* R62347 fix postfix mail delivery pr devel (#791)
* GitHub Actions - Rebuilt documentation.
* Need to check if is_local is defined in webserver meta dependencies. (#522)
* Ce dev refactor pr 1.x (#518)
* Making it easier to test with provision-target and ce-dev.
* Moving the provision forcing var back to plays so _init has it.
* Adding defaults vars and test script extra options.
* Adding a web server test to CI.
* examples string needs to be in quotes.
* Making sure is_local and _ce_provision_force_play are available to the _init role.
* Adding SSH keys to the provision user.
* Adding a --force to the test script.
* Explicitly adding vars to role.
* Fixing _init behaviour and adding SSH key for web role.
* Setting default PHP version to 7.4.
* Looking up the generated ce-dev SSH key instead of hard-coding one.
* We cannot run the ssh_server role locally, so excluding for tests of webserver role.
* Trying to remove user_root.yml in case it's breaking CI.
* Adding a verbose mode to the test script.
* Exposing the command in the test script.
* Trying hard-coded keys again.
* Changing location of data dir for test containers.
* Putting vars back and restricting CI to the 'web' example.
* Adding backup handling to ldap_server. (#525)
* Adding backup handling to ldap_server.
* Improving SSL docs and handling perms for openldap and letsencrypt.
* Cron user must be specified with file.
* Running as root, do not need a 'sudo' in this cron.
* Allowing 'gitLab' to disable Prometheus. (#530)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* GitHub Actions - Rebuilt documentation. (#526)
Co-authored-by: Code Enigma CI
* Prometheus pr 1.x (#533)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Add private files support for Drupal in Nginx. (#535)
* Prometheus pr 1.x (#539)
* Allowing 'gitLab' to disable Prometheus.
* Booleans to use in jinja2 as strings must be cast as strings.
* Tidying up CI and adding a GitLab test.
* Fixing CI job description.
* Adding a firewall config preset to open port 80 for LetsEncrypt.
* Removing our unused ClamAV roles and adding a Galaxy role to common base. (#541)
* Revert "Moving OSSEC pkill to use process_manager role instead. (#258)" (#544) This reverts commit 73c7bd0adb1105436e484fe794182c915b2d25dd.
* Moving key servers to a variable so we can set them. (#555)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Adding a reboot option to the patching role. (#557)
* Add minimal support for Aurora RDS instances (#567)
* Attempt to create an RDS read replica.
* Use new task to create Aurora RDS instances.
* Try and fix linting issues.
* Don't pass max_storage variable for Aurora instances.
* Remove more storage related vars from Aurora RDS instance creation task.
* Add profile and region to read replica creation.
* Try creating the Aurora read replica another way.
* Add some debug info.
* Work around the silly registering of variables in Ansible.
* Rename an RDS CloudWatch task for Aurora DBs and remove RDS debug info.
* Add some Aurora info to aws_rds README file.
* Use reader instead of replica for Aurora readers.
* Remove db_cluster_identifier variable from non-Aurora RDS task.
* Gpg servers fix pr 1.x (#571)
* Moving key servers to a variable so we can set them.
* Allowing us to disable sending keys completely.
* Oops, doubled up on existing functionality.
* Fixing var name.
* Using a pipe to grep with 'command' cannot work, refactoring.
* Making CI use the meta deploy role to test gitlab.
* We mustn't assume AWS servers for deploy and controller.
* Support termination protection in EC2. (#573)
* Support termination protection in EC2.
* Fixing CI vars.
* Fixing CI vars.
* Fix managed SSL key perms and the variable used for the private key. (#575)
* Ec2 subnet lookup pr 1.x (#583)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Ec2 subnet lookup pr 1.x (#589)
* First pass at EC2 subnet detection.
* Touching subnet file to ensure it exists.
* Trying a different approach, file module didn't work.
* Switching back to file module.
* We need to create the directory for new servers too.
* Bad variable name.
* Changing subnet lookup order to check for defined subnet first.
* Fixing gitlab-runner overriders so upgrades do not break the runner. (#586) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Gitlab runner service override pr 1.x (#591) * Fixing gitlab-runner overriders so upgrades do not break the runner. * Fixing override file template. * Hopefully fixing CI. * Making sure the service directory exists. * We cannot use the deploy meta role in CI because of LDAP. * Changing dir perms and adding a force. * Debugging gitlab-runner directory creation issues in CI. * Fixing linting error. * Removing verbosity again but leaving 'stat' command in. * Pass db_cluster_identifier for RDS instance during ASG build (#600) * Pass RDS db_cluster_identifier, if present, during an ASG build. * Use correct variable name for RDS db_cluster_identifier. * Add a commented variable to ASG role for db_cluster_identifier so it's documented. * Also pass in the aurora_reader var from the ASG role when including the aws_rds role. (#605) * Removing obsolete MySQL config option log_syslog from template. (#607) * GitHub Actions - Rebuilt documentation. (#536) Co-authored-by: Code Enigma CI * Consistent default region pr 1.x (#611) * Moving all region settings to _aws_region var and adding README update. * Documentation update. * No need for region, IAM SAML setup is global, (#617) * Support ebs encryption pr 1.x (#609) * Adding volume encryption and type options plus a bit more flexibility on EBS control for EC2. * Setting more sane default instance sizes. * Adding more EBS options for ASGs. * Setting encryption to match AMI settings. * Setting encryption to match AMI settings. * We also need to dynamically set the ASGs own encrypt_boot var. * We need to merge the new branch changes before we can rebuild the docs. 
* Fixing merge command in CI. * Not sure toc.sh is actually executing. * Refactoring encrypt EBS flags to avoid detected loop condition in vars. * Safer CI, only adds .md files. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying to figure out CI logic for building docs. * Trying adding a git pull. * Setting git pull config options. * Reordering things. * Adding --allow-unrelated-histories to the git pull. * Trying a feature branch approach. * Forcing the GitHub action to fetch all git history. * Bad whitespace, naughty whitespace. * Trying a different PR action. * Do not merge the branch in, we only want the markdown changes. * Keeping the documentation branch clean. * We need to push a detached HEAD. * Do we need the checkout at all? * Adding a docs pull. * Allow install|update scripts in Drupal8+ (#599) * Add some flexibility to Packer (#633) * Add ability to pass on-error and force to Packer. * Add new Packer options to the ASG role as well. * Packer build options need to be declared before the file that is being built. * Allow Packer ssh_username to be set. * Making PHP >= 8.0 compatible (#634) * Packer VPC filtering (#638) * Add ability to set vpc_filter and subnet AZ for Packer builds. * Add fqcn-builtins to .ansible-lint warn_list for now. * GitHub Actions seemingly ignores warn_list. * Use simplified variables for Packer VPC stuff. * Only use one filter when filtering VPCs for Packer. * Cert management pr 1.x (#640) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Cert management pr 1.x (#642) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. 
* Cert management pr 1.x (#644) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Cert management pr 1.x (#647) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. * Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Fix Nginx auth_message in vhost (#653) * Revert auth_message change in Nginx role for now. * Revert "Revert auth_message change in Nginx role for now." This reverts commit d030e4c628728ab553a0f5687497cf566bcd1179. * Add default for Nginx auth_message. * Cert management pr 1.x (#655) * Making sure we can't accidentally commit AWS API credentials. * Initial commit of ACM role. * Only pause for a get-certificate call if we want to export. * Updating docs. * Missed a couple of variables to update. * We cannot rely on the variable being nonexistent here. * Allowing ce-provision to set the basic auth message for Nginx. * Supporting SAN certs and tags on ACM certificates. * Fixing namespacing. * Auto-generating SSL certs for ALB and CloudFront. * More namespace fixes. * Fixing CI issue with missing AWS region var. 
* Reinstating replace_batch_size for ASGs to see if it speeds up infra builds. * Adding public IP option to LC config for ASGs. * Refactoring ACM domain handling so we can create DNS entries for each SAN domain. * Fixing mistake in domains set_fact. * Fixing AnsibleUndefined bug caused by skipped task. * Handling multiple domain validations for SAN certs. * Fixing bad variable name. * Fixing ASG DNS entries so it adds entries for SAN cert domains too. * For DNS validation we should not use --domain-validation-options at all. * Writing over the aws_acm.extra_domains var didn't work, setting a new var instead. * Bad dict structure. * Improving multi domain handling for ASG DNS. * Supporting multiple CloudFront aliases for an ASG. * Adding options to disable sign-up, sign-in and private projects. (#663) * Making ALB healthchecks optional and defaulting to disabled. (#670) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Remove alb healthchecks pr 1.x (#673) * Making ALB healthchecks optional and defaulting to disabled. * Defaulting back to ELB health checks. * Making sure new clusters won't fail because no ALB yet. * Allow user to set cachetool version in the opcache role. (#665) * Allow user to set cachetool version in the opcache role. * Adding a comment for a future improvement. * Adding a 'repack' option for AMIs and ASGs. (#675) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! * AMI generation requires region and profile. 
* Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Ami repack option pr 1.x (#707) * Adding a 'repack' option for AMIs and ASGs. * Adding an option to force a Packer rebuild in an ASG. * Fixing EC2 instance look-up to use cluster name. * Separating AMI provisioning tasks into a tasks file that can be included. * Refactoring AMI operation to allow current behaviour to remain default. * Trying to delegate tasks to target repack instance. * Switching from import_tasks to include_tasks. * Fixing the instance DNS name var. * Changing approach to make a standalone machine to generate AMI from. * Gah! Typo! 
* AMI generation requires region and profile. * Didn't wrap instance_id lookup properly. * Fixing some missing namespaces. * Missed a bad var when fixing. * Adding full set of variables for EC2 instance. * Fixing AWS SSH key name. * Decided not to use the EC2 + EIP role. * Trying to add a pause after instance launch. * Passing the target branch to Ansible as a var. * Support absolute paths to playbooks. * Refactoring to make ce-provision call itself for AMI packing tasks. * Doubled up the script path. * Switching to base dir var for ce-provision call. * Moving temp EC2 instances for AMI creation to subnet with IGW. * State of EC2 instance needs to be started instead of running. * We need to delete the AMI we created before making another one. * Refactoring AMI repack variables for readability and removing volume size. * Missed a refactored var. * Defending against AMI volume size issues for ASGs. * Refactoring extra vars handling. * For some reason Packer seems to double the brackets. * Revert "For some reason Packer seems to double the brackets." This reverts commit 13ee8df42b80b102e9e19a01407b3afb69952ee5. * Fixing packer.json white space. * We need to reset the _aws_ami_extra_vars variable to an empty string before we rebuild it. * Slight refactor to move the extra vars building to the relevant included tasks. * Slight documentation change. * Moved config extra vars to ce-provision as they are globally sane. * Error in jinja list building for RDS. * Trailing VPC ID fields using the wrong variable. * Editing GitLab config so LE is enabled and auto-renewing by default. (#709) * Provide profile and region when creating an RDS parameter group, and also provide ability to set the parameter group for an Aurora RDS instance. (#712) * Add a task in ASG role to add an Aurora RDS endpoint. (#714) * Ssl le fixes pr 1.x (#725) * Allow multiple domains to be passed. * Ensuring we don't break older implementations. 
* First pass at a bash script we can run on cron for LE renewals. * Place the autorenewal script and create a cron entry. * Allowing the HTTP-01 listen port to be set to something other than 80. * Need single quotes within our double quotes. * Adding optional proxy for LE. * Revert "Adding optional proxy for LE." This reverts commit cf5720b450744915872eacafee82164300df90aa. * Adding support for apache and nginx plugins for certbot. * Fixing quote error. * Fixing SSL LE handling and ensuring other handlers work with multiple provided domains. * Fixing issue with selecting first domain. * Correcting variable names. * LE cron template missing an endfor. * Missing carriage return in LE cron script. * Turns out you can't alter facts passed in via vars by include_role. * Fixing SSL defaults. * Realised if there are multiple different LE runs each needs its own renewal cron. * Ensure builds don't fail if ssl.web_server isn't provided. * Defending against empty SSL services list. * Improving vhost template LE handling. * Adjusting SSL cert and key var names. * Adding a temporary vhost so newly added domains can request LE certs. * Tabbing error. * Fixing possible 'resolver' errors in Nginx if you use localhost. * Renaming loopvar from domain to certificate_domain to avoid clash with nginx role. * Tweaking Nginx LE handling and making certbot commands customisable. * Fixing minor typo. * Trying giving include_role the public flag. * Documentation updates. * Adding default value to Nginx vhost template. * Move drupal8 install/update config to drupal_common under if local block. (#733) * WIP: 58848 apache role pr 1.x (#667) * Catching up devel. 
(#243) * Devel (#175) * Wrong filter for efs info * Fix indentation error * Do not purge tags on existing EFS * Wrong name for updating EFS targets * Remove leftover loop * Fix error in subnet gathering * Split EFS creation * Use subnet ids * Wrong var name * Remove dead code * Wrong var * Missing subnet ids * Try not to lose existing SGs * Try to dedupe targets * Wrong syntax for combine * Typo in combining tuples * Wrong var name for append items * Fix appending subnets * Wrong list transformation * Switch to community module for efs * Remove unnecessary complexity * Update documentation * Comment out Redefine Autoscale groups task for now and move some of its parameters to the other ASG creation task. * Remove replace_batch_size from ASG creation task, so it now defaults to 1. * Wrap Postfix handler commands in quotes. (#26) * Try using shell instead of command in Postfix handlers. * GitHub Actions integration (#29) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Use correct variable when setting the RDS instance type as part of ASG creation. (#32) Co-authored-by: Emlyn Kinzett * Fix alb health check (#31) * It's traffic-port, not target-port. Doh. * Update documentation. Co-authored-by: Emlyn Kinzett * Adding note on existence of 'config' directory for de-deploy to work. * Adding link to provided example config directory. 
* Generate saml sso requirements (#33) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. Co-authored-by: EmlynK * Generate saml sso requirements devel (#36) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * Cleaning variables to be generic and improving LDAP role handling. Co-authored-by: EmlynK * Generate saml sso requirements devel (#37) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. 
Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. * Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Adding note on existence of 'config' directory for de-deploy to work. 
* Adding link to provided example config directory. Co-authored-by: EmlynK * phpfpm variables (#38) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." 
This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. Co-authored-by: Greg Harvey * Generate saml sso requirements devel (#39) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Adding AWS CLI and credentials files to local ce-dev. * New AWS IAM Ansible role for creating the necessary IdP and role for admin access. * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. 
* Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. * Explicitly setting shell to bash in provision.sh. * Trying ubuntu-16.04 as Travis used this. * Putting shell back. * Update provision.sh * Making /bin/bash the shell. * Making /bin/bash the shell for provision. * Explicitly stating bash again in YML. * Turns out the mkcert binary is out of date. * Compiled mkcert from source. * Fixing curl error. * Switching to wget. * Starting the linter again and renaming job. * Only lint changed files. * Linting a non-existent branch! * Tidying the documentation check. * Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422. * Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36. * Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e. * Swapping Super-Linter for ansible-lint. * Running ansible-lint directly in the container. * Updating to latest Ubuntu. * Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad. * Fixing ansible-lint issues. * Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48. * Removing old travis config. * Spacing issue fix. * Running tests on pull_request only. Co-authored-by: EmlynK * Cleaning variables to be generic and improving LDAP role handling. * Adding modified iam_alis module found on GitHub. * Adding management of IAM account alias. 
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177. * Fixing conflict with ce-dev/README.md. * Adding a template for SimpleSAMLphp account SPs. * Renaming template file for SAML and adding an include file for SAML admins. * Renaming template file for SAML admins. * Adding tasks for handling SimpleSAMLphp repo actions. * Refactoring git commits to defend against existing files causing commit fails. * Moving X509Certificate to a variable. Co-authored-by: EmlynK * Override fastcgi_read_timeout in Nginx (#41) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * GitHub actions into v1. (#30) * Adding Super Linter workflow for GitHub Actions. * Adding the documentation checker. * Getting GitHub Actions to continue on failure. * Seeing if Git exists. * Missing space. * Re-adding the checkout and the git commands. * Trying Pascal's script. * Adding both lines to the same 'run' command. * GitHub Actions wtf - splitting into two steps. * Trying steps on branch name. * Trying steps on branch name AGAIN. * Would be good to get the syntax right. * Trying different quotes. * Checking the contents of the github.ref variable. * Trying to add in Pascal's testing step. * Adding in /bin/sh to hopefully make test.sh run. * Google says try it with /bin/bash. * Trying a different Ubuntu version. * Installing net-tools to have ifconfig. * Updating testing shell (#28) * Use correct variable when setting the RDS instance type as part of ASG creation. (#27) * Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line. Co-authored-by: EmlynK * We probably don't need /bin/bash * Making test.sh executable. * Checking shell. 
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Adding some PHP pool values that can be tweaked and the default_socket_timeout in php.ini. (#40)
* Add ability to override Nginx fastcgi_read_timeout value.
Co-authored-by: Greg Harvey
* Generate saml sso requirements devel (#42)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
Co-authored-by: EmlynK
* Generate saml sso requirements devel (#43)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Adding AWS CLI and credentials files to local ce-dev.
* New AWS IAM Ansible role for creating the necessary IdP and role for admin access.
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lint changed files.
* Linting a non-existent branch!
* Tidying the documentation check.
* Revert "Making /bin/bash the shell for provision." This reverts commit f5f35818205cd364a66a6e51c9f9d8254f016422.
* Revert "Making /bin/bash the shell." This reverts commit df585b36877aa2328adc228cd8f76950e2853d36.
* Revert "Tidying the documentation check." This reverts commit a0c964e15003c8486f4d01232af6e855a475298e.
* Swapping Super-Linter for ansible-lint.
* Running ansible-lint directly in the container.
* Updating to latest Ubuntu.
* Revert "Fixing test.sh to explicitly call bash." This reverts commit 521279ebc16a4c4459c981bfb813cf6aa4d4f3ad.
* Fixing ansible-lint issues.
* Revert "Fixing ansible-lint issues." This reverts commit 08a74046d567ea80acc080ec3cec60a7f8ceed48.
* Removing old travis config.
* Spacing issue fix.
* Running tests on pull_request only.
Co-authored-by: EmlynK
* Cleaning variables to be generic and improving LDAP role handling.
* Adding modified iam_alis module found on GitHub.
* Adding management of IAM account alias.
* Revert "Merge branch 'devel' into generate_saml_sso_requirements" This reverts commit a4051979f45aa2518db36fd2f9c9751b0364b69c, reversing changes made to b9e67325e2b69b9dd22483acaaec77ef80fa7177.
* Fixing conflict with ce-dev/README.md.
* Adding a template for SimpleSAMLphp account SPs.
* Renaming template file for SAML and adding an include file for SAML admins.
* Renaming template file for SAML admins.
* Adding tasks for handling SimpleSAMLphp repo actions.
* Refactoring git commits to defend against existing files causing commit fails.
* Moving X509Certificate to a variable.
* Wrapping the LinOTP code in the SAML template in an 'if' statement.
* Extending the check to make sure LinOTP var isn't empty.
* Removing references to LDAP in SAML groups attribute config, no need to assume.
* Adding docs for the aws_iam_saml role.
Co-authored-by: EmlynK
* Adding aws_iam_saml docs (#45)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* GitHub actions into v1. (#30)
* Adding Super Linter workflow for GitHub Actions.
* Adding the documentation checker.
* Getting GitHub Actions to continue on failure.
* Seeing if Git exists.
* Missing space.
* Re-adding the checkout and the git commands.
* Trying Pascal's script.
* Adding both lines to the same 'run' command.
* GitHub Actions wtf - splitting into two steps.
* Trying steps on branch name.
* Trying steps on branch name AGAIN.
* Would be good to get the syntax right.
* Trying different quotes.
* Checking the contents of the github.ref variable.
* Trying to add in Pascal's testing step.
* Adding in /bin/sh to hopefully make test.sh run.
* Google says try it with /bin/bash.
* Trying a different Ubuntu version.
* Installing net-tools to have ifconfig.
* Updating testing shell (#28)
* Use correct variable when setting the RDS instance type as part of ASG creation. (#27)
* Fixing test.sh to explicitly call bash. GitHub Actions only supports Ubuntu containers and Ubuntu shell is dash by default, not bash. Consequently /bin/sh doesn't invoke bash, but dash, which causes some unexpected errors down the line.
Co-authored-by: EmlynK
* We probably don't need /bin/bash
* Making test.sh executable.
* Checking shell.
* Explicitly setting shell to bash in provision.sh.
* Trying ubuntu-16.04 as Travis used this.
* Putting shell back.
* Update provision.sh
* Making /bin/bash the shell.
* Making /bin/bash the shell for provision.
* Explicitly stating bash again in YML.
* Turns out the mkcert binary is out of date.
* Compiled mkcert from source.
* Fixing curl error.
* Switching to wget.
* Starting the linter again and renaming job.
* Only lin…
* GitHub Actions - updating markdown docs - 2025-01-15T18:30:36Z

---------

Co-authored-by: Greg Harvey
Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com>
Co-authored-by: Code Enigma CI
Co-authored-by: EmlynK
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dionisio
Co-authored-by: pascal
Co-authored-by: Jamie Wiseman
Co-authored-by: mdecorniquet <43240244+mdecorniquet@users.noreply.github.com>
Co-authored-by: Matthieu Decorniquet
Co-authored-by: Dionisio
Co-authored-by: Jean Pierre Dentone
Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Co-authored-by: tim
Co-authored-by: Nick Fawbert
Co-authored-by: Miro Michalicka
Co-authored-by: Miro Michalicka
Co-authored-by: Matej Stajduhar
Co-authored-by: Sunil Odedra <122627205+sunilodedra@users.noreply.github.com>
Co-authored-by: Sunny
Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com>
Co-authored-by: Klaus Purer
Co-authored-by: Klaus
Purer Co-authored-by: Filip Rupic <123341158+filiprupic@users.noreply.github.com> Co-authored-by: filip --- .../workflows/ce-provision-publish-docs.yml | 2 + docs/roles/aws/aws_acl.md | 52 +++++++++++-------- docs/roles/aws/aws_credentials.md | 2 +- docs/roles/aws/aws_provision_ec2_keypair.md | 3 +- docs/roles/debian/gitlab.md | 11 ++-- roles/aws/aws_acl/README.md | 1 + roles/aws/aws_credentials/README.md | 2 +- roles/aws/aws_provision_ec2_keypair/README.md | 3 +- roles/debian/gitlab/README.md | 11 ++-- 9 files changed, 51 insertions(+), 36 deletions(-) diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml index b87f9afe5..232a71d99 100644 --- a/.github/workflows/ce-provision-publish-docs.yml +++ b/.github/workflows/ce-provision-publish-docs.yml @@ -58,6 +58,8 @@ jobs: # First build and publish the markdown docs - name: Build and commit table of contents and README files back to the repo run: | + /usr/bin/git fetch origin 2.x + /usr/bin/git merge origin/${{ github.event.pull_request.base.ref }} --allow-unrelated-histories /bin/sh contribute/toc.sh /usr/bin/find . -name "*.md" | xargs git add /usr/bin/git diff --staged --quiet || /usr/bin/git commit -am "GitHub Actions - updating markdown docs - ${{ github.event.repository.updated_at }}" diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md index f802c46a2..8cf21ccce 100644 --- a/docs/roles/aws/aws_acl.md +++ b/docs/roles/aws/aws_acl.md 
@@ -19,29 +19,37 @@ aws_acl: rate_limit: value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking priority: 2 # can be float with 1 decimal place - ip_sets: - - rule_name: "Allowed-IPs-rule" - set_name: "Allowed-IPs-set" - description: "List of IPs to whitelist - Ansible managed" - action: allow - priority: 1 - list: - - 1.1.1.1/32 - - 2.2.2.2/32 - country_codes: - - name: "allowed-countries" - action: allow - priority: 0.2 - list: - - GB - - HR - - name: "blocked-countries" - action: block - priority: 8 - list: - - RU - - CN + ip_sets: [] +# Example IP set to allow a list of safe IPs +# - rule_name: "Allowed-IPs-rule" +# set_name: "Allowed-IPs-set" +# description: "List of IPs to safelist - Ansible managed" +# action: allow +# priority: 1 +# list: +# - 1.1.1.1/32 +# - 2.2.2.2/32 +# - 30.30.30.0/24 +# Example country code ruleset allowing one set of countries and blocking another +# country_codes: +# - name: "allowed-countries" +# action: allow +# priority: 0.2 +# list: +# - GB +# - HR +# - FR +# - ES +# - UY +# - JP +# - name: "blocked-countries" +# action: block +# priority: 8 +# list: +# - RU +# - CN regular_rules: + # Commonly required Drupal rule to allow Panels to function - name: allow_panels action: allow statements_type: "single" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements) diff --git a/docs/roles/aws/aws_credentials.md b/docs/roles/aws/aws_credentials.md index feee7956b..1ebd66959 100644 --- a/docs/roles/aws/aws_credentials.md +++ b/docs/roles/aws/aws_credentials.md @@ -12,7 +12,7 @@ Simple role generating credentials "profiles" in users $HOME/.aws/credentials. aws_credentials: - user: ce-dev profiles: - - name: profile1 + - name: profile1 # profiles should never contain hyphens access_key_id: XXX secret_access_key: XXXX - name: example 
diff --git a/docs/roles/aws/aws_provision_ec2_keypair.md b/docs/roles/aws/aws_provision_ec2_keypair.md index 5267a111c..2a9bc39ae 100644 --- a/docs/roles/aws/aws_provision_ec2_keypair.md +++ b/docs/roles/aws/aws_provision_ec2_keypair.md @@ -10,7 +10,8 @@ Creates a key pair for the current "provision user" aws_provision_ec2_keypair: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" - key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" + key_name: "{{ _ce_provision_username }}@{{ ansible_hostname }}" + key_type: ed25519 # defaults to ed25519 as used in the ce_provision role, set to rsa to or ecdsa as necessary ``` diff --git a/docs/roles/debian/gitlab.md b/docs/roles/debian/gitlab.md index f4b11638b..de9001f30 100644 --- a/docs/roles/debian/gitlab.md +++ b/docs/roles/debian/gitlab.md @@ -24,14 +24,15 @@ gitlab: apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey server_name: "gitlab.{{ _domain_name }}" + force_stop: true # whether to stop GitLab to reconfigure or not # Add a record for GitLab in AWS Route 53 # If you use the aws_ec2_with_eip role to create your server this will not be necessary gitlab_route_53: state: present zone: "" # empty zone skips DNS creation - record: "{{ _domain_name }}" - type: A # change to CNAME if required - value: 1.2.3.4 # set IP if type: A and target hostname if type: CNAME + record: "gitlab.{{ _domain_name }}" + type: CNAME # change to A if required + value: "{{ _domain_name }}" # set IP if type: A and target hostname if type: CNAME aws_profile: another # Not necessarily the same as the "target" one for the server wildcard: true # Creates a matching wildcard CNAME letsencrypt: "true" # use built-in GitLab LetsEncrypt support by default letsencrypt: "true" # GitLab's built in SSL handling enabled by default 
@@ -90,10 +91,10 @@ gitlab: omniauth_auto_link_saml_user: "false" omniauth_block_auto_created_users: "true" omniauth_login_button_label: "Login with SAML" - omniauth_consumer_service_url: "https://{{ _domain_name }}/users/auth/saml/callback" + omniauth_consumer_service_url: "https://gitlab.{{ _domain_name }}/users/auth/saml/callback" omniauth_saml_cert_fingerprint: "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" # fingerprint of the SAML server's certificate omniauth_saml_endpoint_url: https://login.example.com/simplesaml/saml2/idp/SSOService.php # typical endpoint if you followed the SimpleSAMLphp QuickStart - https://simplesamlphp.org/docs/stable/simplesamlphp-idp.html - omniauth_saml_entity_id: "{{ _domain_name }}" # can be any string, typically just the domain name + omniauth_saml_entity_id: "gitlab.{{ _domain_name }}" # can be any string, typically just the domain name omniauth_saml_attribute_statements: "uid: ['uid']" # typical basic set-up if your SAML authsource is OpenLDAP # Other services prometheus: "true" # enable/disable built-in Prometheus diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index 3dbfc823e..de013688e 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -74,6 +74,7 @@ aws_acl: # - RU # - CN regular_rules: + # Commonly required Drupal rule to allow Panels to function - name: allow_panels action: allow statements_type: "single" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements) diff --git a/roles/aws/aws_credentials/README.md b/roles/aws/aws_credentials/README.md index feee7956b..1ebd66959 100644 --- a/roles/aws/aws_credentials/README.md +++ b/roles/aws/aws_credentials/README.md 
@@ -12,7 +12,7 @@ Simple role generating credentials "profiles" in users $HOME/.aws/credentials. aws_credentials: - user: ce-dev profiles: - - name: profile1 + - name: profile1 # profiles should never contain hyphens access_key_id: XXX secret_access_key: XXXX - name: example diff --git a/roles/aws/aws_provision_ec2_keypair/README.md b/roles/aws/aws_provision_ec2_keypair/README.md index 5267a111c..2a9bc39ae 100644 --- a/roles/aws/aws_provision_ec2_keypair/README.md +++ b/roles/aws/aws_provision_ec2_keypair/README.md @@ -10,7 +10,8 @@ Creates a key pair for the current "provision user" aws_provision_ec2_keypair: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" - key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" + key_name: "{{ _ce_provision_username }}@{{ ansible_hostname }}" + key_type: ed25519 # defaults to ed25519 as used in the ce_provision role, set to rsa to or ecdsa as necessary ``` diff --git a/roles/debian/gitlab/README.md b/roles/debian/gitlab/README.md index f4b11638b..de9001f30 100644 --- a/roles/debian/gitlab/README.md +++ b/roles/debian/gitlab/README.md 
@@ -24,14 +24,15 @@ gitlab: apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey server_name: "gitlab.{{ _domain_name }}" + force_stop: true # whether to stop GitLab to reconfigure or not # Add a record for GitLab in AWS Route 53 # If you use the aws_ec2_with_eip role to create your server this will not be necessary gitlab_route_53: state: present zone: "" # empty zone skips DNS creation - record: "{{ _domain_name }}" - type: A # change to CNAME if required - value: 1.2.3.4 # set IP if type: A and target hostname if type: CNAME + record: "gitlab.{{ _domain_name }}" + type: CNAME # change to A if required + value: "{{ _domain_name }}" # set IP if type: A and target hostname if type: CNAME aws_profile: another # Not necessarily the same as the "target" one for the server wildcard: true # Creates a matching wildcard CNAME letsencrypt: "true" # use built-in GitLab LetsEncrypt support by default letsencrypt: "true" # GitLab's built in SSL handling enabled by default 
@@ -90,10 +91,10 @@ gitlab: omniauth_auto_link_saml_user: "false" omniauth_block_auto_created_users: "true" omniauth_login_button_label: "Login with SAML" - omniauth_consumer_service_url: "https://{{ _domain_name }}/users/auth/saml/callback" + omniauth_consumer_service_url: "https://gitlab.{{ _domain_name }}/users/auth/saml/callback" omniauth_saml_cert_fingerprint: "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" # fingerprint of the SAML server's certificate omniauth_saml_endpoint_url: https://login.example.com/simplesaml/saml2/idp/SSOService.php # typical endpoint if you followed the SimpleSAMLphp QuickStart - https://simplesamlphp.org/docs/stable/simplesamlphp-idp.html - omniauth_saml_entity_id: "{{ _domain_name }}" # can be any string, typically just the domain name + omniauth_saml_entity_id: "gitlab.{{ _domain_name }}" # can be any string, typically just the domain name omniauth_saml_attribute_statements: "uid: ['uid']" # typical basic set-up if your SAML authsource is OpenLDAP # Other services prometheus: "true" # enable/disable built-in Prometheus From 07b9df8ceb9a0b4bb58f86ebd2e7c957d7ef9e14 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 16 Jan 2025 12:12:53 +0100 Subject: [PATCH 330/331] Allowing more flexible definition of sudo privileges via user_ansible. --- ce-dev/ansible/vars/_common/user_deploy.yml | 15 +++++++++++---- ce-dev/ansible/vars/_common/user_provision.yml | 15 +++++++++++---- install.sh | 8 +++++++- roles/debian/user_ansible/defaults/main.yml | 9 ++++++++- roles/debian/user_ansible/tasks/main.yml | 10 ++-------- roles/debian/user_deploy/defaults/main.yml | 9 ++++++++- roles/debian/user_provision/defaults/main.yml | 9 ++++++++- 7 files changed, 55 insertions(+), 20 deletions(-) diff --git a/ce-dev/ansible/vars/_common/user_deploy.yml b/ce-dev/ansible/vars/_common/user_deploy.yml index bb18c1fde..0130b82cb 100644 --- a/ce-dev/ansible/vars/_common/user_deploy.yml +++ b/ce-dev/ansible/vars/_common/user_deploy.yml 
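Review bot: in the ce-provision-publish-docs.yml hunk the fetch and the merge target different refs: `/usr/bin/git fetch origin 2.x` is hard-coded while the merge uses `origin/${{ github.event.pull_request.base.ref }}`, so for a PR whose base is not `2.x` the merge runs against whatever stale copy of the base branch the checkout already has, or fails outright. Fetch the same ref you merge, and pass it through an environment variable (`env: BASE_REF: ${{ github.event.pull_request.base.ref }}` and then `origin/"$BASE_REF"` in the script) rather than interpolating a `${{ }}` expression straight into the `run:` body, which is GitHub's own guidance for keeping event data out of the shell. `--allow-unrelated-histories` also deserves a comment explaining why an automated commit step needs it, since it switches off the safety check that would otherwise stop a wrong-branch merge.

Review bot: in the docs/roles/aws/aws_acl.md hunk `ip_sets` keeps a live empty default (`ip_sets: []`) but `country_codes` disappears from the live example entirely and survives only as comments; if the role iterates `aws_acl.country_codes`, the documented configuration now fails with an undefined attribute. Keep `country_codes: []` beside `ip_sets: []`. The roles/aws/aws_acl/README.md hunk below only adds the Panels comment because the README already had the commented-out examples, which shows the docs copy had drifted from the README; the publish workflow change above is presumably meant to stop that recurring.

Review bot: in the aws_credentials.md hunk the new comment `# profiles should never contain hyphens` states a constraint without the reason or any enforcement. Say where the profile name is used in a way that breaks on a hyphen, and add an `ansible.builtin.assert` in the role so a hyphenated name fails at provisioning time instead of producing a broken credentials profile. The same applies to the identical roles/aws/aws_credentials/README.md hunk.

Review bot: typo in the added comment of the aws_provision_ec2_keypair.md hunk: `set to rsa to or ecdsa as necessary` should read `set to rsa or ecdsa as necessary`; the same line appears in the roles/aws/aws_provision_ec2_keypair/README.md hunk. The rename from `ce_provision.username` to `_ce_provision_username` in `key_name` needs the role defaults to define `_ce_provision_username`, otherwise every key pair name renders with an undefined variable.

Review bot: in the gitlab.md `@@ -24,14 +24,15 @@` hunk `force_stop: true` makes stopping GitLab the default for every reconfigure, which is a downtime decision; either default to `false` with the comment saying when to enable it, or state plainly in the comment that a reconfigure with this role always incurs an outage. In the unchanged context of the same hunk `letsencrypt: "true"` appears twice with different comments, which is a duplicate YAML key (the last value wins, and newer YAML loaders warn or error), so drop one copy. The Route 53 change to `record: "gitlab.{{ _domain_name }}"` with `type: CNAME` and `value: "{{ _domain_name }}"` is sensible but assumes the apex name already resolves to this host; the comment could say so. All of this applies equally to the mirrored roles/debian/gitlab/README.md hunk.

Review bot: in the gitlab.md `@@ -90,10 +91,10 @@` hunk, changing `omniauth_saml_entity_id` and `omniauth_consumer_service_url` to the `gitlab.` subdomain changes the SP identity the IdP has on record, so anyone already running SAML with the old default must update the SP metadata at their IdP before applying this or logins stop working; call it out as a breaking change. It also has to stay in step with `server_name: "gitlab.{{ _domain_name }}"` from the earlier hunk, because the assertion consumer URL must be the host GitLab actually serves. The all-zero `omniauth_saml_cert_fingerprint` placeholder will reject every assertion until replaced, so mark it as required rather than optional in the comment. The mirrored roles/debian/gitlab/README.md hunk gets the same comments.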
@@ -1,9 +1,16 @@ +_user_deploy_username: ce-dev user_deploy: - username: ce-dev + username: "{{ _user_deploy_username }}" utility_host: "localhost" - utility_username: ce-dev - sudoer: false + utility_username: "{{ _user_deploy_username }}" + sudo_config: + entity_name: "{{ _user_deploy_username }}" + hosts: "ALL" + operators: "(ALL)" + tags: "NOPASSWD:" + commands: "ALL" + filename: "{{ _user_deploy_username }}" groups: [] ssh_keys: - "ssh-rsa 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 controller@127.0.0.1" - #- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/ce-dev/.ssh/id_rsa.pub') }}" # works locally + #- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/' + _user_deploy_username + '/.ssh/id_rsa.pub') }}" # works locally diff --git a/ce-dev/ansible/vars/_common/user_provision.yml b/ce-dev/ansible/vars/_common/user_provision.yml index fb9c97b97..3fdc118c4 100644 --- a/ce-dev/ansible/vars/_common/user_provision.yml +++ b/ce-dev/ansible/vars/_common/user_provision.yml 
@@ -1,9 +1,16 @@ +_user_provision_username: ce-dev user_provision: - username: ce-dev + username: "{{ _user_provision_username }}" utility_host: "localhost" - utility_username: ce-dev - sudoer: true + utility_username: "{{ _user_provision_username }}" + sudo_config: + entity_name: "{{ _user_provision_username }}" + hosts: "ALL" + operators: "(ALL)" + tags: "NOPASSWD:" + commands: "ALL" + filename: "{{ _user_provision_username }}" groups: [] ssh_keys: - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbzq9srh/W23MBCx/GmlTO3aJckDjZnCcczAAGtx3rAzGFEtvFgDaZbbHK+ya2SSazzQbfSXmwWAYABtFu6qRmZtDCBKlHhR7rI9MysiACmSX6X6fVIDbCZoVXIZIVGR0wdv52+kMArMktO9Y456jlman5whd3b7VD5LOt1xKQRLVQ7KjsxgQ/hpolSo6ZmsJuJe2xF9NMSfpQetmprTEFoCbXbVOl6XDUVqYsNF/e55A2jXBng2UNluztWQDnaP2sDODPk5uw3Fy6Znk0auYe9CmImUZX5x+BLulJIJWmsDa2+Ls3MCpF9VKPqV/UInETJ5P3ge1ieC8a1dboPL4/T9XERPXuGxeZtISNHwFZ3mGSjrbqFpMpJHZ7G41oGqBOq9dsw4eY3G0YlvMtv8Nqu2MtOQz/nGFSniES6e7Q4aHtBOoCbpJt7tDcpIDy9YfEhgQHxNtdAmt0n7GS71O0HS+15y89EzJ46139vZeuvSUkdgUxhQ5ZWhp1u3/6XyaCKt+SHKH5CbbrXQrfP/g98wm4W6kVAAjtkEXZ6rwsc71WdRLxZr17ArOpG+YVTJ67+iMEgsaEw9bi2DNDVeYl51NmNc4d873iH7d/0gsRq4ECzZwoNB0X9N6n0F5cVjQvx2802FzwHUMA2V8gS64UBuoC2OIv/r3YSkwuplzggw== controller@127.0.0.1" - #- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/ce-dev/.ssh/id_rsa.pub') }}" # works locally + #- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/' + _user_provision_username + '/.ssh/id_rsa.pub') }}" # works locally diff --git a/install.sh b/install.sh index 8ecf56643..eddc31133 100755 --- a/install.sh +++ b/install.sh @@ -235,7 +235,13 @@ user_provision: update_password: always utility_username: "${CONTROLLER_USER}" utility_host: localhost - sudoer: true + sudo_config: + entity_name: "${CONTROLLER_USER}" + hosts: "ALL" + operators: "(ALL)" + tags: "NOPASSWD:" + commands: "ALL" + filename: "${CONTROLLER_USER}" groups: - bypass2fa ssh_keys: 
diff --git a/roles/debian/user_ansible/defaults/main.yml b/roles/debian/user_ansible/defaults/main.yml index acebeab30..7f42053a6 100644 --- a/roles/debian/user_ansible/defaults/main.yml +++ b/roles/debian/user_ansible/defaults/main.yml @@ -14,7 +14,14 @@ user_ansible: # Local username of the deploy user. utility_host: "localhost" utility_username: "{{ _user_ansible_username }}" - sudoer: false + sudo_config: {} # an empty dictionary will skip creating a sudo config + # Example sudo config allowing full sudo permissions - see the debian/sudo_config role for more details. + # entity_name: "{{ _user_ansible_username }}" + # hosts: "ALL" + # operators: "(ALL)" + # tags: "NOPASSWD:" + # commands: "ALL" + # filename: "{{ _user_ansible_username }}" # List of additional groups to add the user to. groups: [] # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). diff --git a/roles/debian/user_ansible/tasks/main.yml b/roles/debian/user_ansible/tasks/main.yml index e8b27767b..454906b3e 100644 --- a/roles/debian/user_ansible/tasks/main.yml +++ b/roles/debian/user_ansible/tasks/main.yml @@ -33,14 +33,8 @@ ansible.builtin.include_role: name: debian/sudo_config vars: - sudo_config: - entity_name: "{{ user_ansible.username }}" - hosts: "ALL" - operators: "(ALL)" - tags: "NOPASSWD:" - commands: "ALL" - filename: "{{ user_ansible.username }}" - when: user_ansible.sudoer + sudo_config: "{{ user_ansible.sudo_config }}" + when: user_ansible.sudo_config | length > 0 - name: Copy SSH public key to target. ansible.posix.authorized_key: diff --git a/roles/debian/user_deploy/defaults/main.yml b/roles/debian/user_deploy/defaults/main.yml index 1d83a8cd7..b8916826f 100644 --- a/roles/debian/user_deploy/defaults/main.yml +++ b/roles/debian/user_deploy/defaults/main.yml 
@@ -15,7 +15,14 @@ user_deploy: # Local username of the deploy user. utility_host: "localhost" utility_username: "{{ _user_deploy_username }}" - sudoer: false + sudo_config: {} + # Example config allowing for feature branching. Uncomment to use. + # entity_name: "{{ _user_deploy_username }}" + # hosts: "ALL" + # operators: "(ALL)" + # tags: "NOPASSWD:" + # commands: "ALL" + # filename: "{{ _user_deploy_username }}" # List of additional groups to add the user to. groups: - docker # add the docker group so we can do container builds diff --git a/roles/debian/user_provision/defaults/main.yml b/roles/debian/user_provision/defaults/main.yml index f10896c32..3bd885e27 100644 --- a/roles/debian/user_provision/defaults/main.yml +++ b/roles/debian/user_provision/defaults/main.yml @@ -14,7 +14,14 @@ user_provision: # Local username of the system user. utility_host: "localhost" utility_username: "{{ _user_provision_username }}" - sudoer: true + # Sudo configuration for full passwordless admin privileges. + sudo_config: + entity_name: "{{ _user_provision_username }}" + hosts: "ALL" + operators: "(ALL)" + tags: "NOPASSWD:" + commands: "ALL" + filename: "{{ _user_provision_username }}" # List of additional groups to add the user to. groups: [] # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). From 6c8e090efb3db4c915ad8fdb47140dff5d21a297 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 16 Jan 2025 12:40:11 +0100 Subject: [PATCH 331/331] Fixing ce-deploy example. --- roles/debian/user_deploy/defaults/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/debian/user_deploy/defaults/main.yml b/roles/debian/user_deploy/defaults/main.yml index b8916826f..31934a720 100644 --- a/roles/debian/user_deploy/defaults/main.yml +++ b/roles/debian/user_deploy/defaults/main.yml 
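Review bot: the ce-dev/ansible/vars/_common/user_deploy.yml hunk moves the ce-dev deploy user from `sudoer: false` to a `sudo_config` of `ALL (ALL) NOPASSWD: ALL`, i.e. from no sudo at all to full passwordless root, which is a larger change than the commit message ("more flexible definition of sudo privileges") suggests. If the ce-dev container genuinely needs it, say so in the commit message and in a comment next to the block; otherwise `sudo_config: {}` preserves the previous behaviour. The commented lookup line also nests `{{ _ce_provision_data_dir }}` inside a `{{ lookup(...) }}` expression while concatenating with `+`; nested moustaches are deprecated in Ansible templating, so if it is ever uncommented it should be written as `lookup('file', _ce_provision_data_dir ~ '/provision-controller/home/' ~ _user_deploy_username ~ '/.ssh/id_rsa.pub')`.

Review bot: the ce-dev user_provision.yml and install.sh hunks are a faithful translation of `sudoer: true` into the same `ALL (ALL) NOPASSWD: ALL` block the old user_ansible task hard-coded, so no privilege changes there. One detail to guard: `filename` is now derived from the username (`${CONTROLLER_USER}` and `{{ _user_provision_username }}`), and sudo skips files in /etc/sudoers.d whose names contain a `.` or end in `~`, so a username such as `first.last` would produce a drop-in that is silently never loaded. Sanitise the filename in the sudo_config role or assert on it, and verify with `sudo -l -U <user>` after the run.

Review bot: in the roles/debian/user_ansible/tasks/main.yml hunk the condition moves from `when: user_ansible.sudoer` to `when: user_ansible.sudo_config | length > 0`, so any existing inventory that still sets `sudoer: true` without a `sudo_config` silently loses sudo on its next run, and nothing removes a sudoers drop-in that was created under the old key. Add an `ansible.builtin.assert` (or at least a deprecation warning) that fires when `user_ansible.sudoer is defined`, and give the role a removal path (`ansible.builtin.file` with `state: absent` on the drop-in) when `sudo_config` is empty, so that de-privileging a user actually takes effect on hosts that already have the file.

Review bot: in the roles/debian/user_deploy/defaults/main.yml hunk the commented example is labelled "allowing for feature branching" yet grants `commands: "ALL"` with `NOPASSWD:`, which is unrestricted root; the user_ansible hunk labels the identical block "full sudo permissions". The wording should match the grant. Patch 331/331 below narrows the command list, and this hunk could have carried that list from the start so the intermediate commit never documents full root as the feature-branching example.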
@@ -16,12 +16,13 @@ user_deploy: utility_host: "localhost" utility_username: "{{ _user_deploy_username }}" sudo_config: {} - # Example config allowing for feature branching. Uncomment to use. + # Example config allowing for feature branching. Allows manipulation of NGINX vhosts and cron.d files. + # Uncomment to use. # entity_name: "{{ _user_deploy_username }}" # hosts: "ALL" # operators: "(ALL)" # tags: "NOPASSWD:" - # commands: "ALL" + # commands: "/usr/bin/systemctl reload nginx, /usr/bin/systemctl restart nginx, /usr/sbin/nginx -t, sudoedit /etc/nginx/sites-available, sudoedit /etc/nginx/sites-enabled, sudoedit /etc/cron.d" # filename: "{{ _user_deploy_username }}" # List of additional groups to add the user to. groups:
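Review bot: the narrowed `commands` list is an improvement on `ALL`, but two entries need attention. `sudoedit /etc/nginx/sites-available`, `sudoedit /etc/nginx/sites-enabled` and `sudoedit /etc/cron.d` name directories: sudoedit edits files, and as sudoers command specs these match only that exact argument, so the deploy user could not edit anything beneath them; the intended form is a per-directory glob such as `sudoedit /etc/nginx/sites-available/*`, checked with `sudo -l -U <user>` after deployment. Second, the comment should state that write access to /etc/cron.d is equivalent to root, since files there schedule commands as any user including root; this example limits the blast radius of operator mistakes but is not a lesser privilege than `ALL` if the deploy account itself is compromised, and the docs should say so rather than present it as a restricted profile.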